Alternate chain X1
DavidFromNL opened this issue · 3 comments
Would it be possible to look into implementing alternate trust paths please? Last week Let's Encrypt's DST Root CA X3 expired, causing a lot of trouble for older SSL implementations, especially on servers. There's a really easy fix available: using an alternate trust path. While this breaks Android 4 trust it fixes trust for OpenSSL/LibreSSL.
When you download the certificates in the last step, the ACME server may provide a header in this format:
link: <https://acme-v02.api.letsencrypt.org/acme/cert/0123456789abcdef0123456789abcdef/1>;rel="alternate"
That is the link to an alternative trust path that a sysadmin may choose to use instead of the default path.
Resources:
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
I created a quick and dirty fix that suits my needs, but it would be great if this were a supported feature.
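The Link header handling described above, as an added Python example that is not part of this issue or of the client it discusses: it collects every rel="alternate" URL from the certificate download response (RFC 8288 syntax, which wraps the URI in angle brackets) and then picks, from the default chain and the downloaded alternates, the one whose last certificate matches a fingerprint the operator pinned in advance, rather than trusting a root name string. The header values, PEM chains and URLs are constructed samples.

```python
import base64
import hashlib
import re
from urllib.parse import urljoin

# RFC 8288 Link syntax as Let's Encrypt sends it: <URI>;rel="alternate"
# (several links may share one header value, separated by commas)
_LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')
_PEM_RE = re.compile(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)

def alternate_chain_urls(headers, request_url):
    """All rel="alternate" URLs from the Link header(s) of the certificate
    download response. headers: list of (name, value); relative URIs are
    resolved against the URL the default chain was downloaded from."""
    urls = []
    for name, value in headers:
        if name.lower() != 'link':
            continue
        for m in _LINK_RE.finditer(value):
            params = {}
            for p in m.group(2).split(';'):
                if '=' in p:
                    k, v = p.strip().split('=', 1)
                    params[k.strip().lower()] = v.strip().strip('"')
            if 'alternate' in params.get('rel', '').lower().split():
                urls.append(urljoin(request_url, m.group(1)))
    return urls

def cert_fingerprint(pem):
    """SHA-256 (hex) over the DER of one certificate; no crypto library needed."""
    b64 = ''.join(l.strip() for l in pem.splitlines() if not l.startswith('-----'))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def select_chain(default_pem, alternates, pinned_fp):
    """Pick the chain whose last certificate carries the fingerprint the operator
    pinned (e.g. the intermediate issued by the root they want). alternates maps
    URL -> PEM. A candidate must contain the same leaf as the default chain;
    if nothing matches, fall back to the default chain as the issue does."""
    leaf = _PEM_RE.findall(default_pem)[0].split()
    for label, pem in [('default', default_pem)] + list(alternates.items()):
        certs = _PEM_RE.findall(pem)
        if certs and certs[0].split() == leaf and cert_fingerprint(certs[-1]) == pinned_fp:
            return label, pem
    return 'default', default_pem

def make_pem(*bodies):
    """Constructed placeholder chain for the demo; real chains carry DER certs."""
    return ''.join('-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n'
                   % base64.b64encode(b).decode() for b in bodies)
```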
Thanks for your feedback!
I added a new method getCertificateChains to get an array of all chains.
Currently you can find the modification in the alternate_chains branch. I'm going to merge it into master soon, when testing is complete.
Usage:
$ret=$ac->getCertificateChains('file://'.'cert_private_key.pem',$domain_config,$handler);
if (isset($ret['ISRG Root X1'])){ // use alternate chain 'ISRG Root X1'
    file_put_contents('fullchain.pem',$ret['ISRG Root X1']);
}else{ // use default chain if 'ISRG Root X1' is not present
    file_put_contents('fullchain.pem',reset($ret));
}
Update: Version 3.1.0 has been released, which now contains the new method!
Awesome! Thanks for this work!