Trust the roots instead of the intermediates #3

@alexzorin

Hi,

Clever project!

Since Let's Encrypt may at any moment switch over to the Let's Encrypt Authority X4 intermediate for new certificates (or use the ISRG-signed intermediate rather than the cross-signed one you include in this project), there is a decent amount of risk that the mod will unexpectedly stop working.

You can review the relationship between the certificates here - https://letsencrypt.org/certificates/

If I can suggest an alternate strategy for your patching of the trust store - trust these two certificates:

  • ISRG Root X1 (self-signed)
  • DST Root CA X3

All Let's Encrypt intermediates in existence will always be signed by one of these two trust anchors, so Java will always be able to validate a Let's Encrypt certificate's trustworthiness just from those two roots (now and in future).

Functionally your mod should remain the same, but be less fragile to future change.

Thanks!
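
An added example, not part of the original issue or the project's code: one way to apply this suggestion in Java, by merging self-signed roots into an in-memory copy of the JVM's default trust anchors and refusing anything that is not a root. The class name, method name and the PEM file paths passed on the command line are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
// Added example (hypothetical class and method names; not the project's code).
public class RootTrustExample {
    // Returns an SSLContext trusting the JVM's default anchors plus the given root PEM files.
    static SSLContext withExtraRoots(String... rootPemPaths) throws Exception {
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty in-memory store; nothing on disk is modified
        // Copy the anchors the JVM already trusts so other HTTPS connections keep working.
        TrustManagerFactory defaults =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        int n = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                merged.setCertificateEntry("default-" + n++, c);
            }
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : rootPemPaths) {
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                X509Certificate root = (X509Certificate) cf.generateCertificate(in);
                // Only accept a self-issued root: pinning an intermediate here is the
                // fragility the issue describes, since intermediates can be switched.
                if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
                    throw new CertificateException(path + " is not self-issued");
                }
                root.verify(root.getPublicKey()); // throws if the self-signature is invalid
                merged.setCertificateEntry("extra-" + n++, root);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // args: paths to the root PEM files (hypothetical, supplied by the caller)
        SSLContext.setDefault(withExtraRoots(args));
        System.out.println("Default SSLContext now trusts " + args.length + " extra root(s)");
    }
}
```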
