Add alternate chains of varying path length #318
Comments
|
I don't think this should be limited to strict mode, but it should be available always. For backwards compatibility, it should require explicit enabling though. |
|
No client I've seen has handled this properly, until Certbot recently merged this PR (from @alexzorin of all people!) https://github.com/certbot/certbot/pull/7877/files For lack of time to properly handle this on my client, I just "do whatever certbot does". The best-case typical client will correctly pull out the first cert... but then group all subsequent certs together into a "fullchain". this is somewhat correct - most systems should handle this fine - however it does not differentiate between the discrete certs in the fullchain component. (i.e. they always generates a 2 item chain; if there is one upchain cert then we see However... many clients just use regex or string splits, and pull out the 1st and 2nd items from the result. |
|
Feedback welcome in #320! |
|
@jvanasco I really wonder why no other client bothered to implement that, since it was pretty obvious from the RFC that this could happen. (I did implement it for my client, and the PR finally showed that the code I wrote actually works in real life ;) ) |
This commit adds a way to control how long the certificate issuance chains that Pebble uses are. The default and minimum value of 1 means that there is one intermediate certificate in the final certificate chain. Fixes #318. The resulting certificate chain (at a value of `2`) looks like this: $ cat b.pem | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout subject=CN = xfoobazx.com issuer=CN = Pebble Intermediate CA 2f1dd1 subject=CN = Pebble Intermediate CA 2f1dd1 issuer=CN = Pebble Intermediate CA 5a564f subject=CN = Pebble Intermediate CA 5a564f issuer=CN = Pebble Root CA 0335fe The change is a little bit awkward because Pebble has been, in parts, written with an assumption about there being one intermediate. The additional intermediates are not exposed via the management interface. It might be possible to make a non-breaking change to `:15000/intermediate-keys/`, but I haven't been able to think of a use-case for exposing them.
@jvanasco suggests in this forum post that ACME clients might not be able to handle downloading a certificate chain that is longer than just end-entity+issuer.
We could add this variation to strict mode.
These chains do happen in real life (check what certificates are sent by
gogetssl.comfor example) and since pretty much the entire point of Pebble is to be a stickler for the rules, I think it should be added.The text was updated successfully, but these errors were encountered: