Ah, that's a Windows client. I don't have any experience with it, but I assume it fetches the intermediate properly.
@Osiris It does. When it fetches a cert, it gives me the following:
fullchain.* contains everything I need to bind the proper intermediate at time of download instead of hard coding one.
Just to note, POSH is a PowerShell client - not necessarily Windows. PowerShell can run on Linux too - as it does in my case. The reason I'm using POSH instead of Certbot is because my DNS is in Azure DNS and Certbot doesn't (or didn't when I started automating our certs) support Azure DNS.
Yes, Posh-ACME uses the default ACME offered chain to build the fullchain.* files unless you've used the -PreferredChain param to specify a different one for that order. It also locally caches all offered chains in those chainX.cer files, which allows you to switch which chain you're using without needing to get a new cert. I should really write a wiki guide around that functionality.
Ah, did not know that
PowerShell is awesome and cross-platform (Win, Linux, MacOS) since version 6 which released January 2018. And Posh-ACME works everywhere PowerShell works!
It seems to be lacking from my Gentoo's repository. I'm not that disappointed, as I probably won't like it, as I'm not a big fan of how Microsoft deals with things in general.
It sounds like you haven't been paying attention to how Microsoft deals with things in the past 15 years or so, basically since Ballmer left and was replaced by Satya Nadella. Tons of open source stuff, both releasing software open source and contributing to existing projects. Their entire developer ecosystem is basically open source on GitHub now, taking pull requests and other contributions from everyday folks. Tons of Linux integration, including the ability to run Linux natively on top of Windows. Keep an open mind, friend.
I don't blame you. PowerShell is really nice for things inside the Microsoft ecosystem. I also find it easier to write than bash / python, but that could easily be because I know PowerShell better. My environment was 90+% Windows for a long time. Now it's more 50/50 (5000+ servers), so cross platform really goes a long way. However - PowerShell certainly has its challenges. Given the choice, I'll write C# all day over PowerShell.
I've just tried to issue an LE certificate on staging and it still has a short chain. When can we test it with a long chain? February is coming.
And the second question is about the alternate chain. We've implemented its support in our ACME client (Plesk Let's Encrypt extension) but now it seems unnecessary.
So can we remove this code, or are there plans to use it in the future?
As far as I know, an alternate chain will be offered: the "short" version. But correct me if I'm wrong.
Besides, offering an alternative chain is a capability of the ACME protocol as defined in RFC 8555: why would you remove such a feature if you already developed it? Who knows what happens in the future or with other ACME-using CAs.
why would you remove such a feature if you already developed it?
because it costs something in testing & maintenance, but I agree with you that it could be useful. And maybe some of our clients would like to use this alternate "short" chain.
So I think the second question is solved.
The staging server https://acme-staging-v02.api.letsencrypt.org/directory provides a chain with 1 intermediate certificate.
We will have a chain with 2 intermediate certificates.
Do you have plans to implement issuing chains of fake certificates with the same length on the staging server?
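The two points raised in this thread (that RFC 8555 lets a CA advertise alternate chains via `Link: <url>;rel="alternate"` on the certificate download, which is what Posh-ACME caches as its chainX.cer files, and that a client may want to check how many intermediates a returned chain actually carries when staging and production differ) can be exercised offline. The following is an added example written for this thread, not code from Posh-ACME, the Plesk extension or Let's Encrypt; the URLs, header values and PEM bodies are constructed placeholders, and the network fetch is an injected callable so nothing leaves the machine.

```python
import re
from typing import Callable, List

# Constructed sample of the response headers an ACME server returns when a
# client downloads an issued certificate (RFC 8555 section 7.4.2). The server
# MAY include one or more Link headers with rel="alternate", each pointing at
# an alternative chain that starts with the same end-entity certificate.
# These URLs are placeholders, not real Let's Encrypt endpoints.
SAMPLE_HEADERS = {
    "Content-Type": "application/pem-certificate-chain",
    "Link": (
        '<https://acme.example/directory>;rel="index", '
        '<https://acme.example/acme/cert/abc123/1>;rel="alternate"'
    ),
}

# One Link header may carry several comma-separated link-values; each is
# "<url>" followed by ";param=value" pairs (RFC 8288 syntax).
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^,;]+)*)')


def alternate_chain_urls(link_header: str) -> List[str]:
    """Return every URL whose rel parameter includes 'alternate'."""
    urls = []
    for match in _LINK_RE.finditer(link_header):
        url, params = match.group(1), match.group(2)
        rels = re.findall(r'rel\s*=\s*"?([^";]+)"?', params)
        # A rel value may itself be a space-separated list of relation types.
        if any("alternate" in rel.split() for rel in rels):
            urls.append(url)
    return urls


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def split_pem_chain(pem: str) -> List[str]:
    """Split a PEM bundle into its individual certificate blocks, in order."""
    return _PEM_RE.findall(pem)


def intermediate_count(pem: str) -> int:
    """Number of certificates after the leaf. The ACME download format puts
    the end-entity certificate first, followed by the intermediates; it
    never includes the root. This only counts PEM blocks and does not verify
    signatures; use an X.509 library for real path validation."""
    certs = split_pem_chain(pem)
    if not certs:
        raise ValueError("no certificates in bundle")
    return len(certs) - 1


def collect_offered_chains(
    default_pem: str, link_header: str, fetch: Callable[[str], str]
) -> List[str]:
    """Return [default chain, alternate 1, alternate 2, ...], mirroring a
    client that keeps every offered chain so the operator can switch later
    without re-issuing. `fetch` is injected so the example stays offline."""
    return [default_pem] + [fetch(url) for url in alternate_chain_urls(link_header)]


def _fake_pem(label: str) -> str:
    # Constructed placeholder body; not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


# Constructed bundles shaped like the two cases discussed in the thread:
# a staging-style chain with one intermediate and a production-style chain
# with two.
STAGING_LIKE_CHAIN = _fake_pem("LEAF") + _fake_pem("INTERMEDIATE-1")
PRODUCTION_LIKE_CHAIN = (
    _fake_pem("LEAF") + _fake_pem("INTERMEDIATE-1") + _fake_pem("INTERMEDIATE-2")
)


if __name__ == "__main__":
    print("alternate chain URLs:", alternate_chain_urls(SAMPLE_HEADERS["Link"]))
    chains = collect_offered_chains(
        PRODUCTION_LIKE_CHAIN,
        SAMPLE_HEADERS["Link"],
        fetch=lambda url: STAGING_LIKE_CHAIN,  # stands in for an HTTP GET
    )
    for i, chain in enumerate(chains):
        print(f"chain {i}: {intermediate_count(chain)} intermediate(s)")
```

Running the block prints the one alternate URL and then `2` and `1` intermediates for the default and alternate chains respectively. The point for a client author is that the alternate-chain code path is exercised by headers the server controls, so a test against staging only covers the chain shapes staging happens to offer at that moment.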
See the first reply in this same thread:
Hi @aarongable! Any estimation of when the longer chain will be available on Staging?
Welcome, Yulia! The answer is "Soon™"
Where by "Soon™" I meant "Today"
While I understand not wanting to commit to specific dates (especially when the point of staging is to let you do testing), it may be helpful to those that do regular (including automated) testing against staging to give them a bit more of a heads-up with these kinds of changes.
Yep, this is a completely reasonable stance, but see my reply on this topic here: