Incomplete alternate certificate chains at staging area

Hi,

I am working to implement download of alternate chains in acme-tiny. At the moment I am working at the staging area. The first download from

https://acme-staging-v02.api.letsencrypt.org/acme/cert/<hash-id>

returns a chain of three certificates: the ordered certificate and two intermediates ("Artificial Apricot R3", "Pretend Pear X1"). In the headers there is a single alternate link header pointing to

https://acme-staging-v02.api.letsencrypt.org/acme/cert/<hash-id>/1

(with exactly the same string). Requesting this returns only the ordered certificate and the first intermediate. There is no "Pretend Pear X1" in the returned chain. As far as I understand these two requests should return exactly the same data.

Neither request returns the "Doctored Durian Root CA X3".

BTW It would be nice to have more than one chain available at staging to develop software capable of choosing between available chains.

Kind regards,
s

2 Likes

We are working on making multiple alternate chains available in Staging in preparation for the multiple alternate chains that will be available in Production. The first step in this was generating and issuing from a new Staging Hierarchy that better resembles Production and has several chain paths. The Staging API should now serve a default chain of EE <-- R3 <-- X1 <-- DST3 (expired) and alternate chain of EE <-- R3 <-- X1 (Our first deploy of the new hierarchy had an incorrect default chain which we fixed to the above).

It's possible you are running into this problem:

You can fetch the STAGING Doctored Durian Root CA X3 from http://stg-dst3.i.lencr.org/

3 Likes

The Staging API should now serve a default chain of EE <-- R3 <-- X1 <-- DST3 (expired) and alternate chain of EE <-- R3 <-- X1

I am afraid that at this very moment only the latter chain is available. And if requested via /1 url X1 is not sent to a client.

Anyway, thanks for a swift reply. Since this is my hobby project, I'll leave it till the next weekend. Hopefully this will boost my productivity (;

2 Likes

After fixing the default chain to be the long chain, Let's Encrypt tested by issuing certificates with Certbot and verified the long chain like so:

$ openssl verify -issuer_checks -CAfile <( curl -sf http://stg-dst3.i.lencr.org | openssl x509 -inform der -outform pem ) -untrusted /path/to/chain.pem /path/to/cert.pem

/path/to/cert.pem: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
error 10 at 3 depth lookup:certificate has expired # Expected Error
OK

So, it seems that at least certbot is getting the correct chain.pem with (STAGING) Pretend Pear X1 signed by (STAGING) Doctored Durian Root CA X3

Nonetheless, a variety of Staging chains will be available in the coming days and the API Announcement thread for the Staging Hierarchy will be updated to reflect that. Hopefully, when you get back to working on your client, everything will be fixed and improved for the updates you're doing.

3 Likes

If it was this problem, it should be resolved now. Stay tuned for more changes to the Staging environment including multiple alternate chains.

1 Like

Any updates on alternative chains?

Also, the docs are not consistent regarding the staging chain: Staging Environment - Let's Encrypt - Free SSL/TLS Certificates

The staging environment intermediate certificate ("(STAGING) Artificial Apricot R3") is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the "(STAGING) Pretend Pear X1" certificate to your testing trust store.

Linked intermediate (thumbprint efc3e66b01d373f32dab9bdc581b59c1860cddc4) is signed by certificate with thumbprint 2534c02f1de94ca582ab6d4fa655e458ab048409 (expiring on 2024-09-30) and not by linked root (thumbprint 66493ba4f36d1731729b1118c7f5e2d540e3f37b, expiring on 2035-06-04).

1 Like

For the staging environment...

This was the primary chain of issuance:

This is the primary chain of issuance:

This was and is the alternate chain of issuance:

1 Like

Hi @griffin, both provided links for primary and alternate Artificial Apricot R3 point to the same certificate file from primary chain. Issue still stands.

1 Like

There are two different (STAGING) Pretend Pear X1 certificates. Both use the same private key and thus either can be used to authenticate (STAGING) Artificial Apricot R3.

The one signed by (STAGING) Doctored Durian Root CA X3 is this one:

The one you linked (self-signed) is this one:


There are two different (STAGING) Artificial Apricot R3 certificates. Both use the same private key.

The one you linked (signed by (STAGING) Pretend Pear X1) is this one:

The one signed by (STAGING) Doctored Durian Root CA X3 is this one:

https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3-cross-signed.pem
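The two situations discussed in this thread, a chain served without the X1 intermediate (the /1 response in the first post) and two distinct X1 certificates that share one key (the post above), can both be reproduced offline with Go's standard library. This is an added example, not code from acme-tiny or Let's Encrypt: it constructs a throwaway hierarchy with the staging names (the keys and the "example.test" leaf are invented) and checks which chains verify against which trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn with public key pub, signed by signer under parent's name (nil parent: self-signed).
func mkCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed hierarchy: unique is enough
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = tmpl // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER from CreateCertificate always parses
	return c
}

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// Build mimics the staging hierarchy EE <-- R3 <-- X1 <-- DST3 and adds a self-signed X1 that carries the same X1 key.
func Build() (dst3, x1Cross, x1Self, r3, ee *x509.Certificate) {
	dst3K, x1K, r3K, eeK := newKey(), newKey(), newKey(), newKey()
	dst3 = mkCert("(STAGING) Doctored Durian Root CA X3", &dst3K.PublicKey, nil, dst3K, true)
	x1Cross = mkCert("(STAGING) Pretend Pear X1", &x1K.PublicKey, dst3, dst3K, true)
	x1Self = mkCert("(STAGING) Pretend Pear X1", &x1K.PublicKey, nil, x1K, true)
	r3 = mkCert("(STAGING) Artificial Apricot R3", &r3K.PublicKey, x1Cross, x1K, true)
	ee = mkCert("example.test", &eeK.PublicKey, r3, r3K, false)
	return
}

// pool and Verifies: the check a client should run on every chain it downloads, against the roots it trusts.
func pool(cs ...*x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); for _, c := range cs { p.AddCert(c) }; return p }

func Verifies(ee *x509.Certificate, intermediates, roots []*x509.Certificate) bool {
	_, err := ee.Verify(x509.VerifyOptions{Roots: pool(roots...), Intermediates: pool(intermediates...)})
	return err == nil
}
```

With DST3 as the only trust anchor, the chain EE, R3 without X1 does not verify, which is exactly why a /1 response lacking X1 is a problem for a client that trusts the root rather than the self-signed X1.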
