API to stay notified of root cert changes


#1

Hi Team,

Is there an API available to identify when a root certificate is changing? If not, what is the best way to ensure we are notified of a root certificate change.

Thanks!
Grant


#2

As far as I know, no such API exists.

But all API changes are announced here on this forum. I would suggest putting the notification level (the square button with the circle in it, just next to the “New Topic” button) of the API Announcements category on “Watching”. If a new topic is posted, it should send you an e-mail.


#3

Thanks for the quick response, Osiris. I will definitely start watching the API announcements.

What is your recommendation for staying notified of root certificate changes?

-Grant


#4

The ACME protocol includes a feature where you’re given the intermediate certificate that the CA recommends that you use. If Let’s Encrypt decides that the existing intermediate is no longer the most appropriate one to use, the intermediate certificate served via this mechanism will change and clients should receive the new one automatically.

That could happen, for example, if the recommended root changes.

The recommended or expected root is ordinarily the issuer of the highest-level intermediate certificate that the CA offers you via the ACME protocol. So this information is in a sense already always updated automatically.


#5

But I can imagine an administrator wants to know if and when this happens. Especially, if clients will just auto-renew continuously, as recommended by Let’s Encrypt.

Also, not every situation is a default webserver hosted somewhere for “normal” web clients. Perhaps @gdouglas has a very good reason to need to know the exact switch. Perhaps embedded systems or something like that.


#6

Good points, @Osiris.

Currently, you’d be able to find out about root changes by watching the output of

openssl x509 -issuer -in /etc/letsencrypt/live/example.com/chain.pem -noout

for some autorenewed cert on your domain of interest (or substituting the equivalent location of the chain cert saved by some other non-Certbot client application).

If it changes, the recommended root has changed. :slight_smile:
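The check above can be automated as a Certbot deploy hook so the comparison happens on every auto-renewal rather than when someone remembers to look. The script below is an added example, not Certbot or Let's Encrypt code. It assumes Certbot's `--deploy-hook` environment variable `RENEWED_LINEAGE`, an `openssl` binary on `PATH`, and a state directory (`/var/lib/chain-watch`, an assumption) in which the last seen issuer is recorded. It reads the issuer of the last certificate in `chain.pem`, which for a single-intermediate chain is the same certificate the one-liner above inspects, and for a longer chain is the highest-level intermediate that the CA served.

```python
#!/usr/bin/env python3
"""Certbot deploy hook: alert when the issuer of the highest-level
intermediate in chain.pem (i.e. the recommended root) changes between
renewals. Added example; not Certbot or Let's Encrypt code."""
import os
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Tuple

STATE_DIR = Path("/var/lib/chain-watch")  # assumption: where the last issuer is stored


def pem_blocks(text: str) -> List[str]:
    """Split a PEM bundle into its individual CERTIFICATE blocks, in file order."""
    blocks: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----") and current:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return blocks


def parse_issuer(openssl_output: str) -> str:
    """Pull the DN out of the 'issuer=...' line printed by `openssl x509 -issuer -noout`.
    Different OpenSSL versions vary the spacing after 'issuer=', so strip it."""
    for line in openssl_output.splitlines():
        if line.startswith("issuer="):
            return line[len("issuer="):].strip()
    raise ValueError("no issuer line in openssl output")


def issuer_of(pem: str) -> str:
    """Run openssl on a single PEM certificate and return its issuer DN."""
    proc = subprocess.run(
        ["openssl", "x509", "-issuer", "-noout"],
        input=pem, text=True, capture_output=True, check=True,
    )
    return parse_issuer(proc.stdout)


def check_and_record(lineage: str, issuer: str, state_dir: Path) -> Tuple[bool, Optional[str]]:
    """Compare `issuer` with the value recorded for this lineage and record the new one.
    Returns (changed, previous_issuer); previous_issuer is None on the first run."""
    state_dir.mkdir(parents=True, exist_ok=True)
    state_file = state_dir / (Path(lineage).name + ".issuer")
    previous = state_file.read_text().strip() if state_file.exists() else None
    state_file.write_text(issuer + "\n")
    return (previous is not None and previous != issuer, previous)


def main() -> None:
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by Certbot for --deploy-hook
    if not lineage:
        sys.exit("RENEWED_LINEAGE not set; run this as a Certbot --deploy-hook")
    chain = Path(lineage, "chain.pem").read_text()
    blocks = pem_blocks(chain)
    if not blocks:
        sys.exit(f"no certificates found in {lineage}/chain.pem")
    issuer = issuer_of(blocks[-1])  # highest-level intermediate: its issuer is the root
    changed, previous = check_and_record(lineage, issuer, STATE_DIR)
    if changed:
        print(f"ALERT: recommended root for {lineage} changed: {previous!r} -> {issuer!r}")
    else:
        print(f"recommended root unchanged for {lineage}: {issuer}")


if __name__ == "__main__":
    main()
```

Install it with `certbot renew --deploy-hook /path/to/chain_watch.py` (or drop it in `/etc/letsencrypt/renewal-hooks/deploy/`) and route the `ALERT` line to whatever your monitoring watches. Because it keys the state file on the lineage name, several certificates on one host are tracked independently.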


#7

Thanks @schoen and @Osiris!


#8

Hi @Osiris and @schoen,

I have one follow up question. So if watching this output gives us the root of an already provisioned cert, it seems that this would not inform of us of a new Root since it would not be in use by any existing certs.

Are there any other ways of staying notified of a root change?

Thanks!
Grant


#9

As I said, such important things will always be announced on this forum in the said section. I don’t think there really is another way. I don’t think @lestaff will e-mail an announcement on the known registered e-mail addresses used in the certificate issuing process.


#10

Hi @gdouglas,

Whenever you issue a certificate, including issuing a renewal certificate based on an existing one, Let’s Encrypt uses the ACME protocol to send a recommended chain. Certbot, at least, will save the new chain to disk (you’ll find it in the new target of chain.pem). So, a change in the recommended cert will be visible when you perform a renewal.


#11

But only after the root change is already in effect. I think @gdouglas would like to know in advance.


#12

Oh, even in advance of the issuance of individual certificates that are recommended to be chained from that root? In that case there’s no way to do this notification inside the protocol, so I’d agree with watching the API Announcements category here on the forum. You could also watch the Let’s Encrypt home page at https://letsencrypt.org/ or Twitter account at https://twitter.com/letsencrypt, since a change like this is also likely to be mentioned there.


#13

The current chain of trust is listed online: https://letsencrypt.org/certificates/

Couldn’t that just be periodically checked?

It would be even neater if there were a json representation of the page:

E.g. https://letsencrypt.org/certificates/as.json which lists the certificates and links to them.

It could even have a ‘last-updated’ key.

That would be much better than periodically indexing the page and checking its MD5 sum, which catches changes to text and templates and often gives me a false positive (as I totally use this method to detect changes myself :wink:).
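Short of an official JSON feed, the false positives from hashing the whole page go away if you hash only the thing you care about: the set of certificate files the page links to. The script below is an added example, not Let's Encrypt tooling. It assumes the page links the certificate files with `.pem`, `.der` or `.txt` suffixes (the page's actual markup is an assumption here; adjust `LINK_SUFFIXES` if it differs), and keeps a JSON snapshot at a path you choose so that the next run reports exactly which links were added or removed.

```python
#!/usr/bin/env python3
"""Watch https://letsencrypt.org/certificates/ for changes to the set of
certificate files it links to, ignoring text and template churn.
Added example; not Let's Encrypt code."""
import hashlib
import json
from html.parser import HTMLParser
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin
from urllib.request import urlopen

PAGE = "https://letsencrypt.org/certificates/"
LINK_SUFFIXES = (".pem", ".der", ".txt")  # assumption about how the page links cert files


class CertLinkParser(HTMLParser):
    """Collect absolute URLs of <a href> targets that look like certificate files."""

    def __init__(self, base: str) -> None:
        super().__init__()
        self.base = base
        self.links: Set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and href.lower().endswith(LINK_SUFFIXES):
            self.links.add(urljoin(self.base, href))


def certificate_links(html: str, base: str = PAGE) -> List[str]:
    """Sorted list of certificate-file URLs found in the page HTML."""
    parser = CertLinkParser(base)
    parser.feed(html)
    return sorted(parser.links)


def snapshot(links: List[str]) -> Dict[str, object]:
    """A JSON-serialisable snapshot: the link list plus a digest of it alone."""
    digest = hashlib.sha256("\n".join(links).encode()).hexdigest()
    return {"links": links, "sha256": digest}


def diff_links(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) between two snapshots' link lists."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def compare_with_state(links: List[str], state_path: Path) -> Optional[Tuple[List[str], List[str]]]:
    """Record the current snapshot and return (added, removed) relative to the
    previous one, or None when there was no previous snapshot to compare."""
    previous = json.loads(state_path.read_text()) if state_path.exists() else None
    current = snapshot(links)
    state_path.write_text(json.dumps(current, indent=2) + "\n")
    if previous is None:
        return None
    return diff_links(previous["links"], current["links"])


def main() -> None:
    state = Path("certificates-page.json")  # assumption: snapshot lives in the working directory
    with urlopen(PAGE) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    result = compare_with_state(certificate_links(html), state)
    if result is None:
        print("first run: snapshot recorded")
        return
    added, removed = result
    if added or removed:
        print("ALERT: certificate links changed")
        for url in added:
            print("  + " + url)
        for url in removed:
            print("  - " + url)
    else:
        print("no change to certificate links")


if __name__ == "__main__":
    main()
```

Run it from cron and alert on any `ALERT` line; a re-worded paragraph or a new page template no longer trips it, while a newly linked root or intermediate does. As the next reply notes, the page is maintained by hand, so treat this as a backstop to the forum announcements rather than a replacement for them.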


#14

Well, I assume such a desire. @gdouglas hasn’t informed us on his motivations, so we can only guess.

The site is updated manually through GitHub updates and could be lagging behind important updates. I would say API announcements are the most timely notifications.