mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-01-11 22:30:44 +01:00
Make the intermediate certificate available again #191
Originally created by @txr13 on GitHub (Jan 30, 2017).
If I'm reading this correctly, I believe commit 6a32f20e00 now creates chain.pem as (intermediate + root) and fullchain.pem as (cert + intermediate + root)? If that's correct, then I would like to request that the intermediate certificate be output separately. When I upload chained certificate files, I need the intermediate certificate far more often than I need the root certificate. Some tools (such as the Qualys SSL server test) throw a warning about configuration when the root certificate is included in the bundle, since the expectation is that the trusting party should have the root already in their trust store. For similar reasons, I have often needed to upload the LE intermediate certificate as a separate file (for applications which don't support chained certificates), but I've never had to upload the root.
Having the intermediate certificate available would allow me to do a partial chain of (cert + intermediate) or access the intermediate separately as needed. (This was the previous behavior of the "fullchain" and "chain" files. I can replicate the partial chain easily enough through hooks or other scripts, as long as the intermediate is available in some form.)
@lukas2511 commented on GitHub (Jan 30, 2017):
Yea I guess having the root cert in the chain is kinda redundant (but only redundant, this shouldn't break anything). I'll have to figure out a nice way to detect it being the root cert and excluding it from the chain. I basically wanted this new "walk" functionality so that stuff doesn't break if Let's Encrypt ever reorganizes their internal CA structure.
@txr13 commented on GitHub (Jan 30, 2017):
I agree that the new "walk" function is a useful addition. And if LE ever reorganized such that there were multiple intermediate certs to include, then it would change the parsing needs dramatically.
There's already a test for issuer_cert_uri, and a null result indicates we're done parsing the chain. So if we receive a null result for issuer_cert_uri, we can write out the current certificate as root.pem. As we return from our recursion, we could write out the successive certs as intermediate1.pem, intermediate2.pem, etc. Once we returned from the walk, we'd have the whole chain as root -> intermediate1 -> ... -> intermediateX -> issued cert. (Though of course, the fullchain file itself would go in reverse order!)
The fullchain file can still point to the whole bundle, root included. But that way we have the intermediates available separately (and the root, too!) for whatever needs we may have... and it should be future-proof in case of CA structure change. I'm totally cool with extending my own scripts to create my own certificate chain files out of the various bits and pieces.
@lukas2511 commented on GitHub (Jan 30, 2017):
This should do the trick: ee65261ea8
Writing each intermediate certificate to a file doesn't seem useful for me, with this change it just stops when it detects the root of the chain.
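The split the thread settles on, as an added bash example (not dehydrated's own code): take a bundle that still ends in the root (cert + intermediate(s) + root), recognise the root the way the chain walk stops (a certificate whose issuer equals its subject) and write cert.pem, chain.pem with intermediates only, root.pem, and a fullchain.pem without the root. It assumes openssl is on PATH; the test chain, names, and the helper functions are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not dehydrated's own code. The root is detected as a
# self-signed certificate: OpenSSL's subject_hash equals its issuer_hash.
# Assumes a working openssl binary (1.1.1 or 3.x) on PATH.
set -euo pipefail

# split_bundle BUNDLE OUTDIR: writes cert.pem (leaf), chain.pem (intermediates
# only), root.pem and fullchain.pem (cert + intermediates). Prints the count.
split_bundle() {
  local bundle="$1" outdir="$2" pem="" line idx=0 intermediates=0
  mkdir -p "$outdir"
  : > "$outdir/chain.pem"
  while IFS= read -r line || [[ -n "$line" ]]; do
    pem+="$line"$'\n'
    [[ "$line" == "-----END CERTIFICATE-----" ]] || continue
    # Equal name hashes mean the certificate issued itself: that is the root.
    if [[ "$(printf '%s' "$pem" | openssl x509 -noout -subject_hash)" == \
          "$(printf '%s' "$pem" | openssl x509 -noout -issuer_hash)" ]]; then
      printf '%s' "$pem" > "$outdir/root.pem"
    elif (( idx == 0 )); then
      printf '%s' "$pem" > "$outdir/cert.pem"      # first block is the leaf
    else
      printf '%s' "$pem" >> "$outdir/chain.pem"    # anything else: intermediate
      intermediates=$((intermediates + 1))
    fi
    idx=$((idx + 1)); pem=""
  done < "$bundle"
  cat "$outdir/cert.pem" "$outdir/chain.pem" > "$outdir/fullchain.pem"
  echo "$intermediates"
}

# make_test_chain DIR: constructed root -> intermediate -> leaf chain, bundled
# leaf-first with the root appended, i.e. the layout the thread complains about.
make_test_chain() {
  local d="$1" ec="ec -pkeyopt ec_paramgen_curve:prime256v1"
  openssl req -x509 -newkey $ec -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Example Test Root" -days 1 2>/dev/null
  openssl req -newkey $ec -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.pem" -days 1 2>/dev/null
  openssl req -newkey $ec -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}
```

A cross-signed root (one whose issuer is a different CA) is not self-signed, so it lands in chain.pem as an intermediate, which is exactly what a relying party without the newer root needs.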