Alternate chain X1 #34
Labels
enhancement
New feature or request
Comments
Thanks for your feedback! I added a new method getCertificateChains to get an array of all chains. Currently you can find the modification in the alternate_chains branch. I'm going to merge it into master soon, when testing is complete. Usage:

```php
$ret=$ac->getCertificateChains('file://'.'cert_private_key.pem',$domain_config,$handler);
if (isset($ret['ISRG Root X1'])){ // use alternate chain 'ISRG Root X1'
    file_put_contents('fullchain.pem',$ret['ISRG Root X1']);
}else{ // use default chain if 'ISRG Root X1' is not present
    file_put_contents('fullchain.pem',reset($ret));
}
```
Update: Version 3.1.0 has been released, which now contains the new method!
Awesome! Thanks for this work!
Would it be possible to look into implementing alternate trust paths please? Last week Let's Encrypt's DST Root CA X3 expired, causing a lot of trouble for older SSL implementations, especially on servers. There's a really easy fix available: using an alternate trust path. While this breaks Android-4 trust it fixes trust for OpenSSL/LibreSSL.
When you download the certificates in the last step, the ACME server may provide a header in this format:
link: https://acme-v02.api.letsencrypt.org/acme/cert/0123456789abcdef0123456789abcdef/1;rel="alternate"
That is the link to an alternative trust path that a sysadmin may choose to use instead of the default path.
Resources:
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
I created a quick and dirty fix that suits my needs, but it would be great if this were a supported feature.
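
The header handling described in the issue above, as an added example (not code from this issue or from the project): it collects the rel="alternate" URLs from the certificate download response, using the RFC 8288 form in which each URL is wrapped in angle brackets. The function name alternateChainUrls, the acme.example host and the https/same-host restriction are assumptions of this example.

```php
<?php
// Added example: extract rel="alternate" chain URLs from the certificate
// download response headers (RFC 8555 section 7.4.2).

/** @return string[] alternate chain URLs, de-duplicated, in header order */
function alternateChainUrls(array $headerLines, string $certUrl): array
{
    $host = (string) parse_url($certUrl, PHP_URL_HOST);
    $urls = [];
    foreach ($headerLines as $line) {
        // Header names are case-insensitive; skip anything that is not Link.
        if (!preg_match('/^link\s*:(.*)$/i', trim($line), $m)) {
            continue;
        }
        // One header may carry several comma-separated <url>;params values.
        preg_match_all('/<([^>]*)>((?:\s*;\s*[^;,]+)*)/', $m[1], $links, PREG_SET_ORDER);
        foreach ($links as $link) {
            // rel may be quoted or bare and may hold several space-separated types.
            if (!preg_match('/;\s*rel\s*=\s*"?([^";]*)"?/i', $link[2], $rel)) {
                continue;
            }
            $types = preg_split('/\s+/', strtolower(trim($rel[1])));
            if (!in_array('alternate', $types, true)) {
                continue;
            }
            // Assumption of this example, not an RFC requirement: only follow
            // https links on the same host as the certificate URL.
            $p = parse_url($link[1]);
            if (($p['scheme'] ?? '') !== 'https' || strcasecmp($p['host'] ?? '', $host) !== 0) {
                continue;
            }
            $urls[$link[1]] = true;
        }
    }
    return array_keys($urls);
}

// Constructed sample response headers (not captured from a real server).
$headers = [
    'HTTP/1.1 200 OK',
    'Content-Type: application/pem-certificate-chain',
    'Link: <https://acme.example/directory>;rel="index"',
    'link: <https://acme.example/acme/cert/abc/1>;rel="alternate", <https://acme.example/acme/cert/abc/2>; rel=alternate',
    'Link: <http://other.example/acme/cert/abc/3>;rel="alternate"',
];
print_r(alternateChainUrls($headers, 'https://acme.example/acme/cert/abc'));
```

Each returned URL is fetched with the same authenticated request as the default chain, and the resulting chains can then be keyed by root name as in the getCertificateChains usage shown in the comments.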