add --preferred-chain flag to select alternate ACME certificate chains#310
Open
baru wants to merge 1 commit into
Some CAs, including Let's Encrypt, offer multiple chains via `Link: rel="alternate"` headers in the ACME certificate response. The default chain for newer intermediates (YR2, E5, E6, R10, R11) may omit cross-signed intermediates that constrained clients require. Example: `--preferred-chain "ISRG Root X1"` selects the Let's Encrypt chain that includes ISRG Root YR, fixing incomplete-chain errors on clients without AIA support.
Let's Encrypt serves multiple chains via `Link: rel="alternate"` headers. The default chain for YR2-signed certs omits ISRG Root YR, a cross-signed intermediate. Clients that don't perform AIA chasing reject the connection. certbot has `--preferred-chain` for this; acme-tiny doesn't. This PR adds the flag. It walks the alternate-link headers and returns the first chain whose issuer fields contain the given string, falling back to the default chain if nothing matches — fully backwards-compatible.

Verified on a live YR2 domain: chain goes from 2 to 3 certs with the flag set. Existing test suite passes unchanged. The line count increases from 200 to 212; I propose to relax `test_module_linecount` to `<= 215`.
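The selection logic the PR describes, written out as an added example (this is not the PR's diff and not acme-tiny's own code): parse the `rel="alternate"` link-values from the certificate response, try the chain already in hand first, then each alternate in server order, and keep the first one whose issuer fields contain the preferred string, falling back to the default chain when nothing matches or an alternate cannot be fetched. The `fetch` callable is assumed to be whatever the client uses to download an alternate chain URL; `issuers_via_openssl` shells out to the `openssl` CLI, which acme-tiny already depends on, and is bypassed in the offline demo. All URLs, chain bodies and issuer strings in the sample data are constructed; the CA names are the ones the PR discussion mentions.

```python
"""Select an ACME certificate chain by preferred issuer (added example, not acme-tiny's code)."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# One RFC 8288 link-value: <URI> followed by ;param=value pairs (several values may share one header, comma-separated).
_LINK_VALUE = re.compile(r'<([^>]+)>((?:\s*;\s*[^,;]+)*)')
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def alternate_chain_urls(link_headers: List[str]) -> List[str]:
    """Return every URL advertised with rel="alternate", in the order the server listed them."""
    urls = []
    for header in link_headers:
        for match in _LINK_VALUE.finditer(header):
            params: Dict[str, str] = {}
            for param in match.group(2).split(";"):
                if "=" in param:
                    key, value = param.split("=", 1)
                    params[key.strip().lower()] = value.strip().strip('"')
            if "alternate" in params.get("rel", "").split():
                urls.append(match.group(1))
    return urls


def issuers_via_openssl(chain_pem: str) -> List[str]:
    """Issuer field of each certificate in a PEM chain, leaf first, via the openssl CLI
    that acme-tiny already shells out to (not exercised by the offline demo below)."""
    issuers = []
    for block in _PEM_BLOCK.findall(chain_pem):
        proc = subprocess.run(["openssl", "x509", "-noout", "-issuer"],
                              input=block.encode(), capture_output=True, check=True)
        issuers.append(proc.stdout.decode().strip())
    return issuers


def select_chain(default_pem: str, link_headers: List[str], preferred: Optional[str],
                 fetch: Callable[[str], str],
                 issuers: Callable[[str], List[str]] = issuers_via_openssl) -> str:
    """Pick the first chain whose issuer fields contain `preferred`.

    Candidates are the default chain (already downloaded, so checked without a fetch)
    and then each rel="alternate" chain in server order. No flag, no match, or an
    alternate that cannot be fetched or parsed all fall back to the default chain, so
    chain selection never turns a successful issuance into a failure.
    """
    if not preferred:
        return default_pem  # flag not given: behaviour is unchanged
    candidates: List[Tuple[Optional[str], Optional[str]]] = [(None, default_pem)]
    candidates += [(url, None) for url in alternate_chain_urls(link_headers)]
    for url, pem in candidates:
        try:
            if pem is None:
                pem = fetch(url)
            if any(preferred in issuer for issuer in issuers(pem)):
                return pem
        except Exception:
            continue  # unreachable or unparsable alternate: skip it and keep looking
    return default_pem


# ---- Constructed demo data (not real ACME responses); CA names taken from the PR discussion ----
SAMPLE_HEADERS = [
    '<https://acme.example/directory>;rel="index"',
    '<https://acme.example/cert/abc/1>;rel="alternate", <https://acme.example/cert/abc/2>;rel="alternate"',
]
SAMPLE_CHAINS = {  # alternate URL -> constructed chain body
    "https://acme.example/cert/abc/1": "PEM-ALT-1",
    "https://acme.example/cert/abc/2": "PEM-ALT-2",
}
SAMPLE_ISSUERS = {  # chain body -> issuer field of each cert, leaf first
    "PEM-DEFAULT": ["CN = YR2", "CN = ISRG Root YR"],                     # 2 certs, cross-sign omitted
    "PEM-ALT-1": ["CN = YR2", "CN = ISRG Root YR", "CN = ISRG Root X1"],  # 3 certs, cross-signed ISRG Root YR included
    "PEM-ALT-2": ["CN = YR2", "CN = ISRG Root YR"],
}


def demo_select(preferred: Optional[str]) -> str:
    """Run select_chain over the constructed data, as a client would after downloading the default chain."""
    return select_chain("PEM-DEFAULT", SAMPLE_HEADERS, preferred,
                        fetch=SAMPLE_CHAINS.__getitem__, issuers=SAMPLE_ISSUERS.__getitem__)


if __name__ == "__main__":
    print(demo_select("ISRG Root X1"))  # PEM-ALT-1: the 3-cert chain with the cross-signed intermediate
    print(demo_select("No Such CA"))    # PEM-DEFAULT: nothing matched, default retained
```

Two points worth noting for review: the match is a plain substring test over every issuer field in the chain, so `--preferred-chain "ISRG Root"` would match both the cross-signed and the non-cross-signed chain and the first candidate wins; and checking the default chain before any alternate avoids an extra round-trip when the default already satisfies the preference.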