Request for Official Ongoingly-Updated Issuance Chain Topic

@lestaff

For the sanity of us all, it would be really nice to have a topic maintained by the Let's Encrypt staff that only explicitly indicates the current issuance chains for all intermediate certificates. This would consolidate the state of affairs in one place. It could also/instead be on the Chain of Trust page (though I feel that might make things more confusing given the structure and implications of meaning/timing conveyed by that page).

Hi Griffin,

Out of curiosity, what isn't on the page on the website that you would like to see? From my standpoint it would be really nice to have one place to update but if there is a need to go deeper somewhere and we don't want it to be the page on the website, happy to entertain that!

Best,
JP

Good to hear from you @jple. Hope you're having a lovely Friday.

The page indicates upcoming information and doesn't explicitly state the current primary chain and alternate chain issuance paths.

I'd like a topic I can simply tag that gives the current operations of Boulder.

Something like:

Primary RSA Chain

• leaf
• R3
• DST Root CA X3

Alternate RSA Chain

• leaf
• R3
• ISRG Root X1

etc.

I believe you can get this from the API, which IMO is the best and most up-to-date place to get it. Would it be helpful if we put, toward the top of that Chain of Trust page, the way to find it there?

Again, not trying to shoot down ideas, just trying to figure out a way to get the best and most accurate information out to our community without having to manually update things!!

How would one, out of curiosity, get the chain info from the API without actually issuing a certificate?

Also, it's possible to ask the API for different chains when requesting a certificate. If you don't know which chains are possible, you don't know which chain to request to begin with.

I think what we need (whether on the forum or in the docs or something) is the clear timeline of when what is changing. With ECDSA issuance, DST Root's expiration, and alternate chains, it's gotten a little hard to follow. Something like the following (hoping I got it right):

Through May 3

For RSA and almost all EDCSA leaf certificates:

• Default chain: Leaf ← R3 ← DST Root CA X3
• Alternate chain: Leaf ← R3 ← ISRG Root X1

For ECDSA leaf certificates from accounts participating in the limited-availability testing:

• Default chain: Leaf ← E1 ← ISRG Root X2 ← ISRG Root X1
• No alternate chain is available.

Starting May 4

See for more details on this change:

For RSA and almost all EDCSA leaf certificates:

• Default chain: Leaf ← R3 ← ISRG Root X1 ← DST Root CA X3
• Alternate chain: Leaf ← R3 ← ISRG Root X1

For ECDSA leaf certificates from accounts participating in the limited-availability testing:

• Default chain: Leaf ← E1 ← ISRG Root X2 ← ISRG Root X1
• No alternate chain is available.

At some future point not yet decided:

This change is currently only in staging. No release date for production is yet available.

For information on testing this change in staging:

For RSA leaf certificates:

• Default chain: Leaf ← R3 ← ISRG Root X1 ← DST Root CA X3
• Alternate chain: Leaf ← R3 ← ISRG Root X1

For all ECDSA leaf certificates

• Default chain: Leaf ← E1 ← ISRG Root X2 ← ISRG Root X1
• No alternate chain is available.

I agree that manual updates aren't fun (and are error-prone). Honestly, anywhere that we can put a URL to information that the average help-seeker can comprehend is fine. Obviously, it being searchable via search engines is immensely helpful.

Exactly my thoughts.

That's a great extension of what I'm asking for (though it might require commitments that might make things difficult).

I thought there was a way but I'm on the comms team, so checking. Sorry!! Will figure out if there's a call we can make.

If not I definitely want to have one point of truth and could go either direction of it being the website or the community forum. Let me do some thinking on it before I am like "yes we should absolutely do this," can I think about it over the weekend?

I think we definitely need something that says the chains and what is changing when in simple form like what @petercooperjr suggested.

Let me figure out the hairy comms between the website and forum over the weekend and I'll present something y'alls way next week. I know we are crunched on time since changes are coming soon.

Thanks for the feedback!

You are spot on. I don't want to use a to help people.

As far as I know, there's no such feature in Boulder. (At least I don't know it and a quick Google search didn't find it.)

It would be really great if one could just query, for example, https://acme-v02.api.letsencrypt.org/acme/chains which would output a JSON object with the possible chain options and a tag for the default one.

Agreed. Regardless, knowing what chains are coming up and when is helpful too. And having one source of truth for that.

@jple

We'll give ya the time, of course.

This thread might extend to the giant's castle in the sky by then.

True, having upcoming chains documented somewhere on a central page would be great too!

One problem I think is that what we're looking for is really the combination of the Chain of Trust (showing all the intermediates and roots) and the API Announcements forum (showing what upcoming changes are). Perhaps the Chain of Trust page needs more info on what the upcoming changes are, and what the alternate chains are?

In terms of an API to find the chains that are available, I think that's the machine-readable view of the Chain of Trust page that's been proposed.

Even that, though, may not easily cover "what changes are coming" and "what's in staging so I can test"?

Preferably in easy to understand graphs!

All I ask is that it be up to date and easily linkable and digestible for reference when helping people.

I thought y'all might appreciate this, the few folks who have written back go directly to the ACME client page for help: https://twitter.com/letsencrypt/status/1385650678014611456?s=19

Which makes a lot of sense! But also adds another whole complexity to this conversation. What's the best way to make sure our ACME client creators know about changes and update their documentation? (Not a rhetorical question, genuinely wondering where you as creators look for information on changes)

By posting it in an obvious, official place, IMO. You all are the veritable "horse's mouth".