[WIP] acme_certificate: allow to download alternate certificate chains #56334

Open
wants to merge 2 commits into
base: devel
from

@felixfontein (Contributor) commented May 12, 2019

SUMMARY

Background: Let's Encrypt announced that they want to switch to the new ISRG root certificate this summer, i.e. they will start delivering the intermediate certificate signed by their own root and not by the IdenTrust root. The consequence is that Let's Encrypt certs using this chain won't be supported by a lot of older devices and browsers which support the IdenTrust root, but not the ISRG root. (Support for the IdenTrust root is listed here, there is unfortunately no similar listing of devices/browsers supporting the new root, except the statement here.) There have been some discussions about this (here, here).

Anyway, the ACME protocol offers a way for CAs to offer alternative chains, and my hope is that Let's Encrypt will use that feature of the protocol to still deliver the old intermediate certificate. That would allow ACME clients to offer the "old" chain to the users without ugly hacks (see here for an example).

This is an experimental branch to play around with downloading alternate chains. Works so far with letsencrypt/pebble#234

ISSUE TYPE

  • Feature Pull Request

COMPONENT NAME

acme_certificate
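
Added example, not code from this pull request or from the acme_certificate module: RFC 8555 (section 7.4.2) has the server advertise alternative chains as `Link` headers with relation "alternate" on the certificate download response, each of which should start with the same end-entity certificate. The sketch below extracts those URLs and checks that a downloaded alternate chain keeps the leaf; the `ca.example` URLs and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import urljoin

# One link-value (RFC 8288): <target> followed by ;name or ;name=value params.
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+(?:\s*=\s*(?:"[^"]*"|[^\s;,"]+))?)*)')
_REL = re.compile(r';\s*rel\s*=\s*(?:"([^"]*)"|([^\s;,"]+))', re.I)
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def alternate_chain_urls(link_headers, request_url):
    """URLs of all rel="alternate" links, in the order the server sent them.

    link_headers holds every Link header value of the certificate download
    response; a single value may carry several comma-separated links.
    """
    urls = []
    for value in link_headers:
        for target, params in _LINK.findall(value):
            rel = _REL.search(params)
            relations = (rel.group(1) or rel.group(2) or "").lower().split() if rel else []
            url = urljoin(request_url, target)  # the target may be relative
            if "alternate" in relations and url not in urls:
                urls.append(url)
    return urls


def pem_chain_to_der(pem_text):
    """Split a PEM chain into DER blobs, end-entity certificate first."""
    return [base64.b64decode("".join(b.split())) for b in _PEM.findall(pem_text)]


def same_leaf(default_chain_pem, alternate_chain_pem):
    """True if both chains start with the same end-entity certificate."""
    a = pem_chain_to_der(default_chain_pem)
    b = pem_chain_to_der(alternate_chain_pem)
    return bool(a) and bool(b) and a[0] == b[0]


# Constructed sample: Link headers of a certificate download response.
SAMPLE_URL = "https://ca.example/acme/cert/abc123"
SAMPLE_LINKS = [
    '<https://ca.example/acme/directory>;rel="index"',
    '<https://ca.example/acme/cert/abc123/1>;rel="alternate", </acme/cert/abc123/2>; rel=alternate',
]

if __name__ == "__main__":
    for url in alternate_chain_urls(SAMPLE_LINKS, SAMPLE_URL):
        print(url)
```

A client would reject an alternate chain for which `same_leaf` is false before writing it out, since it would not belong to the certificate that was ordered.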
