For historical reasons, we currently hardcode intermediates. I would like to make sure that I don't miss any changes to the chain - can anyone confirm that the “Let's Encrypt Technical Updates” newsletter provides information about changes to the chain and intermediates in particular? If not, what is a reliable channel for this information? Thank you very much!
Andreas
An intermediate can change at any time, with or without notification. So hard-coding is a pretty bad design decision.
That was the fourth change of the intermediate at Let's Encrypt.
X1 -> X3 -> R3 -> (R10 or R11) -> (R12 or R13)
You can subscribe to that category to get info about changes.
The last change was announced a few weeks earlier.
Similar topics with hard-coded stuff
The next planned switch will be to the not-yet-generated YE1, YE2, YR1, YR2 next year.
For scenarios where you simply must know the intermediates before starting to use a certificate, I would suggest:
- renew (order) your certificate early, without deploying it yet
- identify whether your new cert uses an intermediate you haven't seen before
- deploy the intermediates via update channels
- deploy your new certificate
- repeat
You could additionally have any number of "canary" certificates renewing so you can watch for new intermediates. The key thing is not deploying until you can update your trust store.
The best thing to do is make code changes to trust any intermediate issued by a root you already trust, and have a solid method to update that list of trusted roots. If you can make those code changes I'd suggest prioritizing those rather than implementing any workaround.
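The gate in the steps above, as an added example that is not from the thread or from any ACME client: a Go program that parses a leaf-first PEM bundle, verifies the leaf chains to a root already in the trust store, and reports every bundled intermediate whose SHA-256 fingerprint is not yet recorded. The toy Ed25519 root/intermediate/leaf it builds, and the names CanaryCheck, Fixture, issue and pemOf, are constructed for this example.

```go
package main
import ("crypto/ed25519"; "crypto/rand"; "crypto/sha256"; "crypto/x509"; "crypto/x509/pkix")
import ("encoding/pem"; "fmt"; "math/big"; "time")

// Fingerprint (hex SHA-256 of the DER) is the key under which an intermediate is recorded in the trust store.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// CanaryCheck is the pre-deploy gate: the leaf (first PEM block, as in an ACME client's fullchain.pem) must chain
// to a root in roots via the bundled intermediates; a non-empty result lists intermediates not yet in known.
func CanaryCheck(bundle []byte, known map[string]bool, roots *x509.CertPool) ([]string, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil { return nil, err }
		certs = append(certs, c)
	}
	if len(certs) < 2 { return nil, fmt.Errorf("bundle holds %d certificate(s); need leaf plus intermediates", len(certs)) }
	inter := x509.NewCertPool()
	for _, c := range certs[1:] { inter.AddCert(c) }
	if _, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		return nil, fmt.Errorf("leaf does not chain to a trusted root: %w", err) // unknown root: stop and investigate
	}
	var unseen []string
	for _, c := range certs[1:] { if fp := Fingerprint(c); !known[fp] { unseen = append(unseen, fp) } }
	return unseen, nil
}

// Constructed fixture, a toy Ed25519 hierarchy and not Let's Encrypt's: issue signs cn under parent (self-signed if nil).
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { parent, parentKey = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
// Fixture mimics an issuer rotation: root is trusted, the renewed leaf arrives signed by and bundled with a new intermediate B.
func Fixture() (roots *x509.CertPool, bundle []byte, newFP string) {
	root, rootKey := issue("Toy Root", true, nil, nil)
	inter, interKey := issue("Toy Intermediate B", true, root, rootKey)
	leaf, _ := issue("example.test", false, inter, interKey)
	roots = x509.NewCertPool(); roots.AddCert(root)
	return roots, append(pemOf(leaf), pemOf(inter)...), Fingerprint(inter)
}
func main() {
	roots, bundle, _ := Fixture()
	fmt.Println(CanaryCheck(bundle, map[string]bool{}, roots)) // one unseen fingerprint: record it, then deploy
}
```

Point CanaryCheck at a freshly renewed fullchain.pem, your root pool and the fingerprints you already ship; deploy only when it returns an empty list and no error.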
I'm curious to know these "historical reasons", because IMO there are no good reasons to do so, historical or not.