We’re currently trying to upgrade to v1.2 of https://github.com/go-acme/lego to migrate from ACMEv1 to ACMEv2.
When we try to upload the certificates to AWS ACM, we get an error from trying to upload 2 certificates in the “certificate” field.
I have confirmed that when we request a certificate from Let’s Encrypt we’re receiving 2, where we previously received 1.
Is this a change from ACMEv1 vs ACMEv2? Or is this something related to the library we’re using? Let me know if I can provide more information.
The second certificate is probably the appropriate intermediate certificate. Can you check by copying and pasting it into a file and examining it with a parser like openssl x509?
If I remember correctly, the v1 “download the certificate” API call just gives you the leaf certificate (with the intermediate referenced via a Link header or something); to give people what they usually need in the simplest manner, the standard v2 API returns the leaf certificate and intermediate(s) all at once. You have to parse the output to separate them.
I would have assumed that lego handled this more smoothly…
Thanks for the response! Yeah, it looks like the second certificate is the intermediate certificate. Is the leaf certificate always the first certificate returned?
I thought it would have as well. It’s possible it does in later versions? We’re currently trying to use an earlier version (1.2) to avoid API changes for the moment. But 1.0 was made to handle ACMEv2 so I’m surprised this is an issue.
In order to provide easy interoperation with TLS, the first certificate MUST be an end-entity certificate. Each following certificate SHOULD directly certify the one preceding it.
