
Alternate chain X1 #34

Closed
DavidFromNL opened this issue Oct 6, 2021 · 3 comments
Labels
enhancement New feature or request

Comments

@DavidFromNL

Would it be possible to look into implementing alternate trust paths please? Last week Let's Encrypt's DST Root CA X3 expired, causing a lot of trouble for older SSL implementations, especially on servers. There's a really easy fix available: using an alternate trust path. While this breaks Android 4 trust, it fixes trust for OpenSSL/LibreSSL.

When you download the certificates in the last step, the ACME server may provide a header in this format:
link: https://acme-v02.api.letsencrypt.org/acme/cert/0123456789abcdef0123456789abcdef/1;rel="alternate"
That is the link to an alternative trust path that a sysadmin may choose to use instead of the default path.

Resources:
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2

I created a quick and dirty fix that suits my needs, but it would be great if this were a supported feature.
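As an added illustration of the header format described above (example code, not part of ACMECert or the original post), the function below extracts every rel="alternate" certificate URL from the response headers of an ACME certificate download (RFC 8555 section 7.4.2). It assumes the Link header syntax of RFC 8288, where the URL is enclosed in angle brackets; the sample header lines are constructed, with the first alternate URL being the placeholder quoted in the issue.

```php
<?php
// Added example (not ACMECert code): pull rel="alternate" chain URLs out of
// the Link headers of an ACME certificate-download response (RFC 8555 7.4.2).
// Link header syntax follows RFC 8288: one or more comma-separated
// <URL>; param=value entries, and a response may carry several Link headers.

/**
 * @param string[] $headerLines raw response header lines ("Name: value")
 * @return string[] alternate certificate URLs, in the order the server listed them
 */
function parseAlternateChainLinks(array $headerLines): array {
    $alternates = [];
    foreach ($headerLines as $line) {
        // Header names are case-insensitive; only Link headers are of interest.
        if (!preg_match('/^link:\s*(.*)$/i', trim($line), $m)) {
            continue;
        }
        // Split on commas that separate link-values (i.e. are followed by '<').
        foreach (preg_split('/,\s*(?=<)/', $m[1]) as $linkValue) {
            if (!preg_match('/^<([^>]+)>\s*((?:;[^;]*)*)$/', trim($linkValue), $lm)) {
                continue; // malformed entry: skip it rather than guess
            }
            $url = $lm[1];
            // rel may be quoted or bare and may list several relation types.
            foreach (explode(';', $lm[2]) as $param) {
                if (!preg_match('/^\s*rel\s*=\s*"?([^"]*)"?\s*$/i', $param, $pm)) {
                    continue;
                }
                $rels = preg_split('/\s+/', strtolower(trim($pm[1])));
                if (in_array('alternate', $rels, true)) {
                    $alternates[] = $url;
                }
            }
        }
    }
    return $alternates;
}

// Constructed sample headers: the first alternate URL is the placeholder from
// the issue; the 'index', 'up' and second alternate entries are made up.
$sample = [
    'Content-Type: application/pem-certificate-chain',
    'Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
    'link: <https://acme-v02.api.letsencrypt.org/acme/cert/0123456789abcdef0123456789abcdef/1>;rel="alternate"',
    'Link: <https://acme-v02.api.letsencrypt.org/acme/cert/EXAMPLE/2>; rel=alternate, <https://acme-v02.api.letsencrypt.org/acme/cert/EXAMPLE>; rel="up"',
];
foreach (parseAlternateChainLinks($sample) as $url) {
    echo $url, PHP_EOL; // prints the two alternate URLs, not the index or up links
}
```

Each returned URL is fetched like the default certificate URL; the client can then inspect the last certificate of each chain to see which root it terminates in before choosing one.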

@skoerfgen skoerfgen pinned this issue Oct 11, 2021
@skoerfgen skoerfgen added the enhancement New feature or request label Oct 11, 2021
@skoerfgen skoerfgen self-assigned this Oct 11, 2021
@skoerfgen
Owner

Thanks for your feedback!

I added a new method getCertificateChains to get an array of all chains.

Currently you can find the modification in the alternate_chains branch. I'm going to merge it into master soon, when testing is complete.

Usage:

$ret=$ac->getCertificateChains('file://'.'cert_private_key.pem',$domain_config,$handler);
if (isset($ret['ISRG Root X1'])){ // use alternate chain 'ISRG Root X1'
  file_put_contents('fullchain.pem',$ret['ISRG Root X1']);
}else{ // use default chain if 'ISRG Root X1' is not present
  file_put_contents('fullchain.pem',reset($ret));
}

@skoerfgen
Owner

@DavidFromNL

Update: Version 3.1.0 has been released, which now contains the new method!

@skoerfgen skoerfgen unpinned this issue Oct 14, 2021
@skoerfgen skoerfgen removed their assignment Oct 14, 2021
@DavidFromNL
Author

Awesome! Thanks for this work!
