Acme4j still getting old production chain


Recently a new chain was rolled out by default

I am using acme4j and I noticed I am still getting the old chain for the certificate I generate.
End-entity certificate ← R3 ← DST Root CA X3

Is there a parameter I should pass to opt-in the new default chain?
Am I missing some other detail?



Can you be specific about where you see the old chain? Specifically in some response it's getting back from the ACME API? Web browsers build their own trust relationships from whatever data they know, so you need to look at specifically what a server is sending (through OpenSSL or SSL Labs or the like) to see what chain it is actually sending. Going to a website and looking at what chain the web browser shows for it only shows what the web browser might have done to validate that it was legitimate, not other possible chains that were also valid.

I'm not really familiar with acme4j specifically, but it should just be receiving a longer chain now but I don't know what that means for what it does with it. Looking at Certificates - acme4j and Certificate (acme4j Client 2.11 API) it looks like cert.getCertificateChain(); should return a list of 3 certificates rather than just a list of 2. Is that not what you see?
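An added example, not code from the thread or from acme4j itself, showing how to log and sanity-check a chain in the same shape that `cert.getCertificateChain()` returns (a `List<X509Certificate>`, leaf first); the class name and the PEM file path passed on the command line are assumptions, so the check can be run on a downloaded chain without an ACME account:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainInspector {

    /** Logs subject -> issuer for each certificate and returns the chain length. */
    static int describeChain(List<X509Certificate> chain) {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i,
                    c.getSubjectX500Principal().getName(),
                    c.getIssuerX500Principal().getName());
        }
        // The last certificate sent is the highest in the chain; its issuer is the
        // root the server expects clients to already trust (DST Root CA X3 above).
        X509Certificate top = chain.get(chain.size() - 1);
        System.out.println("chain length=" + chain.size()
                + ", top issuer=" + top.getIssuerX500Principal().getName());
        return chain.size();
    }

    /** Checks that each certificate is actually signed by the next one in the list. */
    static void verifyLinks(List<X509Certificate> chain) throws Exception {
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate child = chain.get(i), parent = chain.get(i + 1);
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                throw new IllegalStateException("issuer/subject mismatch at index " + i);
            }
            child.verify(parent.getPublicKey()); // throws if the signature does not check out
        }
    }

    /** Loads a PEM bundle (leaf first) into the list shape acme4j hands back. */
    static List<X509Certificate> loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ChainInspector fullchain.pem   (path is an assumption)
        List<X509Certificate> chain = loadPem(args[0]);
        verifyLinks(chain);
        // Per the thread: 2 certificates is the old chain, 3 is the new default chain.
        System.out.println(describeChain(chain) >= 3 ? "new chain" : "old chain");
    }
}
```

In production the same two helpers can be called on the list returned by acme4j's `Certificate#getCertificateChain()` instead of a file.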


I added some logs and then I noticed that actually, the rate of receiving old chain went down.
Eventually, as of 24 hours ago I see that all certificates are of the new chain.
Indeed cert.getCertificateChain() is returning a list of 3 chains.


I'm glad you were able to get your issue sorted out. Welcome to our community!

