Changes in June 2021

Hi :wave:

As I understand it, there are different certificate chains. On the one hand to ISRG Root X1 (Lets Encrypt) and on the other hand to DST Root CA X3 (IdenTrust). The chain to IdenTrust seems important for a high compatibility, because of older clients (very old Android phones as example).

On November 2020, a blog post stated that the second chain would be dropped by default. On December 2020, this statement was revised. The second blog post also states the following:

What happens when the new cross-sign expires? This new cross-sign will expire in early 2024. Prior to that, perhaps as early as June 2021, we will be making a similar change to what we intended to make this January. When we make that change, subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it.

We use Dehydrated as the ACME client. Now I have a few questions about the quote above :slight_smile:

  1. Is the change still planned for June 2021? If so, is there already information about it?
  2. Can I already overwrite the default chain so that this does not affect me in June 2021?

Thanks,
Markus

2 Likes

I highly recommend subscribing to the API announcements here on the forums, as this is the place where you get exactly this kind of information.

The switch to the new long cross signed chain is currently planned for May 4. See the post below.

Theoretically, yes. Practically, it depends. A good acme client usually handles all intermediate certificates automatically, without requiring action from the subscriber. This means both that the transition on May 4 should not interrupt you and it also means that manual configurations/overrides/hacks on the intermediates are not recommended.

Last time I checked, Let's Encrypt currently does not offer the new-long chain in production as an "alternate chain" [alternate chains can be optionally downloaded by your acme client, if configured to do so]. However, they do offer a very similar test chain in their staging enviroment, so you could do test-runs over on staging.

If you really need to, you can theoretically manually download and serve the new long chain "by hand" thus overriding the chain selected by your acme client, as all signatures involved are compatible. This however requires you to fully manually manage your intermediate certificates, which is stronlgy not recommended. Your acme client should manage the chain served by your systems instead.

6 Likes

I highly recommend subscribing to the API announcements here on the forums, as this is the place where you get exactly this kind of information.

Thanks, will do :slight_smile:

This is good news for me! First had the fear it could be the other way around, so that I would have to configure the longer chain consciously from June 2021. But so I can wait easy until the change takes place and can, if necessary, still react until 01.09.2021 (then when the Intermedia expires).

Assuming I have understood everything correctly, my questions are thus answered.

4 Likes

While I also recommend subscribing, I will note that while some updates are in the API Announcements section of the forum, some updates are in the blog, and some updates are in the documentation pages. It sometimes gets a little hard to follow, and I often find myself needing to search all three places in order to find the link I'm looking for to place in a post. Organizing information is hard, and I don't know as I would do any better myself so I hate to complain, but I'm guessing you're not the only one who's been frustrated by trying to find out what the current plan is as updates keep happening.

4 Likes

Peter, this reply is somewhat germane to the project I'm attempting to finish right now, so I'm going to thank you for helping me finish my last assignment for this semester of grad school.

Would you say that the LE staff has been pretty good at letting users know where updates and announcements are supposed to be? Which avenue of information are you likely to check first when it comes to API updates? In your preference, where would you want them to put issuance changes?

1 Like

I don't want to hijack this thread more than I already have; I'll try to put together a more comprehensive separate topic on my thoughts on how information gets distributed, as I do have some examples in mind of some frustrations I've had and have seen others have in finding things. I may not get to it until this weekend, though.

2 Likes

Take your time, then. I'm not in a real hurry.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.