Crypt-LE
Option to setup preferred-chain
Is there any option to set up a preferred chain, like `./certbot certonly --apache -d ${DOMAIN} --dry-run --preferred-chain="ISRG Root X1"`, now that DST Root CA X3 has expired?
I believe this might be what you're looking for:
https://github.com/do-know/Crypt-LE#alternative-certificates-support
But let me know if it's not.
That's not what I meant. I'm not sure if it's by design, but Crypt::LE enforces an alternative LE chain. It means that the (currently expired) DST root cert is not used in Crypt::LE-generated certs:

```
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=somesite.ru', issuer `C=US,O=Let's Encrypt,CN=R3', RSA key 4096 bits, signed using RSA-SHA256, activated `2021-10-06 09:17:45 UTC', expires `2022-01-04 09:17:44 UTC', SHA-1 fingerprint `9d937626d3fda258c0911b80fbecf17c63ea0c1f'
- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=R3', issuer `C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', SHA-1 fingerprint `a053375bfe84e8b748782c7cee15827a6af5a405'
```
LE cert with DST:

```
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=othersite.com', issuer `C=US,O=Let's Encrypt,CN=R3', RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-19 22:02:46 UTC', expires `2021-12-18 22:02:45 UTC', SHA-1 fingerprint `326914f12c9330d49b7ed00ea4dc56eed525a49c'
- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=R3', issuer `C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', SHA-1 fingerprint `a053375bfe84e8b748782c7cee15827a6af5a405'
- Certificate[2] info:
 - subject `C=US,O=Internet Security Research Group,CN=ISRG Root X1', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', SHA-1 fingerprint `933c6ddee95c9c41a40f9f50493d82be03ad87bf'
```
Currently that is a good thing, because the DST root expired on the 30th of September. But just for the record:

- if Crypt::LE was always enforcing the new alternative chain of trust, then a lot of old Android devices were not able to connect to websites with certs generated by Crypt::LE (and they are currently unable to do so right now).

So an option is required to use the DST -> ISRG -> Client authority chain (which is the default for certbot). Please don't change the current default (ISRG Self Signed -> ISRG -> Client).

In short: certbot defaults to the DST -> ISRG -> Client chain when requesting a cert from LE and requires the option `--preferred-chain="ISRG Root X1"` to use the alternative chain without the now-expired DST. Crypt::LE defaults to ISRG Self Signed -> ISRG -> Client (the alternative chain) and would require an option to go with DST -> ISRG -> Client.

Both chains have pros and cons, but JFTR Crypt::LE defaults to the option that turns off a majority of old Android devices, so maybe an option is required to go with DST...
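Added example, not code from Crypt::LE or certbot: a small standard-library Python script that parses gnutls-cli certificate listings like the two posted above, reports which root a client's trust store must already contain for each chain (the issuer of the topmost served certificate), and models certbot's documented `--preferred-chain` rule of matching that issuer CN. It goes slightly beyond the thread by implementing the chain selection generically over any set of candidate chains. The sample listings are the two from this thread; all function and constant names are this example's own.

```python
"""Inspect served certificate chains from gnutls-cli output and tell the two
Let's Encrypt chains apart.  Added example for this thread; it is not part of
Crypt::LE or certbot.  Only the standard library is used."""
import re
from dataclasses import dataclass
from typing import List, Optional

# gnutls-cli prints one line per certificate:
#   - subject `<DN>', issuer `<DN>', RSA key ..., activated `...', expires `...', SHA-1 fingerprint `...'
# A DN can itself contain an apostrophe (O=Let's Encrypt), so each value is
# taken up to the first closing quote that is followed by ", " (the field separator).
CERT_LINE = re.compile(r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', ")

# Sample input: the two listings posted in this thread (same DNs, same order).
SHORT_CHAIN_OUTPUT = """\
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=somesite.ru', issuer `C=US,O=Let's Encrypt,CN=R3', RSA key 4096 bits, signed using RSA-SHA256, activated `2021-10-06 09:17:45 UTC', expires `2022-01-04 09:17:44 UTC', SHA-1 fingerprint `9d937626d3fda258c0911b80fbecf17c63ea0c1f'
- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=R3', issuer `C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', SHA-1 fingerprint `a053375bfe84e8b748782c7cee15827a6af5a405'
"""

LONG_CHAIN_OUTPUT = """\
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=othersite.com', issuer `C=US,O=Let's Encrypt,CN=R3', RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-19 22:02:46 UTC', expires `2021-12-18 22:02:45 UTC', SHA-1 fingerprint `326914f12c9330d49b7ed00ea4dc56eed525a49c'
- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=R3', issuer `C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', SHA-1 fingerprint `a053375bfe84e8b748782c7cee15827a6af5a405'
- Certificate[2] info:
 - subject `C=US,O=Internet Security Research Group,CN=ISRG Root X1', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', SHA-1 fingerprint `933c6ddee95c9c41a40f9f50493d82be03ad87bf'
"""


@dataclass
class CertInfo:
    subject: str
    issuer: str


def parse_gnutls_chain(text: str) -> List[CertInfo]:
    """Certificates in served order: leaf first, topmost intermediate last."""
    return [CertInfo(m["subject"], m["issuer"])
            for m in (CERT_LINE.search(line) for line in text.splitlines()) if m]


def common_name(dn: str) -> Optional[str]:
    """CN attribute of a comma-separated DN string, or None if absent."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None


def required_trust_anchor(chain: List[CertInfo]) -> Optional[str]:
    """CN of the root the client must already trust: the issuer of the topmost
    served certificate.  Short LE chain -> ISRG Root X1 (absent from old
    Android trust stores); long chain -> DST Root CA X3."""
    return common_name(chain[-1].issuer) if chain else None


def chain_path(chain: List[CertInfo]) -> str:
    """Readable anchor -> ... -> leaf path, the way the thread writes chains."""
    names = [required_trust_anchor(chain)] + [common_name(c.subject) for c in reversed(chain)]
    return " -> ".join(n or "?" for n in names)


def select_preferred_chain(candidates: List[List[CertInfo]],
                           preferred_issuer_cn: Optional[str] = None) -> List[CertInfo]:
    """Model of certbot's documented --preferred-chain rule: among the chains
    the CA offers, take the first whose topmost certificate was issued by the
    given CN; with no preference or no match, keep the CA's default, which is
    the first candidate."""
    if preferred_issuer_cn is not None:
        for chain in candidates:
            if required_trust_anchor(chain) == preferred_issuer_cn:
                return chain
    return candidates[0]


if __name__ == "__main__":
    short = parse_gnutls_chain(SHORT_CHAIN_OUTPUT)
    long_ = parse_gnutls_chain(LONG_CHAIN_OUTPUT)
    for name, chain in (("Crypt::LE default", short), ("certbot default", long_)):
        print(f"{name:18} {chain_path(chain)}  (client must trust: {required_trust_anchor(chain)})")
    # Preferring ISRG Root X1 picks the short chain, as the certbot flag in the question does.
    chosen = select_preferred_chain([long_, short], "ISRG Root X1")
    print("preferred-chain='ISRG Root X1' ->", chain_path(chosen))
```

Running it prints the long chain as `DST Root CA X3 -> ISRG Root X1 -> R3 -> othersite.com` and the short one as `ISRG Root X1 -> R3 -> somesite.ru`, which makes the compatibility trade-off concrete: the short chain only validates on clients that already ship ISRG Root X1, while the long chain is validated against DST Root CA X3. To check a live server the same way, feed the script the output of `gnutls-cli --print-cert <host>` instead of the embedded samples.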