Questions re: Extending Android Device Compatibility

@Osiris It does. When it fetches a cert, it gives me the following:

cert.cer
cert.key
cert.pfx
chain0.cer
chain1.cer
chain.cer
fullchain.cer
fullchain.pfx
order.json
request.csr

fullchain.* contains everything I need to bind the proper intermediate at time of download instead of hard coding one.

2 Likes

Just to note, POSH is a Powershell client - not necessarily Windows. Powershell can run on Linux too - as it does in my case. The reason I'm using POSH instead of Certbot is because my DNS is in Azure DNS and Certbot doesn't (or didn't when I started automating our certs) support Azure DNS.

3 Likes

Yes, Posh-ACME uses the default ACME offered chain to build the fullchain.* files unless you've used the -PreferredChain param to specify a different one for that order. It also locally caches all offered chains in those chainX.cer files which allows you to switch which chain you're using without needing to get a new cert. I should really write a wiki guide around that functionality.

4 Likes
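The flow described in the post above, pinning an order to a preferred chain and then checking which root the exported fullchain.cer actually ends at, as an added PowerShell example. This is not code from the thread or from the Posh-ACME project. It assumes Posh-ACME is installed, that the reader fills in the Azure DNS plugin arguments in $azArgs (the exact keys are the plugin's, not shown here), that the certificate object exposes a FullChainFile path, and PowerShell 7.1 or later for X509Certificate2Collection.ImportFromPemFile; the domain and contact values are placeholders.

```powershell
# Added example, not from the thread or the Posh-ACME project.
# Assumptions: Posh-ACME installed; $azArgs filled in from the Azure plugin
# guide; PowerShell 7.1+ so ImportFromPemFile is available on .NET.

Import-Module Posh-ACME

# Work against staging first; switch to LE_PROD once the flow is proven.
Set-PAServer LE_STAGE

$domains   = 'example.com', '*.example.com'      # placeholder names
$contact   = 'admin@example.com'                 # placeholder contact
$preferred = 'ISRG Root X1'                      # issuer CN to prefer
$azArgs    = @{ }                                # fill in per the Azure plugin docs

# Request the cert and pin the order to the preferred chain. Posh-ACME picks the
# offered chain whose top-most issuer CN matches $preferred; if none does, it
# falls back to the CA's default chain, so we verify below rather than trust it.
$cert = New-PACertificate $domains -AcceptTOS -Contact $contact `
            -Plugin Azure -PluginArgs $azArgs -PreferredChain $preferred

# Read every certificate out of a PEM bundle, leaf first, so we can see which
# intermediate(s) were exported and which root the chain terminates at.
function Get-ChainSummary {
    param([Parameter(Mandatory)][string]$PemPath)
    $col = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $col.ImportFromPemFile($PemPath)
    foreach ($c in $col) {
        [pscustomobject]@{
            Subject  = $c.Subject
            Issuer   = $c.Issuer
            NotAfter = $c.NotAfter
        }
    }
}

$chain = Get-ChainSummary -PemPath $cert.FullChainFile
$chain | Format-Table -AutoSize

# The last cert in fullchain.cer is the top-most intermediate; its Issuer is the
# root the chain is built toward. Warn if it is not the one we asked for.
$top = $chain[-1]
if ($top.Issuer -notlike "*CN=$preferred*") {
    Write-Warning "fullchain.cer ends at '$($top.Issuer)', not '$preferred'; the CA may not have offered that chain."
}

# Later, to move the same order to a different chain without re-issuing, use the
# chainX.cer files Posh-ACME already cached. This rewrites chain.* and fullchain.*
# for the current order from the cached copies.
# Set-PAOrder -PreferredChain 'ISRG Root X1'
# Get-ChainSummary -PemPath (Get-PACertificate).FullChainFile | Format-Table -AutoSize
```

The check on the top certificate matters because -PreferredChain is a preference, not a guarantee: if the CA stops offering a chain with that issuer, the export silently falls back to the default chain, and anything that hard-codes an intermediate downstream will break without the request itself failing.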

Ah, did not know that :slight_smile:

2 Likes

PowerShell is awesome and cross-platform (Win, Linux, MacOS) since version 6 which released January 2018. :grin: And Posh-ACME works everywhere PowerShell works!

3 Likes

It seems to be lacking from my Gentoo's repository. I'm not that disappointed, as I probably won't like it, as I'm not a big fan of how Microsoft deals with things in general :wink:

1 Like

It sounds like you haven't been paying attention to how Microsoft deals with things in the past 15 years or so, basically since Ballmer left and was replaced by Satya Nadella. Tons of open source stuff, both releasing software open source and contributing to existing projects. Their entire developer ecosystem is basically open source on Github now taking pull requests and other contributions from everyday folks. Tons of Linux integration including the ability to run Linux natively on top of Windows. Keep an open mind, friend. :grinning:

2 Likes

I don't blame you. Powershell is really nice for things inside the Microsoft ecosystem. I also find it easier to write than bash / python, but that could easily be because I know Powershell better. My environment was 90+% Windows for a long time. Now it's more 50/50 (5000+ servers), so cross platform really goes a long way. However - Powershell certainly has its challenges. Given the choice, I'll write C# all day over Powershell.

2 Likes

Hello.

@aarongable

I've just tried to issue an LE certificate on staging and it still has a short chain. When can we test it with a long chain? February is coming :slight_smile:

And the second question is about the alternate chain. We've implemented its support in our ACME client (Plesk Let's Encrypt extension) but now it seems unnecessary.
So can we remove this code, or are there some plans to use it in the future?

1 Like

As far as I know, an alternate chain will be offered: the "short" version. But correct me if I'm wrong.

Besides, offering an alternative chain is a capability of the ACME protocol as defined in RFC 8555: why would you remove such a feature if you already developed it? Who knows what happens in the future or with other ACME-using CAs.

4 Likes

@Osiris
why would you remove such a feature if you already developed it?

because it costs something in testing & maintenance, but I agree with you that it could be useful. And maybe some of our clients would like to use this alternate "short" chain.
So I think that the second question is solved :slight_smile:

3 Likes

@aarongable,

the staging server https://acme-staging-v02.api.letsencrypt.org/directory provides a chain with 1 intermediate certificate.
According to https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
we will have a chain with 2 intermediate certificates.

Do you have plans to implement issuing chains of fake certificates with the same length on the staging server?

2 Likes

See the first reply in this same thread:

2 Likes