acme-client

Obsolete Let's Encrypt note in README.md?

Open GProst opened this issue 3 years ago • 4 comments

Is this still accurate info? https://github.com/unixcharles/acme-client#ordering-an-alternative-certificate I believe Let's Encrypt decided to not switch chains so it should continue working with the default chain? Links:

  • https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
  • https://community.letsencrypt.org/t/production-chain-changes/150739

So it seems like order.certificate should work and no changes needed, am I correct?

GProst avatar Aug 04 '21 17:08 GProst

BTW, we're having an issue because order.certificate uses alternative short chain that's not supported by old Android devices, calling order.certificate(force_chain: 'DST Root CA X3') doesn't help, it still uses the short chain without 'DST Root CA X3' for some reason...

GProst avatar Aug 04 '21 18:08 GProst

Ah, never mind the second comment, our code just assumed that the chain consists of 2 certs for some reason and the third one was skipped. Didn't know it would work...

GProst avatar Aug 04 '21 19:08 GProst

force_chain has the opposite issue. It always downloads the 'DST ROOT CA X3' chain :/ There could be something like this...

class Acme::Client
  class ChainIdentifier
    def match_name?(name)
      issuers.last.include?("/CN=#{name}") if issuers.any?
    end
  end
end

beam avatar Sep 30 '21 21:09 beam

@beam Thanks for that solution, worked great for us.

EXPECTED_TERMINAL_CERT_CN = 'ISRG Root X1'
order.certificate(force_chain: EXPECTED_TERMINAL_CERT_CN)

robbat2 avatar Oct 28 '21 03:10 robbat2
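Added example, not part of the thread and not acme-client's own code: it builds two constructed chains with the names discussed above and compares matching a name against any issuer in the chain with matching only the last issuer, as beam's patch does. The any-issuer behaviour is an assumption about what beam is reporting; all helper names, the throwaway key and the example.test leaf are hypothetical.

```ruby
require 'openssl'

# Constructed fixture: one throwaway key signs everything; only the names matter here.
KEY = OpenSSL::PKey::RSA.new(2048)

def make_cert(subject_cn, issuer_cn, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = OpenSSL::X509::Name.parse("/CN=#{issuer_cn}")
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

LEAF  = make_cert('example.test', 'R3', 1)
R3    = make_cert('R3', 'ISRG Root X1', 2)
CROSS = make_cert('ISRG Root X1', 'DST Root CA X3', 3)
LONG_CHAIN  = LEAF + R3 + CROSS  # ends in the cross-signed ISRG Root X1
SHORT_CHAIN = LEAF + R3          # ends at R3, issued by ISRG Root X1

# Parse every certificate in the PEM bundle, not a fixed count of two.
def split_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Issuer common names, leaf first.
def issuer_cns(pem)
  split_chain(pem).map { |c| c.issuer.to_a.find { |k, _| k == 'CN' }&.fetch(1) }
end

# Matches if the name issued any certificate in the chain.
def any_issuer_match?(pem, name)
  issuer_cns(pem).include?(name)
end

# Matches only if the name issued the last certificate in the chain.
def terminal_issuer_match?(pem, name)
  issuer_cns(pem).last == name
end

def pick_chain(chains, name)
  chains.find { |pem| terminal_issuer_match?(pem, name) }
end
```

With any-issuer matching, 'ISRG Root X1' matches both chains, so whichever chain is offered first is selected; matching the terminal issuer tells them apart.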

Closing since it's not too relevant nowadays.

I would be open to add a method to download alternate certificates from the alternate http header and let the end user figure out which cert they want to use if that's useful to anyone.

unixcharles avatar Jan 16 '24 19:01 unixcharles