[WIP] acme_certificate: allow to download alternate certificate chains #56334
Background: Let's Encrypt announced that they want to switch to the new ISRG root certificate this summer, i.e. they will start delivering the intermediate certificate signed by their own root and not by the IdenTrust root. The consequence is that Let's Encrypt certs using this chain won't be supported by a lot of older devices and browsers which support the IdenTrust root, but not the ISRG root. (Support for the IdenTrust root is listed here; there is unfortunately no similar listing of devices/browsers supporting the new root, except the statement here.) There have been some discussions about this (here, here).
Anyway, the ACME protocol offers a way for CAs to offer alternative chains, and my hope is that Let's Encrypt will use that feature of the protocol to still deliver the old intermediate certificate. That would allow ACME clients to offer the "old" chain to the users without ugly hacks (see here for an example).
This is an experimental branch to play around with downloading alternate chains. Works so far with letsencrypt/pebble#234
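The protocol mechanism the PR relies on is the one RFC 8555 section 7.4.2 defines for certificate download: the CA may attach `Link` headers with `rel="alternate"` to the chain-download response, each pointing at another chain that starts with the same end-entity certificate. The following is an added example (not code from this PR, from the ansible acme_certificate module, or from letsencrypt/pebble) showing the two client-side steps: discovering alternate chain URLs from the response headers, then choosing the chain whose last intermediate is issued by a preferred root. The HTTP headers, chain URLs and (subject, issuer) tuples are constructed sample data; in a real client the tuples would come from parsing each downloaded PEM chain with an X.509 library, and the root names are only illustrative.

```python
"""Discover and select ACME alternate certificate chains (RFC 8555 section 7.4.2).

Added example; not the ansible module's or pebble's code. All headers,
URLs and certificate names below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# One Link header entry looks like: <uri>; param1=value1; param2="value 2"
# Several entries may be folded into one header value, separated by commas.
_LINK_ENTRY = re.compile(r'<([^>]*)>\s*((?:;\s*[^,;]+)*)')


def parse_link_header(value: str) -> List[Dict[str, str]]:
    """Parse an HTTP Link header value into dicts of {'url': ..., <param>: ...}."""
    links = []
    for match in _LINK_ENTRY.finditer(value):
        link = {"url": match.group(1)}
        for param in match.group(2).split(";"):
            param = param.strip()
            if not param or "=" not in param:
                continue
            key, val = param.split("=", 1)
            link[key.strip().lower()] = val.strip().strip('"')
        links.append(link)
    return links


def alternate_chain_urls(headers: Dict[str, str]) -> List[str]:
    """Return the URLs of alternate chains advertised with rel="alternate"."""
    urls = []
    for name, value in headers.items():
        if name.lower() != "link":
            continue
        for link in parse_link_header(value):
            # rel may carry several space-separated relation types
            if "alternate" in link.get("rel", "").split():
                urls.append(link["url"])
    return urls


# A chain is modelled as its download URL plus (subject, issuer) pairs ordered
# leaf-first; the root itself is not delivered, so the issuer of the last
# certificate names the root the chain anchors to.
Chain = Dict[str, object]


def select_chain(chains: List[Chain], preferred_root_issuer: str) -> Chain:
    """Pick the first chain anchored to preferred_root_issuer.

    Falls back to chains[0], the chain the CA served by default, when no
    advertised chain terminates in the preferred root.
    """
    for chain in chains:
        certs: List[Tuple[str, str]] = chain["certs"]  # type: ignore[assignment]
        if certs and certs[-1][1] == preferred_root_issuer:
            return chain
    return chains[0]


# Constructed sample response headers for a certificate download.
SAMPLE_HEADERS = {
    "Content-Type": "application/pem-certificate-chain",
    "Link": '<https://ca.example/acme/directory>;rel="index", '
            '<https://ca.example/acme/cert/abc123/1>;rel="alternate"',
}

# Constructed sample chains: the default one anchors to the CA's own root,
# the alternate one to a cross-signing root (names illustrative only).
SAMPLE_CHAINS: List[Chain] = [
    {"url": "https://ca.example/acme/cert/abc123",
     "certs": [("example.com", "R3"), ("R3", "ISRG Root X1")]},
    {"url": "https://ca.example/acme/cert/abc123/1",
     "certs": [("example.com", "R3"), ("R3", "DST Root CA X3")]},
]


if __name__ == "__main__":
    print("alternate chains:", alternate_chain_urls(SAMPLE_HEADERS))
    chosen = select_chain(SAMPLE_CHAINS, "DST Root CA X3")
    print("chain for older clients:", chosen["url"])
    fallback = select_chain(SAMPLE_CHAINS, "No Such Root")
    print("fallback when root unknown:", fallback["url"])
```

A client that wants the cross-signed chain would fetch each URL returned by `alternate_chain_urls`, parse the PEM chains, and hand them to `select_chain` together with the default chain in position 0 so that an unexpected set of alternates degrades to the CA's default rather than failing the issuance.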