After moving to the v2 API we have noticed that we are not receiving the “up” link in the header from the response. Is there something we can include in our request to get this so we can get the issuer cert?
For now we are parsing the issuer directly out of the bundle we receive, if we stay using this method can we count on the issuer cert always being bundled with the server cert? Will the the issuer certificate always be the 2nd cert in the response body?
Yes, the second certificate will always be the intermediate that issued the first end-entity certificate.
But note that some CAs require longer certificate chains, and Let’s Encrypt may do so in the future as well. So client software should not assume there will always only be two certificates in the chain.
The ACME working group decided to move away from the “up” concept because so many clients were failing to fetch intermediates, or doing so incorrectly. So ACME v2 will not have “up” links. But the data you get from the PEM chain is equivalent. Is there a reason that doesn’t work as well for you?