Just issued my first cert(s) with official chain support in certonly mode, and things work great – just had to re-issue three times to find out how to specify the --rsa-key-size. Local deployment is manual through some local Makefiles, down to creating the proper intermediate and OCSP Stapling chains on my own.
I see that the currently resulting LE output files miss two features:
- The root CA’s pem is missing from the live/ directory where the key and all other certs are stored. For a legacy HTTPS server deployment, the root CA is not needed (actually it would be wrong to send it as part of the chain), but for OCSP Stapling it is vital for it to be part of a separate full CA chain file (ssl_trusted_certificate). Without the file in place, it’s a nice game to search for the actual required root CA certificate. Searched and found this list of LE certificates, but the actual DST root CA is not properly served on this page, nor in this post with similar links. The only thing available is a link to IdenTrust with a very awkward display of their certificate. It’s ridiculous to have this link as the only source of the root CA certificate – consider scripting. It’s a shame that IdenTrust makes a game out of it through their silly ‘download’ page instead of supporting a direct download link for the PEM file.
However, it seems as if the certificate is part of every well-equipped /etc/ssl/certs/ folder; on my server it can be found as /etc/ssl/certs/DST_Root_CA_X3.pem, which comes as no surprise actually, but it’s not great to require this manual investigation.
- The official, main route to the ISRG Root X1 (SHA1 fingerprint cabd2a79a1076a31f21d253635cb039d4329a5e8) is not offered yet; the respective intermediate cert for the Let’s Encrypt Authority X1 (SHA1 fingerprint e045a5a959f42780fa5bd7623512af276cf42f20) is missing from the installed fullchain.pem. I’d have expected that the only missing move before LE-signed servers would be served through ISRG Root X1 was the inclusion of the new ISRG Root X1 certificate in the browsers. If the e045a5… cert were already part of the chain of every deployed server, all users could automatically authenticate this certificate chain with the new root CA as soon as they update the browser to the supporting release.
(btw, what does an OCSP Stapling setup look like with cross-signed roots? Would I include both roots in the ssl_trusted_certificate pem file or just rely on the fallback IdenTrust root?)
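The manual step the post describes, locating the root CA that fullchain.pem stops short of and assembling the separate CA chain file for ssl_trusted_certificate, as an added example that is not part of the original post or of the Let’s Encrypt client. It generates a throwaway root / intermediate / leaf PKI with openssl (all names constructed: "Demo Root", "Demo Intermediate", demo.example) instead of touching real certificates, builds a fullchain.pem the way the live/ directory holds it, and then searches a CA directory the way one would search /etc/ssl/certs: it matches the top intermediate's issuer hash against each candidate's subject hash and, because a matching name is not proof, only accepts a candidate whose key actually verifies the intermediate's signature (the store deliberately contains a decoy self-signed cert with the same subject name). The function names make_demo_pki, build_trusted_chain and sha1_fingerprint are mine; sha1_fingerprint prints the lowercase, colon-free form used in the post.

```shell
#!/bin/sh
# Assemble the separate CA chain file (ssl_trusted_certificate) that OCSP
# stapling needs, from certbot's fullchain.pem (leaf + intermediates) and a
# directory of CA certificates such as /etc/ssl/certs. Constructed demo: the
# PKI is generated on the fly into a temp directory.
set -e

# sha1_fingerprint CERT -> lowercase hex without colons (e.g. cabd2a79...)
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# build_trusted_chain FULLCHAIN CA_DIR OUT
# Writes the CA certs of FULLCHAIN (everything but the leaf) followed by the
# root from CA_DIR that issued the topmost one. A candidate root must carry
# the issuer's subject name AND verify the top cert's signature; a name match
# alone is not trusted. Returns 1 if no root in CA_DIR fits.
build_trusted_chain() {
    fc=$1; cadir=$2; out=$3
    tmp=$(mktemp -d)
    # one file per certificate, numbered in chain order: 1.pem is the leaf
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (d "/" n ".pem")}' "$fc"
    n=$(grep -c 'BEGIN CERTIFICATE' "$fc")
    top="$tmp/$n.pem"
    want=$(openssl x509 -in "$top" -noout -issuer_hash)      # same hash /etc/ssl/certs symlinks use
    root=""
    for cand in "$cadir"/*.pem; do
        [ "$(openssl x509 -in "$cand" -noout -subject_hash 2>/dev/null)" = "$want" ] || continue
        if openssl verify -CAfile "$cand" "$top" >/dev/null 2>&1; then root=$cand; break; fi
    done
    if [ -z "$root" ]; then rm -rf "$tmp"; return 1; fi
    : > "$out"
    i=2                                   # skip the leaf: only CA certs belong in the trusted file
    while [ "$i" -le "$n" ]; do cat "$tmp/$i.pem" >> "$out"; i=$((i + 1)); done
    cat "$root" >> "$out"
    rm -rf "$tmp"
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf, plus a CA store
# holding the real root and a decoy self-signed cert with the same subject.
make_demo_pki() {
    d=$1
    mkdir -p "$d/ca_store"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=Demo Root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=demo.example' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"       # what the live/ directory holds
    cp "$d/root.pem" "$d/ca_store/real_root.pem"
    # decoy: same subject name, different key; sorts first so it is tried first
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=Demo Root' -keyout "$d/decoy.key" -out "$d/ca_store/a_decoy.pem" 2>/dev/null
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
build_trusted_chain "$DEMO/fullchain.pem" "$DEMO/ca_store" "$DEMO/trusted.pem"
echo "root used (sha1): $(sha1_fingerprint "$DEMO/root.pem")"
echo "trusted.pem holds $(grep -c 'BEGIN CERTIFICATE' "$DEMO/trusted.pem") CA certificates"
```

Against a real deployment the same build_trusted_chain call would take the live/ fullchain.pem and /etc/ssl/certs as the CA directory; the trusted file written this way holds only CA certificates (intermediates, then root), which is what the stapling verifier needs, and the leaf stays in the file the server actually sends.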