Permanent link to "current" issuer certificate?

I am not using the letsencrypt client to get/renew LE certificates, but some self written scripts. I did not catch the update of the intermediate issuer certificate from X1 to X3, because I hardcoded X1 and needed to update to X3 by hand.

Would it be possible to provide a permanent link to the “current” intermediate issuer certificate and post that on “https://letsencrypt.org/certificates/”, so I will always get the right certificate if my scripts download it from there?

Thanks!

Right now, that URL would be https://acme-v01.api.letsencrypt.org/acme/issuer-cert.

In the future, Let’s Encrypt will use multiple issuer certificates (e.g. for the upcoming ECDSA issuer certificate). This URL is not guaranteed to stay the same.

The correct implementation would be to parse the Link: <url>;rel="up" header the new-cert or cert ACME resource returns, i.e.:

curl -i https://acme-v01.api.letsencrypt.org/acme/cert/{serial}
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/pkix-cert
Content-Length: 1317
Link: </acme/issuer-cert>;rel="up"

Thanks for that information. I tried to run the curl command, but got a “malformed” error:

https://acme-v01.api.letsencrypt.org/acme/cert/03:55:15:bb:26:2b:e1:de:ed:b7:f1:13:4b:4f:ae:85:c6:ab

This is the serial from within the cert:

Data:
    Version: 3 (0x2)
    Serial Number:
        03:55:15:bb:26:2b:e1:de:ed:b7:f1:13:4b:4f:ae:85:c6:ab
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
    Validity
        Not Before: Apr 12 14:36:00 2016 GMT
        Not After : Jul 11 14:36:00 2016 GMT

What am I doing wrong?

Thanks for your time!

Try the serial number without colons, i.e.:
https://acme-v01.api.letsencrypt.org/acme/cert/035515bb262be1deedb7f1134b4fae85c6ab

Works. Thanks!

However, I always get “/acme/issuer-cert” (which is now X3), even for my old certificates, which were signed by X1.

Since I am now asking the letsencrypt database, I think it should return the actual intermediate certificate (so X1 or X3) for the certificate with the given serial. Or am I missing something?

Yep, that’s a bug, see:

Here is the code I am using in order to get the intermediate certificate:

# Serial of the issued cert as openssl prints it ("serial=0355..."), no colons
SERIAL=$(openssl x509 -in "$PATH_TO_YOUR_ISSUED_CERT" -serial -noout | awk -F'=' '{print $2}')
# Fetch only the headers of the cert resource and take the target of the rel="up" Link
UP=$(curl -s -D - "https://acme-v01.api.letsencrypt.org/acme/cert/$SERIAL" -o /dev/null \
  | grep -i '^[[:space:]]*Link:.*rel="up"' | awk -F'<' '{print $2}' | awk -F'>' '{print $1}')
# The target may be relative (</acme/issuer-cert>); prefix the API host in that case
case "$UP" in /*) UP="https://acme-v01.api.letsencrypt.org$UP" ;; esac
# The issuer cert is served as DER; convert it to PEM
curl -s "$UP" | openssl x509 -inform der -outform pem -out /tmp/intermediate.pem
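As an added example (not code from the thread or from Let's Encrypt), the same client-side logic in Python: build the /acme/cert/{serial} URL from the serial as openssl prints it (colons stripped), pick the rel="up" link out of the response headers, resolve a relative target, and fetch the issuer certificate as PEM. The ACME base URL is the v01 endpoint from the thread; the response headers used below are constructed sample data.

```python
import re
import ssl
import urllib.request
from urllib.parse import urljoin

ACME_V1 = "https://acme-v01.api.letsencrypt.org"  # endpoint named in the thread

# One link-value of a Link header: <target> followed by ;param=value pairs (RFC 5988 style)
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[A-Za-z0-9*-]+\s*=\s*(?:"[^"]*"|[^;,\s]+)\s*)*)')
_PARAM_RE = re.compile(r';\s*([A-Za-z0-9*-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')


def serial_to_path(openssl_serial):
    """Turn 'serial=03:55:...' or '03:55:...' into the colon-free lowercase hex
    form that /acme/cert/{serial} expects (the form that worked in the thread)."""
    s = openssl_serial.strip().split("=", 1)[-1].replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError("serial is not hex: %r" % openssl_serial)
    return s


def parse_link_header(value):
    """Return [(target, {param: value})] for one Link header value,
    which may carry several comma-separated links."""
    links = []
    for m in _LINK_RE.finditer(value):
        params = {p.group(1).lower(): p.group(2) if p.group(2) is not None else p.group(3)
                  for p in _PARAM_RE.finditer(m.group(2))}
        links.append((m.group(1), params))
    return links


def issuer_url(cert_url, headers):
    """Pick the rel="up" target from (name, value) response headers of GET cert_url.
    A relative target such as </acme/issuer-cert> is resolved against cert_url."""
    for name, value in headers:
        if name.lower() != "link":
            continue
        for target, params in parse_link_header(value):
            if "up" in params.get("rel", "").lower().split():
                return urljoin(cert_url, target)
    raise LookupError('no Link header with rel="up" in response')


def fetch_issuer_pem(openssl_serial, base=ACME_V1):
    """Network path: GET the certificate by serial, follow rel="up", return PEM."""
    cert_url = "%s/acme/cert/%s" % (base, serial_to_path(openssl_serial))
    with urllib.request.urlopen(cert_url) as resp:
        up = issuer_url(cert_url, resp.getheaders())
    with urllib.request.urlopen(up) as resp:  # issuer cert is served as DER
        return ssl.DER_cert_to_PEM_cert(resp.read())
```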