Fetch root cert from ACME


#1

Hi,

Currently, only the intermediary chain can be retrieved from ACME protocol (via /acme/issuer-cert), without the root LE cert.
On production, you can hardcode the root cert (via https://letsencrypt.org/certs/isrgrootx1.pem) on your automation tool, but on pre-prod (staging LE) or internal dev (custom boulder CA), it’s difficult to handle correctly the root selection.

Root is needed for cert pinning/HPHP or DANE/TLSA, even more in the case of private key renewal each 90d (very risky/error-prone to pin the key, you need to pin an intermediary (with trouble if changed) or better the root cert).

Why not include a /acme/root-cert/ on ACME protocol ?


#2

If you want to use HPKP, I’d suggest using the same key again or setting the max-age to 90 days, so you don’t run issues locking users out.

You can parse the intermediate certificate and use the AIA URL to fetch the root certificate.


#3

Don’t do this with key renew 60d or 90d.
HPKP doesnt support key change from last change to last change + max age. See here.
Having 90d max-age with 60d key renew is a non sense (risk of HPKP break for clients).
Having 90d max-age with 90d key renew put you vulnerable all the time (no way to renew the key before 90d after the last renew, key renew each 90d).
To have HPKP working correctly, you need key renewal >>> max-age (for example max-age 90d with key renew 1y = protected 75% of the time, and 98% with 10y key renew).
The best with HPKP is to have stable key ’til compromission or weakness.

For prod, AIA point to IdentTrust (http://apps.identrust.com/roots/dstrootcax3.p7c), no way to fetch the root LE cert (https://letsencrypt.org/certs/isrgrootx1.pem).
For staging, AIA is wrong (http://cert.stg-int-x1.letsencrypt.org/ is the intermediate, not root).
For custom boulder (at least out-of-the-box, perhaps possible to change this), AIA is IdentTrust too.


#4

LE root isn’t used currently anyway. We don’t even have X3 and X4 signed by the ISRG root yet.

Then that’s a bug which should be reported.

Same here. Shouldn’t point to IdenTrust.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.