Ready to test shortest ECDSA only ISRG Root X2

saudiqbal · June 6, 2024, 3:07pm

Reinstalled acme.sh and ready to test the new short chain on a fresh new account. I will test in a couple of hours.

griffin · June 6, 2024, 3:08pm

Keep in mind the chain service changes that will be happening today.

saudiqbal · June 6, 2024, 3:25pm

Yes, like I said I will be testing the shortest X2 chain without being on the allow list. I deleted the account folder and requesting a new shortest chain certificate using acme.sh --issue ... --preferred-chain "ISRG Root X2" --keylength ec-256

aarongable · June 6, 2024, 4:25pm

Sweet, let us know how it goes! We'll be posting in the announcement thread as soon as the new intermediates and chains are live.

saudiqbal · June 6, 2024, 6:03pm

Is it ready to request from X2 only chain?

Osiris · June 6, 2024, 6:08pm

Have you seen an announcement thread yet? No? Then it's not yet ready.

petercooperjr · June 6, 2024, 6:10pm

Well, it was just announced, and it looks like E5 is issuing now (and E6 too, of course).

Nummer378 · June 6, 2024, 6:14pm

‎‎‎‎‎‎

Osiris · June 6, 2024, 6:17pm

Crap, I should have made a for loop issuing certs until one came back with E5 or E6 as issuer so I could have said "FIRST!"

Anyway, no announcement yet, but surely it'll come soon

saudiqbal · June 6, 2024, 6:18pm

Looks like I have X2 - E5 - leaf certificate.

aarongable · June 6, 2024, 6:21pm

Our Root X2 test websites (e.g. valid-isrgrootx2.letsencrypt.org) are also now serving the EE <- E5/6 <- X2 chain.

Osiris · June 6, 2024, 6:22pm

Congrats. 50 % chance! (Probably.)

jkauffman · June 6, 2024, 6:32pm

Have you stopped using the IRSG Domain Validated OID (1.3.6.1.4.1.44947.1.1.1) in the Certificate Policies extension for the intermediate certs? This used to be set on the R3 intermediate. In a previous discussion I understood that this certificate policy would not be set on the requested certificates, but it would always be set on at least one CA in the chain.

Nummer378 · June 6, 2024, 6:39pm

This was announced back in Dec 2023 that the new intermediates would not contain additional policy OIDs (Let's Encrypt New Intermediate Certificates).

saudiqbal · June 6, 2024, 6:39pm

Everything is working fine now, got the shortest ECDSA chain from X2.

Thanks for everything.

jkauffman · June 6, 2024, 6:41pm

OK, thanks, I must have missed that one.

saudiqbal · June 6, 2024, 6:45pm

It is crt.sh | saudiqbal.com

saudiqbal · June 6, 2024, 8:52pm

Forgot to mention that thanks for supporting IPv6 only DNS servers for validating dns-01 challenge.

system · July 6, 2024, 8:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I get the shortest ISRG Root X2 ECDSA chain now Help	31	1863	September 12, 2023
Shortening the Let's Encrypt Chain of Trust API Announcements	9	8744	September 30, 2024
I can't get the ISRG Root X2 certificate now Help	9	2567	May 5, 2023
ECDSA returning X1 rather than X2 chain? Issuance Tech	8	722	August 12, 2022
Questions regarding "Shortening the Let's Encrypt Chain of Trust" Help	92	6923	June 10, 2024

Ready to test shortest ECDSA only ISRG Root X2

Related topics