Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Preferred chain: LetsEncrypt Subscriber Certificate < – R3 < – ISRG Root X1 #808

Closed
heffergm opened this issue Mar 15, 2021 · 4 comments
Closed

Preferred chain: LetsEncrypt Subscriber Certificate < – R3 < – ISRG Root X1 #808

heffergm opened this issue Mar 15, 2021 · 4 comments

Comments

@heffergm
Copy link

As relates to https://letsencrypt.org/2020/12/21/extending-android-compatibility.html, it sounds like there is presently no way to select the alternate chain LE is going to offer (Subscriber Certificate < – R3 < – ISRG Root X1). Is this something that's in the works?
@lukas2511
Copy link
Member

This is already supported in the newest version.

Either as CLI argument:

--preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN

Or via a config parameter:

# Preferred issuer chain (default: <unset> -> uses default chain)
#PREFERRED_CHAIN=

@heffergm
Copy link
Author

heffergm commented Mar 17, 2021
edited

So, the question arose due to this note from LetsEncrypt:

What about the alternate chain? Today, some ACME clients are able to instead request an alternate chain, if their user has 
configured it. We currently provide the option of getting the chain: Subscriber Certificate < – R3 < – ISRG Root X1 We will 
continue to offer this same chain as an alternate. However, note that most ACME clients don’t yet have a way to select this 
alternate chain (for example, Certbot selects chains by looking to see if they contain a given Issuer Name, but this chain 
doesn’t contain any Issuer Names which the high compatibility chain above doesn’t). We’ll be working with ACME client 
developers to create more flexible chain selection mechanisms going forward.

Specifically, the note about "no acme clients having a way to select this alternate chain...". If the existing preferred-chain option in dehydrated doesn't suffer this issue, that's great.

@lukas2511
Copy link
Member

My current implementation just travels up the trust chain until it gets to the uppermost issuer certificate, which in this case should be DST Root CA X3 by default, or ISRG Root X1 as alternative, and those names should be selectable by the mentioned parameters.

[...] available options: DST Root CA X3, ISRG Root X1

@mckaygerhard mckaygerhard mentioned this issue Nov 17, 2022
Closed
@mckaygerhard
Copy link

Specifically, the note about "no acme clients having a way to select this alternate chain...". If the existing preferred-chain option in dehydrated doesn't suffer this issue, that's great.

it seems that is the case, cos i checked my cert at the browsers and still shows R3 as issuer.. check #892 or i dont know how is the workflow of those mechanish?

configured it. We currently provide the option of getting the chain: Subscriber Certificate < – R3 < – ISRG Root X1 We will continue to offer this same chain as an alternate. However, note that most ACME clients don’t yet have a way to select this alternate chain (for example, Certbot selects chains by looking to see if they contain a given Issuer Name, but this chain doesn’t contain any Issuer Names which the high compatibility chain above doesn’t). We’ll be working with ACME client developers to create more flexible chain selection mechanisms going forward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lukas2511 @heffergm @mckaygerhard