Use the shorter alternative chain for the letsencrypt API itself

Currently the LE API endpoints serve the default chain (leaf-R3-ISRG(cross-sign)-DST):

openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

While we made the long chain the default to support older Android at the expense of older OpenSSL clients, acme-v02.api.letsencrypt.org is not for humans, and it's pretty certain it will see more OpenSSL <1.0.2 clients (like CentOS 7) than people viewing it on their old Android phones, so it would be better served with the short chain (without the cross-sign).

5 Likes
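As an added illustration (not part of the thread), a simplified path-building model of why the cross-signed default chain fails on OpenSSL < 1.0.2 once DST Root CA X3 has expired, while the short chain verifies on both old and new clients. The certificate names come from the s_client output above; the expiry dates and the verify() model are constructed assumptions, not OpenSSL's actual code.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry dates below are constructed approximations


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Names taken from the s_client output quoted in the first post.
LEAF = Cert("acme-v01.api.letsencrypt.org", "R3", utc(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed copy
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))      # self-signed root
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))    # expires Sep 30 2021

DEFAULT_CHAIN = [LEAF, R3, ISRG_CROSS]  # leaf-R3-ISRG(cross-sign), chains up to DST
SHORT_CHAIN = [LEAF, R3]                # leaf-R3, root taken from the client's trust store
TRUST_STORE = {c.subject: c for c in (ISRG_SELF, DST_X3)}  # client has both roots


def verify(chain, trust_store, now, trusted_first):
    """Simplified path building. trusted_first=False mimics OpenSSL < 1.0.2, which
    follows the server-sent chain before consulting the trust store; trusted_first=True
    mimics modern OpenSSL (X509_V_FLAG_TRUSTED_FIRST), which prefers a trusted root
    whenever one matches the issuer name. Returns (ok, path_subjects, reason)."""
    sent = {c.subject: c for c in chain[1:]}
    path = [chain[0]]
    while True:
        cur = path[-1]
        if cur.not_after < now:
            return False, [c.subject for c in path], f"{cur.subject} expired"
        if cur.issuer == cur.subject and cur.subject in trust_store:
            return True, [c.subject for c in path], "chains to trusted root"
        root, inter = trust_store.get(cur.issuer), sent.get(cur.issuer)
        nxt = (root or inter) if trusted_first else (inter or root)
        if nxt is None or nxt in path:
            return False, [c.subject for c in path], f"no issuer for {cur.subject}"
        path.append(nxt)


if __name__ == "__main__":
    now = utc(2021, 10, 1)  # the day after DST Root CA X3 expiry
    for name, chain in (("default", DEFAULT_CHAIN), ("short", SHORT_CHAIN)):
        for old in (True, False):
            print(name, "old-openssl" if old else "modern", verify(chain, TRUST_STORE, now, not old))
```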

They've said that's the plan.

But they haven't (that I've seen) established a timeline for it. (Though I did ask here a while back about it.)

1 Like

Isn't tomorrow's maintenance the last one before the DST X3 expiration? Next Thursday will be Sep 30 22:00 UTC, so it'll already have been expired for 12 hours.
(not sure how much a 12-hour delay would actually matter)

1 Like

Looks like they've made the switch yesterday.

6 Likes
