Add preferred chain option #42

Closed
johnlinvc opened this issue Nov 5, 2020 · 4 comments · Fixed by #47

@johnlinvc

Purpose

LE is switching to ISRG root on January 11, 2021 [1]. It'll be handy if we can have an option to test the new chain before that date.
Certbot has the --preferred-chain option that can specify the chain of the certs [2] [3].

Changes

Add a preferred-chain option in either the order command or acmesmith.yaml.

I'd like to submit a PR after we decide which approach we want.

@sorah
Owner

sorah commented Nov 5, 2020

Hi, I prefer having a configuration in acmesmith.yaml, and it should be the only way to configure alternate chain preference.

It sounds nice to have a one-off option in the order subcommand, but note that acmesmith also has the autorenew subcommand... Considering when multiple certificate chains are in use, having a one-off command just in order might be insufficient. If autorenew can determine a chain automatically, having a flag on the order subcommand would be accepted.

PR is welcomed!

@johnlinvc
Author

Agree that the config should be in acmesmith.yaml. And it should have the filter system just like the challenge responders. So that we can migrate certs gradually.

Another use case of this feature is to stay on the old chain after the switch.

Proposed format in acmesmith.yaml

preferred_chains:
  - root: "ISRG Root X1" # or root_certificate ?
    ### Filter (optional)
    filter:
      subject_name_exact:
        - my-app.example.com
      subject_name_suffix:
        - .example.org
      subject_name_regexp:
        # dots escaped so "." matches only a literal dot in the host name
        - '\Aapp\d+\.example\.org\z'
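
A sketch of how the proposed filter could drive chain selection, added here as an example; it is not acmesmith's code and not part of the thread. It assumes the first matching rule wins, a rule without a filter matches every name, any one filter condition is enough, and the CA's default chain is used when the preferred root is not offered; `Legacy Root`, `Intermediate`, the `.example.net` pattern and the function names are constructed.

```ruby
require 'yaml'

# Constructed config in the proposed format (the key names are the proposal's).
CONFIG = YAML.safe_load(<<~'YAML')
  preferred_chains:
    - root: "ISRG Root X1"
      filter:
        subject_name_exact:
          - my-app.example.com
        subject_name_suffix:
          - .example.org
        subject_name_regexp:
          - '\Aapp\d+\.example\.net\z'
    - root: "Legacy Root"   # constructed name; no filter, so it is the catch-all
YAML

# Constructed stand-in for the chains a CA offers, default first. Each chain is
# reduced to its issuer names, ending with the root.
OFFERED = [
  ['Intermediate', 'Legacy Root'],
  ['Intermediate', 'ISRG Root X1'],
].freeze

# Assumption: no filter matches every name; otherwise one matching condition is enough.
def filter_match?(filter, name)
  return true if filter.nil? || filter.empty?
  Array(filter['subject_name_exact']).include?(name) ||
    Array(filter['subject_name_suffix']).any? { |s| name.end_with?(s) } ||
    Array(filter['subject_name_regexp']).any? { |r| Regexp.new(r).match?(name) }
end

# The first rule whose filter matches the common name decides the root.
def preferred_root(config, name)
  rule = config.fetch('preferred_chains', []).find { |r| filter_match?(r['filter'], name) }
  rule && rule['root']
end

# Pick the offered chain ending in the preferred root; fall back to the CA's
# default chain when that root is not on offer, so a preference never blocks issuance.
def select_chain(config, name, offered)
  root = preferred_root(config, name)
  offered.find { |chain| chain.last == root } || offered.first
end

%w[my-app.example.com api.example.org app12.example.net app12xexample.net].each do |cn|
  puts "#{cn}: #{select_chain(CONFIG, cn, OFFERED).join(' -> ')}"
end
```

The last name shows why the dots in the regexp are escaped: with a bare `.` it would match the first rule and be moved to the new chain along with the intended hosts.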

@sorah
Owner

sorah commented Nov 5, 2020

Nice. I'd name root_issuer for the root param.

@stale

stale bot commented Dec 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the rotten label Dec 5, 2020
@stale stale bot closed this as completed Dec 12, 2020
@sorah sorah reopened this Oct 31, 2021
@stale stale bot removed the rotten label Oct 31, 2021
@sorah sorah self-assigned this Oct 31, 2021
sorah added a commit that referenced this issue Oct 31, 2021
@sorah sorah closed this as completed in #47 Oct 31, 2021