breard-r/acmed

Feature request: Auto-download intermediates

dbrgn opened this issue · 5 comments

dbrgn commented

Dehydrated automatically fetches intermediate certificates by walking up the chain:

https://github.com/dehydrated-io/dehydrated/blob/dc552c602eca94737b66e62f4c4087a4e8f251e4/dehydrated#L921-L958

From this, a fullchain.pem is generated for every issued certificate.

Could something like this be implemented for acmed as well, maybe as a default hook?

dbrgn commented

What I'm using right now:

[[hook]]
name = "build-fullchain"
# run after acmed writes or updates a certificate file
type = ["file-post-create", "file-post-edit"]
# concatenate the freshly written certificate with a locally stored intermediate
cmd = "cat"
args = ["{{file_path}}", "/etc/acmed/cert.int-x3.letsencrypt.org.pem"]
# write the result next to the certificate as <name>.chain.pem
stdout = "{{file_directory}}/{{file_name}}.chain.pem"

...however, the intermediate is static.

Downloading the full certificate chain is already the default behavior; you don't need to manually include any intermediate certificate. In RFC 8555, this is specified in section 7.4.2 and section 9.1. However, you are right to bring up this topic, since I forgot to explicitly set the Accept HTTP header to application/pem-certificate-chain. But please note that it will not be fixed quickly, since I am currently doing a quite heavy refactoring of both the HTTP and the threading parts in order to remove the nasty coupling between these two.

I don't know much about Dehydrated's internals, but I really would like to hear more about the rationale behind this walk_chain function.

dbrgn commented

Ah, you are right, appending the intermediate does not seem to be necessary 🙂 I just assumed it was because Dehydrated creates these files.

It might be required in cases where the server does not automatically return the proper certificate chain, but in the case of Nginx that seems to be handled automatically.

> It might be required in cases where the server does not automatically return the proper certificate chain, but in the case of Nginx that seems to be handled automatically.

That would be an issue with the server, not the client. For "exotic" cases, I think a solution based on a hook, like you did, is the way to go.

After a long and motivation-less refactoring work, the missing Accept HTTP header with the application/pem-certificate-chain value has finally been added in 26ce6fd. I guess I can close this issue now.

dbrgn commented

Thank you!