Add an option to keep using the old IdenTrust cross-signed intermediate certificate until 2021 #408

Closed
opened 2025-12-29 01:24:33 +01:00 by adam · 4 comments

Originally created by @sekrause on GitHub (Apr 17, 2019).

Let's Encrypt [has announced](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) that they will change the default intermediate certificate via ACME to their own ISRG Root X1 certificate on July 8, 2019. There is a high chance that a lot of somewhat older clients will fail with the new intermediate ([Microsoft has only added the new root cert in 2018](https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html); overall support for the new root cert is a bit unclear to me, [this compatibility list](https://letsencrypt.org/docs/certificate-compatibility/) seems to be talking about the supported algorithms and not the supported root cert).

`dehydrated` could provide a new option `--legacy-chain` that forces the old intermediate certificate (the cross-signed cert from IdenTrust) for the foreseeable future so that we can keep better support for legacy clients.

This option should automatically switch to the new chain maybe 30 days before the old intermediate certificate expires, which would currently be early 2021.
adam closed this issue 2025-12-29 01:24:33 +01:00

@lukas2511 commented on GitHub (Apr 23, 2019):

I'm not entirely sure how this can be done, is it just a different certificate in the chain or is there some parameter for the api? If it's a different certificate that just has to be appended to the chain I'm not entirely sure that I'd want to implement this in dehydrated itself, this could easily be done with a simple hook-script.


@sekrause commented on GitHub (Apr 24, 2019):

As far as I know it indeed seems to be just using the old intermediate certificate (the old and new one use the same private key, so they are interchangeable). I'll look into the hook option.


@sekrause commented on GitHub (Apr 24, 2019):

So this is the hook I came up with. You have to save the old intermediate certificate from https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt into the file `oldchain.pem` in the same directory as your hook script.

This hook will then create a file `oldfullchain.pem` in your certs directory which you can configure into nginx etc.

After December 1st 2020 (a bit more than 3 months before the expiration date of the old intermediate certificate) this hook will automatically switch to the new intermediate certificate just in case you forget to update your configuration.

```bash
deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

    # Directory of this hook script; oldchain.pem (the IdenTrust cross-signed
    # intermediate) is expected to sit next to it.
    local SCRIPT=$(readlink -f "$0")
    local SCRIPTPATH=$(dirname "$SCRIPT")

    # Cut-off for the legacy chain, a bit more than three months before the old
    # intermediate expires. `date -d` is GNU date syntax.
    local TODAY=$(date +%s)
    local ENDDATE=$(date -d 2020-12-01 +%s)
    local FULLCHAINDIR=$(dirname "$FULLCHAINFILE")

    if [ "$TODAY" -lt "$ENDDATE" ];
    then
        # Leaf certificate followed by the old cross-signed intermediate.
        cat "$CERTFILE" "$SCRIPTPATH/oldchain.pem" > "$FULLCHAINDIR/oldfullchain.pem"
    else
        # Past the cut-off: use whatever chain the ACME server delivered.
        cat "$CERTFILE" "$CHAINFILE" > "$FULLCHAINDIR/oldfullchain.pem"
    fi
}
```
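The claim two comments up that the old and new intermediates share one key, and the hook above that swaps one for the other, are easiest to reason about with a toy cross-sign. The script below is an added example, not code from the dehydrated project or from anyone in this thread: it builds two unrelated roots, signs one intermediate key with each of them, checks that the two intermediate certificates carry the same public key, and shows which root each resulting chain validates against. The names rootA, rootB, toy-intermediate and example.test are invented, and only openssl is needed.

```bash
#!/usr/bin/env bash
# Added example (not dehydrated's own code): a toy cross-signed intermediate and
# the checks worth running before swapping intermediates in a served chain.
# rootA/rootB/toy-intermediate/example.test are made-up names.
set -eu

# SHA-256 over the certificate's SubjectPublicKeyInfo (DER). Two certificates
# with the same value wrap the same key pair, whatever their issuer or dates.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# True when two intermediates are interchangeable in a chain: same key and the
# same subject name, so the leaf's issuer field still matches either one.
same_key() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ] &&
    [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

# Validate leaf ($3) through intermediate ($2) up to the single trust anchor ($1).
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Assemble a fullchain the way the hook does: leaf ($1) first, then intermediate ($2).
build_fullchain() {
    cat "$1" "$2" > "$3"
}

# Build the toy PKI in directory $1.
make_toy_pki() {
    local d="$1" r
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
    # Two unrelated self-signed roots (stand-ins for ISRG Root X1 and the IdenTrust root).
    for r in rootA rootB; do
        openssl genrsa -out "$d/$r.key" 2048 2>/dev/null
        openssl req -new -key "$d/$r.key" -subj "/CN=$r" -out "$d/$r.csr" 2>/dev/null
        openssl x509 -req -in "$d/$r.csr" -signkey "$d/$r.key" -days 30 -sha256 \
            -extfile "$d/ca.ext" -out "$d/$r.pem" 2>/dev/null
    done
    # One intermediate key and CSR, signed by each root in turn. That is all a cross-sign is.
    openssl genrsa -out "$d/int.key" 2048 2>/dev/null
    openssl req -new -key "$d/int.key" -subj "/CN=toy-intermediate" -out "$d/int.csr" 2>/dev/null
    for r in rootA rootB; do
        openssl x509 -req -in "$d/int.csr" -CA "$d/$r.pem" -CAkey "$d/$r.key" -CAcreateserial \
            -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/int-by-$r.pem" 2>/dev/null
    done
    # A leaf signed with int.key. Which intermediate *certificate* is named here does
    # not matter: only the issuer name and the signing key end up in the leaf.
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=example.test" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int-by-rootA.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

demo() {
    local d
    d="$(mktemp -d)"
    make_toy_pki "$d"
    same_key "$d/int-by-rootA.pem" "$d/int-by-rootB.pem" && echo "intermediates share one key"
    # A client that trusts only rootB needs the rootB-issued intermediate in the chain.
    verify_chain "$d/rootB.pem" "$d/int-by-rootB.pem" "$d/leaf.pem" && echo "rootB + int-by-rootB: ok"
    verify_chain "$d/rootB.pem" "$d/int-by-rootA.pem" "$d/leaf.pem" || echo "rootB + int-by-rootA: fails"
    build_fullchain "$d/leaf.pem" "$d/int-by-rootB.pem" "$d/oldfullchain.pem"
    rm -rf "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 bash cross-sign-check.sh`. The last verification is the whole point of the thread: a client whose store holds only rootB cannot build a path through the rootA-issued intermediate, which is why a legacy client that trusts only the IdenTrust root needs the cross-signed intermediate in the served chain. Before pointing the hook at a downloaded `oldchain.pem`, running `same_key oldchain.pem "$CHAINFILE"` against the chain dehydrated just fetched is the check that confirms the swap is safe.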

@jcharaoui commented on GitHub (Nov 15, 2019):

For the record, for anyone landing here like me wondering why we're still seeing IdenTrust cross-signed certs, from the previously-linked [announcement](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html):

> Update, May 20 2019
> Due to concerns about insufficient ISRG root propagation on Android devices we have decided to move the date on which we will start serving a chain to our own root from July 8, 2019, to July 8, 2020.
Reference: starred/dehydrated#408