ECDSA Intermediate and Feb 8th Root Change

My account is opted in to the ECDSA Intermediate allow list. On this account, I noticed my RSA certificates issued after Feb 8th (including today) still include the old "long" certificate chain.

I was wondering if this was a client bug so I created a new account (which of course would not be opted in to the ECDSA intermediate allow list) and issued a test certificate. That certificate chain is defaulting to the correct "short" one.

Was the config change perhaps overlooked for accounts on the ECDSA intermediate allow list?


My domain is: greg2710dw.greg.gtw86.com (used test007.test.gtw86.com on the new test account)

I ran this command: N/A

It produced this output: N/A

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): LeGo CertHub v0.19.0

I don’t know of any reason offhand that the ECDSA allowlist would matter: that’s just a check for which intermediate to use. The chains to serve aren’t tied to that at all. But it’s always possible there’s something going on I don’t know about.

If I had to guess, it’s more likely something the client is doing.

I will take a bit of a look to see if I can explain the behaviour you’re seeing.


Thanks for weighing in. I’ll play with it some more tomorrow. I actually wrote the client and didn’t implement an option to even use alternate chains yet. I had it on my (maybe) to-do list.

edit: Everything seems sane today. Perhaps I was just half asleep last night.

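For reference, here is an added example (not LeGo CertHub's code and not part of the original thread) of the ACME mechanism behind the "alternate chains" mentioned above: under RFC 8555 §7.4.2 the server advertises alternate certificate chains as `Link` headers with `rel="alternate"` on the certificate download response, and a client that wants the other chain must parse those headers and fetch the linked URL. The header values below are constructed, and the `acme.example` host is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# One link-value per RFC 8288: <URI-Reference>; param=value; param="quoted value"
# Assumption: parameter values do not themselves contain ';' or ','.
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')


def parse_link_header(value: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split one Link header field value into (url, params) pairs.

    Several link-values may be packed into a single header, separated by commas.
    """
    links = []
    for match in _LINK_RE.finditer(value):
        url, raw_params = match.group(1), match.group(2)
        params: Dict[str, str] = {}
        for part in raw_params.split(';'):
            part = part.strip()
            if not part or '=' not in part:
                continue
            key, val = part.split('=', 1)
            params[key.strip().lower()] = val.strip().strip('"')
        links.append((url, params))
    return links


def alternate_chain_urls(link_headers: List[str]) -> List[str]:
    """Return the URLs of alternate chains advertised on a certificate download.

    Only rel="alternate" links are chain candidates; rel="index" and others are ignored.
    """
    urls = []
    for header in link_headers:
        for url, params in parse_link_header(header):
            # rel may carry several space-separated relation types
            if 'alternate' in params.get('rel', '').lower().split():
                urls.append(url)
    return urls


# Constructed sample: the Link headers an ACME server might return with a certificate.
SAMPLE_LINKS = [
    '<https://acme.example/directory>;rel="index"',
    '<https://acme.example/acme/cert/abc/1>;rel="alternate", '
    '<https://acme.example/acme/cert/abc/2>;rel="alternate"',
]

if __name__ == '__main__':
    for u in alternate_chain_urls(SAMPLE_LINKS):
        print('alternate chain available at', u)
```

The default chain is whatever the certificate URL itself returns; a client only ends up on a different chain if it follows one of these links deliberately.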
