I am not using the letsencrypt client to get/renew LE certificates, but some self-written scripts. I did not catch the update of the intermediate issuer certificate from X1 to X3, because I hardcoded X1 and needed to update to X3 by hand.
Would it be possible to provide a permanent link to the “current” intermediate issuer certificate and post that on “https://letsencrypt.org/certificates/”, so I will always get the right certificate if my scripts download it from there?
Right now, that URL would be https://acme-v01.api.letsencrypt.org/acme/issuer-cert.
In the future, Let’s Encrypt will use multiple issuer certificates (e.g. for the upcoming ECDSA issuer certificate). This URL is not guaranteed to stay the same.
The correct implementation would be to parse the Link: <url>;rel="up" header the new-cert or cert ACME resource returns, i.e.:
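One way to parse that header and pick out the rel="up" link from a self-written client, as an added example that is not code from this thread; the sample header is constructed, and the example.invalid URL is a placeholder:

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread. Parses an HTTP Link header as
# returned by the ACME new-cert / cert resource and returns the URL whose
# relation is "up", i.e. the intermediate (issuer) certificate that signed
# the leaf. A client that follows this link per certificate never needs to
# hardcode X1 or X3.

# One link-value: <url> followed by zero or more ";param=value" pairs.
# Commas inside quoted parameter values are not handled (not needed here).
LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')

def parse_link_header(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (url, params) pairs from an RFC 8288 style Link header."""
    links = []
    for m in LINK_RE.finditer(header):
        url, raw_params = m.group(1), m.group(2)
        params: Dict[str, str] = {}
        for p in raw_params.split(';'):
            p = p.strip()
            if not p:
                continue
            key, _, val = p.partition('=')
            # parameter names are case-insensitive; strip optional quotes
            params[key.strip().lower()] = val.strip().strip('"')
        links.append((url, params))
    return links

def issuer_cert_url(header: str) -> Optional[str]:
    """Return the rel="up" URL (issuer certificate) or None if absent."""
    for url, params in parse_link_header(header):
        # rel may list several space-separated relation types
        if 'up' in params.get('rel', '').split():
            return url
    return None

# Constructed sample header; the second URL is a placeholder.
CONSTRUCTED_HEADER = (
    '<https://acme-v01.api.letsencrypt.org/acme/issuer-cert>;rel="up", '
    '<https://example.invalid/terms>;rel="terms-of-service"'
)

if __name__ == '__main__':
    print(issuer_cert_url(CONSTRUCTED_HEADER))
```

The returned URL is then fetched for each certificate instead of a fixed issuer-cert URL, so a change of intermediate is picked up automatically.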
However, I always get “/acme/issuer-cert” (which is now X3). Even for my old certificates, which were signed by X1.
Since I am now asking the letsencrypt database, I think it should return the actual intermediate certificate (so X1 or X3) for the certificate with the given serial. Or am I missing something?