starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-13 23:23:32 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Preferred chain: LetsEncrypt Subscriber Certificate < – R3 < – ISRG Root X1 #525

New Issue
Closed
opened 2025-12-29 01:26:45 +01:00 by adam · 4 comments
adam commented 2025-12-29 01:26:45 +01:00
Owner
Copy Link

Originally created by @heffergm on GitHub (Mar 15, 2021).

As relates to https://letsencrypt.org/2020/12/21/extending-android-compatibility.html, it sounds like there is presently no way to select the alternate chain LE is going to offer (Subscriber Certificate < – R3 < – ISRG Root X1). Is this something that's in the works?

Originally created by @heffergm on GitHub (Mar 15, 2021). As relates to https://letsencrypt.org/2020/12/21/extending-android-compatibility.html, it sounds like there is presently no way to select the alternate chain LE is going to offer (Subscriber Certificate < – R3 < – ISRG Root X1). Is this something that's in the works?
adam closed this issue 2025-12-29 01:26:45 +01:00
adam commented 2025-12-29 01:26:46 +01:00
Author
Owner
Copy Link

@lukas2511 commented on GitHub (Mar 15, 2021):

This is already supported in the newest version.

Either as CLI argument:

--preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN

Or via a config parameter:

# Preferred issuer chain (default: <unset> -> uses default chain)
#PREFERRED_CHAIN=
@lukas2511 commented on GitHub (Mar 15, 2021): This is already supported in the newest version. Either as CLI argument: ` --preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN` Or via a config parameter: ``` # Preferred issuer chain (default: <unset> -> uses default chain) #PREFERRED_CHAIN= ```
adam commented 2025-12-29 01:26:46 +01:00
Author
Owner
Copy Link

@heffergm commented on GitHub (Mar 17, 2021):

So, the question arose due to this note from LetsEncrypt:

What about the alternate chain? Today, some ACME clients are able to instead request an alternate chain, if their user has 
configured it. We currently provide the option of getting the chain: Subscriber Certificate < – R3 < – ISRG Root X1 We will 
continue to offer this same chain as an alternate. However, note that most ACME clients don’t yet have a way to select this 
alternate chain (for example, Certbot selects chains by looking to see if they contain a given Issuer Name, but this chain 
doesn’t contain any Issuer Names which the high compatibility chain above doesn’t). We’ll be working with ACME client 
developers to create more flexible chain selection mechanisms going forward.

Specifically, the note about "no acme clients having a way to select this alternate chain...". If the existing preferred-chain option in dehydrated doesn't suffer this issue, that's great.

@heffergm commented on GitHub (Mar 17, 2021): So, the question arose due to this note from LetsEncrypt: ``` What about the alternate chain? Today, some ACME clients are able to instead request an alternate chain, if their user has configured it. We currently provide the option of getting the chain: Subscriber Certificate < – R3 < – ISRG Root X1 We will continue to offer this same chain as an alternate. However, note that most ACME clients don’t yet have a way to select this alternate chain (for example, Certbot selects chains by looking to see if they contain a given Issuer Name, but this chain doesn’t contain any Issuer Names which the high compatibility chain above doesn’t). We’ll be working with ACME client developers to create more flexible chain selection mechanisms going forward. ``` Specifically, the note about "no acme clients having a way to select this alternate chain...". If the existing preferred-chain option in dehydrated doesn't suffer this issue, that's great.
adam commented 2025-12-29 01:26:46 +01:00
Author
Owner
Copy Link

@lukas2511 commented on GitHub (Mar 21, 2021):

My current implementation just travels up the trust chain until it gets to the uppermost issuer certificate, which in this case should be DST Root CA X3 by default, or ISRG Root X1 as alternative, and those names should be selectable by the mentioned parameters.

[...] available options: DST Root CA X3, ISRG Root X1

@lukas2511 commented on GitHub (Mar 21, 2021): My current implementation just travels up the trust chain until it gets to the uppermost issuer certificate, which in this case should be `DST Root CA X3` by default, or `ISRG Root X1` as alternative, and those names should be selectable by the mentioned parameters. `[...] available options: DST Root CA X3, ISRG Root X1`
adam commented 2025-12-29 01:26:47 +01:00
Author
Owner
Copy Link

@mckaygerhard commented on GitHub (Nov 17, 2022):

Specifically, the note about "no acme clients having a way to select this alternate chain...". If the existing preferred-chain option in dehydrated doesn't suffer this issue, that's great.

it seems that is the case, cos i checked my cert at the browsers and still shows R3 as issuer.. check #892 or i dont know how is the workflow of those mechanish?

configured it. We currently provide the option of getting the chain: Subscriber Certificate < – R3 < – ISRG Root X1 We will continue to offer this same chain as an alternate. However, note that most ACME clients don’t yet have a way to select this alternate chain (for example, Certbot selects chains by looking to see if they contain a given Issuer Name, but this chain doesn’t contain any Issuer Names which the high compatibility chain above doesn’t). We’ll be working with ACME client developers to create more flexible chain selection mechanisms going forward.

@mckaygerhard commented on GitHub (Nov 17, 2022): > Specifically, the note about "no acme clients having a way to select this alternate chain...". If the existing preferred-chain option in dehydrated doesn't suffer this issue, that's great. it seems that is the case, cos i checked my cert at the browsers and still shows R3 as issuer.. check #892 or i dont know how is the workflow of those mechanish? > configured it. We currently provide the option of getting the chain: Subscriber Certificate < – R3 < – ISRG Root X1 We will continue to offer this same chain as an alternate. However, note that most ACME clients don’t yet have a way to select this alternate chain (for example, Certbot selects chains by looking to see if they contain a given Issuer Name, but this chain doesn’t contain any Issuer Names which the high compatibility chain above doesn’t). We’ll be working with ACME client developers to create more flexible chain selection mechanisms going forward. >
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#525
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?