support alternate chains offered by the ACME #547

Closed
opened 2025-12-29 01:27:06 +01:00 by adam · 2 comments

Originally created by @redzuk on GitHub (Oct 1, 2021).

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

How to support older OpenSSL versions
If you need to support affected OpenSSL versions and don't need compatibility with devices running Android versions older than 7.1.1, you'll be able to configure your ACME client to use a short chain that works for OpenSSL.

When you request a certificate with ACME, our servers provide your ACME client with a recommended certificate chain to go with it. Right now, that default chain is short and consists of one certificate:

R3 (signed by ISRG Root X1) -> Subscriber certificate

Soon, our servers will start recommending a slightly longer default chain that will maintain Android compatibility through 2024:

ISRG Root X1 (signed by DST Root CA X3) -> R3 (signed by ISRG Root X1) -> Subscriber certificate

However, we will continue to provide the shorter chain as an alternate, which can be selected by ACME clients that have alternate chain support. To support OpenSSL versions older than 1.1.0, you should configure this shorter chain. This functionality is officially supported by ACME and is already implemented by clients like uacme, Caddy, and more recently Certbot.

ISRG Root X1 is already trusted by most modern browsers and smartphones, however, devices running Android older than 7.1.1 will consider the certificate presented by your server to be invalid and will reject it.

Regardless of the certificate chain being used, ISRG Root X1 will need to be present in the “trust store” of clients using any version of OpenSSL. If not, the certificate will be rejected as untrusted.

adam closed this issue 2025-12-29 01:27:06 +01:00

@arekm commented on GitHub (Oct 1, 2021):

```
# Preferred issuer chain (default: <unset> -> uses default chain)
PREFERRED_CHAIN="ISRG Root X1"
```

@dani commented on GitHub (Oct 1, 2021):

I should just add that on older openssl (eg, el6, el7), the selection of the correct chain should be done like that

```
PREFERRED_CHAIN="issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1"
```
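Added example, not dehydrated's code and not from the Let's Encrypt post: it shows the two things the thread discusses together, picking an alternate chain from the ACME `Link: ...;rel="alternate"` header (RFC 8555 section 7.4.2) by the issuer of the chain's topmost certificate, and normalising the `openssl x509 -noout -issuer` output so that the same `PREFERRED_CHAIN` value works whether OpenSSL prints the old `issuer= /C=US/...` form or the newer `issuer=C = US, ...` form. The URLs, the Link header and the issuer lines are constructed sample data; matching on the issuer of the last certificate mirrors the meaning of `PREFERRED_CHAIN` in the comments above, while falling back to the default chain when nothing matches is this example's choice.

```python
"""Select an ACME alternate chain by preferred issuer (added example, not
dehydrated's own code). Old and new OpenSSL issuer formats are normalised."""
import re
from typing import Dict, List, Optional


def alternate_chain_urls(link_header: str) -> List[str]:
    """Extract rel="alternate" URLs from a Link header (RFC 8555 s7.4.2).
    Simplification: assumes no commas inside the URLs themselves."""
    urls = []
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="?alternate"?', part)
        if m:
            urls.append(m.group(1))
    return urls


def parse_issuer_line(line: str) -> Dict[str, str]:
    """Turn one `openssl x509 -noout -issuer` line into {RDN type: value}.

    OpenSSL < 1.1.0 prints   issuer= /C=US/O=.../CN=ISRG Root X1
    OpenSSL >= 1.1.0 prints  issuer=C = US, O = ..., CN = ISRG Root X1
    Simplification: values containing '/' or ',' are not handled."""
    body = line.split("=", 1)[1].strip()      # drop the leading "issuer="
    if body.startswith("/"):
        parts = [p for p in body.split("/") if p]
    else:
        parts = body.split(",")
    rdns: Dict[str, str] = {}
    for part in parts:
        key, value = part.split("=", 1)
        rdns[key.strip()] = value.strip()
    return rdns


def select_chain(default_url: str, alternate_urls: List[str],
                 issuers_by_url: Dict[str, List[str]],
                 preferred_cn: Optional[str] = None) -> str:
    """Return the URL of the chain whose topmost certificate (last in the PEM
    file, leaf first) was issued by `preferred_cn`. An unset preference or
    no match yields the default chain (the fallback is this example's choice)."""
    if not preferred_cn:
        return default_url
    for url in [default_url] + alternate_urls:
        top_issuer = parse_issuer_line(issuers_by_url[url][-1])
        if top_issuer.get("CN") == preferred_cn:
            return url
    return default_url


# Constructed sample data: a default (long) chain served in new-OpenSSL issuer
# format and an alternate (short) chain in old-OpenSSL format, so both paths
# through parse_issuer_line() are exercised.
DEFAULT_CHAIN_URL = "https://acme.example/cert/abc"
SAMPLE_LINK_HEADER = (
    '<https://acme.example/dir>;rel="index", '
    '<https://acme.example/cert/abc/1>;rel="alternate"'
)
SAMPLE_ISSUERS = {
    DEFAULT_CHAIN_URL: [                       # leaf -> R3 -> ISRG Root X1 (cross-signed)
        "issuer=C = US, O = Let's Encrypt, CN = R3",
        "issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1",
        "issuer=O = Digital Signature Trust Co., CN = DST Root CA X3",
    ],
    "https://acme.example/cert/abc/1": [       # leaf -> R3 (short chain)
        "issuer= /C=US/O=Let's Encrypt/CN=R3",
        "issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1",
    ],
}


def chain_for_preference(preferred_cn: Optional[str]) -> str:
    """Resolve a PREFERRED_CHAIN-style setting against the sample data."""
    alternates = alternate_chain_urls(SAMPLE_LINK_HEADER)
    return select_chain(DEFAULT_CHAIN_URL, alternates, SAMPLE_ISSUERS, preferred_cn)


if __name__ == "__main__":
    for pref in (None, "ISRG Root X1", "DST Root CA X3"):
        print(f"PREFERRED_CHAIN={pref!r:<18} -> {chain_for_preference(pref)}")
```

With the preference set to `ISRG Root X1` the short alternate chain is chosen even though its issuer lines came from an old OpenSSL, which is the situation dani's comment works around; with it unset or set to `DST Root CA X3` the default chain is used.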
Reference: starred/dehydrated#547