Edit: Ping @jsha or @cpu? Half dozen+ people with incomplete chains are suddenly reporting issues at the same time. @jmorahan has the theory that http://cert.int-x3.letsencrypt.org/ redirecting to HTTPS is breaking AIA chasing on major platforms like iOS Chrome because maybe they only support chasing over HTTP. I think he’s probably right.
I like your theory better than mine, and I think you might be right.
Disclaimer: I don’t know Chrome’s code base AT ALL, and maybe it uses a different library on iOS or something. I just went searching for keywords. That said…
// Policy for which URLs are allowed to be fetched. This is called both for the
// initial URL and for each redirect. Returns OK on success or a net error
// code on failure.
Error CanFetchUrl(const GURL& url) {
if (!url.SchemeIs("http"))
return ERR_DISALLOWED_URL_SCHEME;
return OK;
}
That sounds pretty clear…