ACME v2: No "up" link in response


#1

After moving to the v2 API we have noticed that we are not receiving the “up” link in the header from the response. Is there something we can include in our request to get this so we can get the issuer cert?

For now we are parsing the issuer directly out of the bundle we receive, if we stay using this method can we count on the issuer cert always being bundled with the server cert? Will the the issuer certificate always be the 2nd cert in the response body?


#2

Yes. This behavior is explicitly documented in the ACME specification:

https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4.2

Yes, the second certificate will always be the intermediate that issued the first end-entity certificate.

But note that some CAs require longer certificate chains, and Let’s Encrypt may do so in the future as well. So client software should not assume there will always only be two certificates in the chain.


#3

Thanks @Patches, is there something we can do to get the “up” link in the response header?


#4

The ACME working group decided to move away from the “up” concept because so many clients were failing to fetch intermediates, or doing so incorrectly. So ACME v2 will not have “up” links. But the data you get from the PEM chain is equivalent. Is there a reason that doesn’t work as well for you?

Thanks,
Jacob


#5

Nope, that will be fine. I just thought getting it from the “up” link was the correct way to do it. Parsing the data from the pem chain works for us.

Thanks!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.