Use shorter alternative chain better for letsencrypt API itself

currently LE api endpoints are serve the default chain (leaf-R3-ISRG(crosssign)-DST)

openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

while we made long chain by default for support older android in expense of older openssl clients, but as acme-v02.api.letsencrypt.org is not for human and it's pretty sure it will see more openssl <1.0.2 client (like centos 7) then people view it on their old android phone, so the are better serve short chain (without cross-sign)

They've said that's the plan.

But they haven't (that I've seen) established a timeline for it. (Though I did ask here a while back about it.)

isn't tomorrow's maintenance is last one before DST x3 expiration? next Thursday will be Sep 30 22:00 UTC so it'll be already expired for 12 hours
(now sure how much 12 hour delay would actually matter)

Looks like they've made the switch yesterday.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.