Support for fetching alternative certificates
gschorkopf opened this issue · comments
Problem
ACME client should support the ability to look up alternative certificates in order to continue using the IdenTrust chain during the yearlong gap (Sept 29 2020 to 2021) where Let's Encrypt will continue to cross-sign but are now using their own chain by default.
Potential Solutions
- Upgrading the certificate method to loop and download certificates until one matches the certificate authority expected. This is roughly what certbot is doing (see below)
- Add a new method that will return all (including alternatives) certificates
Notes
Context on Transitioning to ISRG's root
There are additional details here for Let's Encrypt's decision to:
to start serving certificates with the “alternate” link relation to allow ACME clients to programmatically select a chain they prefer
There is a python implementation of this feature for certbot here. Perhaps we could take a cue from the tests they've written.
In a world with many alternatives, it seems like you need to download them in order to understand how they operate. The links header only returns a URL for download with no additional information. The link header (in ruby) looks roughly like this:
"link" =>
  {"index" => "https://acme-v02.api.letsencrypt.org/directory",
   "alternate" => "https://acme-v02.api.letsencrypt.org/acme/cert/longcert_id/1"}
I've done a bit of research. Today, the alternates (though there is only one) is the certificate that uses Let's Encrypt's chain. I imagine on Sept 29th the original and alternate certificates will swap (though have not confirmed this).
By the way, we are planning to do this work and contribute to this gem, hoping to use the work ahead of the Sept 29 deadline! Just wanted to make the issue publicly visible for y'all.
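Added example, not code from this issue or from the acme-client gem: the "loop over alternates until the chain matches the expected CA" approach in plain Ruby, with a Link-header parser (alternates kept as an array, since several may be offered) and a selector that tries the default certificate URL first, then each alternate. The acme.example URLs, the fetch block and the self-signed sample "chains" are constructed stand-ins for real HTTP responses.

```ruby
require 'openssl'

# Parse an RFC 8288 Link header into rel => [urls]; "alternate" may repeat.
def parse_link_header(header)
  header.split(/,\s*(?=<)/).each_with_object(Hash.new { |h, k| h[k] = [] }) do |part, rels|
    m = part.match(/<([^>]+)>\s*;\s*rel="?([^";]+)"?/)
    rels[m[2]] << m[1] if m
  end
end

# Issuer CN of the last certificate in a PEM bundle (the one nearest the root).
def chain_top_issuer(pem_chain)
  pems = pem_chain.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  cn = OpenSSL::X509::Certificate.new(pems.last).issuer.to_a.find { |name, _, _| name == 'CN' }
  cn && cn[1]
end

# Try the default chain, then each alternate, until the top issuer matches the
# preferred CA. The block maps url -> PEM (an authenticated HTTP GET in practice).
def select_chain(default_url, links, preferred_issuer)
  [default_url, *links['alternate']].each do |url|
    pem = yield(url)
    return [url, pem] if chain_top_issuer(pem) == preferred_issuer
  end
  nil
end

# Constructed sample data: one self-signed cert per "chain" stands in for a
# real leaf+intermediate bundle, so its top issuer is simply its own CN.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

DEFAULT_URL = 'https://acme.example/acme/cert/longcert_id' # hypothetical URL
SAMPLE_LINK_HEADER = '<https://acme.example/directory>;rel="index", ' \
                     "<#{DEFAULT_URL}/1>;rel=\"alternate\""
SAMPLE_CHAINS = { DEFAULT_URL => self_signed('ISRG Root X1'),
                  "#{DEFAULT_URL}/1" => self_signed('DST Root CA X3') }

# Prefer the IdenTrust-rooted chain: the default is ISRG-rooted, so the alternate wins.
def pick_identrust_chain
  links = parse_link_header(SAMPLE_LINK_HEADER)
  select_chain(DEFAULT_URL, links, 'DST Root CA X3') { |url| SAMPLE_CHAINS.fetch(url) }
end
```

If no offered chain matches, select_chain returns nil, which a client should treat as a hard failure rather than silently falling back to the default chain.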
@unixcharles Hi, could you please give your opinion on this Issue?
Reviewed the PR. Thanks for the help.
You can use force_chain in 2.0.7.
Thanks everyone