How to request the longer chain after 08/02/2024?

We provide a service that orders certificates from LE via ACME client.
A user could set the preferred chain parameter if he needed the shorter chain (ending with ISRG Root X1).
From 08/02/2024 the default chain will be changed to the shorter one.
Can our users use preferred chain = DST Root CA X3 to continue getting the long chain?
Thanks

1 Like

Have you seen this announcement and its related Blog post? I think it should answer your question

6 Likes

As the long chain will be unavailable from June I would suggest either committing to the short chain and accepting the compatibility constraints of that, or change CA, rather than just deferring the problem for a few more months.

1 Like

I saw this announcement, and that's why I asked my question.

You have the option of doing some manual configuration of your ACME client to gain six extra months of compatibility for older Android devices visiting your sites.

Does this mean to use preferred chain = DST Root CA X3 ?

I wrote that we provide a service that orders certificates from LE.
We don't use the certificates ourselves; we order them for our customers.
I don't know what the use cases of our multiple customers are.
My question is about our customers that need the longer chain for the next months in some case.

It depends if your acme client supports that. Which one are you using?

4 Likes

We support this parameter.
Until now, some of our customers used this parameter to get the shorter chain.

My question was, can this parameter be used to get the longer chain after 08/02/2024?

And, the answer is in the announcement and Blog I linked to earlier. I don't know how else to answer your question. Without knowing your ACME client or how it works we can't say exactly if or how it works. But, yes, it will be possible to get the longer chain from Feb 8 until Jun 6.

Below is from the Blog linked in my post #2

The transition will roll out as follows:

On Thursday, Feb 8th, 2024, we will stop providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.

On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.

On Monday, September 30th, 2024, the cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.

5 Likes

Thank you

2 Likes

Here is a technical explanation:

After an ACME client finalizes an order, the certificate is available on the Certificate URL.

On 2/8/2024, the Certificate available on that URL will switch from the Long Chain to the Short Chain.

Alternate certificates may be available as Link headers on that URL. LetsEncrypt plans to offer the Long Chain until 6/6/2024 via this mechanism.

ACME Clients support downloading the alternate chain in different ways, if at all. Some require a parameter on the command line, others are driven by a configuration setting, others do not support it at all. The command line argument that works on one version of one client may not work on other clients or differing versions of that same client.

5 Likes
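The mechanism described in the post above (the default chain on the certificate URL, alternates advertised as `Link: <...>;rel="alternate"` headers, and a client-side "preferred chain" match) can be sketched in a few lines. The code below is an added example for this thread, not code from Lego or any other ACME client. It assumes, as a simplification, that the preferred-chain setting is matched against the issuer Common Name of the last certificate in each candidate chain (the `SAMPLE_*` values, the `acme.example` URLs and the `fetch` callback are all constructed stand-ins; real chains are PEM bundles that you would parse to obtain those names). It also shows the failure mode that matters after June 6th: once the server stops advertising the alternate, the preferred-chain setting silently has no effect and the client falls back to the default (short) chain, so a service that promises customers the long chain should check which chain it actually received.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the Link headers an ACME server might return on the
# certificate URL after the Feb 8th switch (default = short chain, one
# rel="alternate" entry pointing at the long chain).  URLs are placeholders.
DEFAULT_CERT_URL = "https://acme.example/acme/cert/EXAMPLE"
SAMPLE_LINK_HEADERS = [
    '<https://acme.example/directory>;rel="index"',
    '<https://acme.example/acme/cert/EXAMPLE/1>;rel="alternate"',
]

# Constructed stand-in for the PEM chains behind each URL.  Each chain is
# represented by the issuer Common Names of its certificates, leaf first,
# so the last element names the root that chain terminates at.
SAMPLE_CHAINS: Dict[str, List[str]] = {
    DEFAULT_CERT_URL: ["R3", "ISRG Root X1"],                       # short chain
    DEFAULT_CERT_URL + "/1": ["R3", "ISRG Root X1", "DST Root CA X3"],  # long chain
}

# Matches one "<url>;rel=value" pair; a single Link header value may carry
# several of them separated by commas, so findall() is used below.
LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')


def alternate_links(headers: List[str]) -> List[str]:
    """Return every URL advertised with rel="alternate" in the given Link headers."""
    urls: List[str] = []
    for value in headers:
        for url, rel in LINK_RE.findall(value):
            if rel == "alternate":
                urls.append(url)
    return urls


def chain_terminates_at(chain: List[str], root_name: str) -> bool:
    """True when the last certificate in the chain was issued by `root_name`."""
    return bool(chain) and chain[-1] == root_name


def pick_chain(
    default_url: str,
    headers: List[str],
    preferred_chain: Optional[str],
    fetch: Callable[[str], Optional[List[str]]],
) -> Tuple[str, List[str]]:
    """
    Download the default chain and, if a preferred root name is configured,
    walk the default plus every advertised alternate and return the first
    chain ending at that root.  If none matches (for example after the
    server stopped offering the long chain), fall back to the default chain.
    """
    default_chain = fetch(default_url) or []
    if not preferred_chain:
        return default_url, default_chain
    for url in [default_url] + alternate_links(headers):
        chain = fetch(url) if url != default_url else default_chain
        if chain and chain_terminates_at(chain, preferred_chain):
            return url, chain
    # Nothing matched: the caller gets the default and should verify the root.
    return default_url, default_chain


if __name__ == "__main__":
    url, chain = pick_chain(DEFAULT_CERT_URL, SAMPLE_LINK_HEADERS, "DST Root CA X3", SAMPLE_CHAINS.get)
    print("requested DST Root CA X3 ->", url, chain)
    # Simulate the post-June-6th server that advertises no alternate chain.
    url, chain = pick_chain(DEFAULT_CERT_URL, SAMPLE_LINK_HEADERS[:1], "DST Root CA X3", SAMPLE_CHAINS.get)
    print("after alternates are withdrawn ->", url, chain)
    if not chain_terminates_at(chain, "DST Root CA X3"):
        print("WARNING: preferred chain not available, got default chain")
```

A client that needs the long chain for a customer should treat the second case as a warning rather than a success, because the downloaded chain is valid and will be installed without complaint even though it is not the one the customer asked for.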

Thank you for your answer.
We use Lego ACME client.
As I wrote, our users CAN use the parameter preferred_chain; it works for those who want the shorter chain now.
Will the same parameter work to get the longer chain after 08/02/2024?
preferred_chain = DST Root CA X3

1 Like

Yes, it should, until Thursday, June 6th, 2024, as explained in the blog mentioned in the first reply to your thread and explicitly quoted in @MikeMcQ's post 18 hours ago.

1 Like

Thank you for finally sharing the name of your client, on the 6th posting after two days.

Identifying the client was on the list of questions you failed to respond to in your initial posting, and that information had been asked and ignored.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.