returns a chain of three certificates. The ordered, and two intermediate ("Artificial Apricot R3", "Pretend Pear X1"). In the headers there is a single alternate link header pointing to
(with exactly the same string). Requesting this returns only the ordered certificate and the first intermediate. There is no "Pretend Pear X1" in the returned chain. As far as I understand these two requests should return exactly the same data.
Neither request returns the "Doctored Durian Root CA X3".
BTW It would be nice to have more than one chain available at staging to develop software capable of choosing between available chains.
We are working on making multiple alertnate chains available in Staging in preparation for the multiple alternate chains that will be available in Production. The first step in this was generating and issuing from a new Staging Hierarchy that better resembles Production and has several chain paths. The Staging API should now serve a default chain of EE <-- R3 <-- X1 <-- DST3 (expired) and alternate chain of EE <-- R3 <-- X1 (Our first deploy of the new hierarchy had an incorrect default chain which we fixed to the above).
It's possible you are running into this problem:
You can fetch the STAGING Doctored Durian Root CA X3 from http://stg-dst3.i.lencr.org/
After fixing the default chain to be the long chain, Let's Encrypted tested by issuing certficates with Certbot and verified the long chain like so:
$ openssl verify -issuer_checks -CAfile <( curl -sf http://stg-dst3.i.lencr.org | openssl x509 -inform der -outform pem ) -untrusted /path/to/chain.pem /path/to/cert.pem
/path/to/cert.pem: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
error 10 at 3 depth lookup:certificate has expired # Expected Error
OK
So, it seems that at least certbot is getting the correct chain.pem with (STAGING) Pretend Pear X1 signed by (STAGING) Doctored Durian Root CA X3
Nontheless, a variety of Staging chains will be available in the coming days and the API Announcement thread for the Staging Hierarchy will be updated to reflect that. Hopefully, when you get back to working on your client, everything will be fixed and improved for the updates you're doing
The staging environment intermediate certificate ("(STAGING) Artificial Apricot R3") is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the "(STAGING) Pretend Pear X1" certificate to your testing trust store.
Linked intermediate (thumbprint efc3e66b01d373f32dab9bdc581b59c1860cddc4) is signed by certificate with thumbprint 2534c02f1de94ca582ab6d4fa655e458ab048409 (expiring on 2024-09-30) and not by linked root (thumbprint 66493ba4f36d1731729b1118c7f5e2d540e3f37b, expiring on 2035-06-04).
Hi @griffin, both provided links for primary and alternate Artificial Apricot R3 point to the same certificate file from primary chain. Issue still stands.
There are two different(STAGING) Pretend Pear X1 certificates. Both use the same private key and thus either can be used to authenticate (STAGING) Artificial Apricot R3.
The one signed by (STAGING) Doctored Durian Root CA X3 is this one:
The one you linked (self-signed) is this one:
There are two different(STAGING) Artificial Apricot R3 certificates. Both use the same private key.
The one you linked (signed by (STAGING) Pretend Pear X1) is this one:
The one signed by (STAGING) Doctored Durian Root CA X3 is this one:
