gregtwallace / certwarden

Cert Warden is a centralized ACME Client. It provides an API for certificate consumers to fetch their individual keys and certs with API keys.
https://www.certwarden.com/

GET Combined Key & Certificate does not return CA chain #42

Closed ruifung closed 6 months ago

ruifung commented 6 months ago

Despite the documentation at GET Combined Key & Certificate stating that it will return the chain, testing with curl has shown that it only returns the private key and the certificate.

Use case was to use it with Caddy's tls get_certificate http function.

gregtwallace commented 6 months ago

My bad, I rewrote the documentation incorrectly.

You could concat that call with the certchain call below it if you want everything together in one file.

ruifung commented 6 months ago

And here I was thinking I could use it directly with Caddy's tls get_certificate http function that expects everything in one file from a HTTP endpoint.

Oh well, back to using shell scripts I guess.

gregtwallace commented 6 months ago

I'm not necessarily opposed to adding it. I just didn't need it when I wrote that particular function and no one else had asked.

Have you tried it without the chain though? Some things seem to work without actually providing the chain (I don't use Caddy though so I'm not sure).

ruifung commented 6 months ago

I mean, it would probably work, but then I would expect clients that don't have the intermediates in their trust store (or cached) to have issues verifying it then.
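As an added illustration of the two points above (concatenating the combined key-and-certificate response with the certchain response into one file, and the verification failure a client without the intermediates would hit if only the leaf is served), here is a small stand-alone script. It is example code written for this thread, not Cert Warden's or Caddy's own code; the PEM blocks are constructed placeholders, the API responses are embedded inline rather than fetched, and the assumption that the chain response may repeat the leaf certificate (which the script de-duplicates) is mine, not something the thread states.

```python
"""Assemble a PEM bundle laid out as key, leaf certificate, intermediates,
and sanity-check it before handing it to a TLS server.

Example code added to this issue thread; not part of Cert Warden or Caddy.
All PEM blocks below are constructed placeholders, not real key material.
"""
import re

# One PEM block: BEGIN label, at least one body line, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

# Constructed sample material (base64 of short ASCII markers, not real DER).
KEY = ("-----BEGIN PRIVATE KEY-----\n"
       "Q09OU1RSVUNURUQgS0VZ\n"
       "-----END PRIVATE KEY-----")
LEAF = ("-----BEGIN CERTIFICATE-----\n"
        "Q09OU1RSVUNURUQgTEVBRg==\n"
        "-----END CERTIFICATE-----")
INTERMEDIATE = ("-----BEGIN CERTIFICATE-----\n"
                "Q09OU1RSVUNURUQgSU5URVJNRURJQVRF\n"
                "-----END CERTIFICATE-----")

# Stand-ins for the two API responses discussed in the thread (constructed):
# the combined key & certificate call, and the certchain call. Whether the
# real certchain response repeats the leaf is an assumption; the dedupe in
# build_bundle() makes the result correct either way.
SAMPLE_COMBINED = KEY + "\n" + LEAF + "\n"
SAMPLE_CHAIN = LEAF + "\n" + INTERMEDIATE + "\n"


def split_pem(text):
    """Return (label, block) tuples in the order they appear in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_bundle(combined_pem, chain_pem):
    """Concatenate the combined response with the chain response.

    Certificates already present (e.g. the leaf, if the chain call repeats
    it) are dropped, so the output is: private key, leaf, intermediates.
    """
    blocks = split_pem(combined_pem)
    seen = {block for _, block in blocks}
    for label, block in split_pem(chain_pem):
        if label == "CERTIFICATE" and block not in seen:
            blocks.append((label, block))
            seen.add(block)
    return "\n".join(block for _, block in blocks) + "\n"


def check_bundle(bundle):
    """List problems a TLS server (or its clients) would hit with this file."""
    blocks = split_pem(bundle)
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no certificate found")
    elif len(certs) == 1:
        # Exactly what the thread warns about: browsers may fetch the missing
        # intermediate themselves, but many non-browser clients will not.
        problems.append("only the leaf certificate is present, no intermediate "
                        "chain: clients that lack the intermediate and do not "
                        "fetch it will fail verification")
    return problems


if __name__ == "__main__":
    print("combined response alone:", check_bundle(SAMPLE_COMBINED))
    bundle = build_bundle(SAMPLE_COMBINED, SAMPLE_CHAIN)
    print("blocks in bundle:", [label for label, _ in split_pem(bundle)])
    print("bundle problems:", check_bundle(bundle))
```

Running it reports the single-certificate bundle as lacking a chain and the concatenated bundle as clean, with the blocks ordered key, leaf, intermediate. To use it against a live server, fetch the two responses over HTTPS with the API key and pass the response bodies to build_bundle(); the same check_bundle() call can also be pointed at whatever file Caddy ends up loading to confirm the chain made it through.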

gregtwallace commented 6 months ago

I’ll probably add this, just not sure when. Since it’s relatively straightforward probably sooner than later.

In the meantime, most modern devices will actually handle it automatically without complaining. I have iDRACs that I could never get to actually serve the intermediate but never had a problem. Browsers fill in the intermediate blanks between the root and cert by fetching them. I can’t remember what this is called right now.

ruifung commented 6 months ago

Nice. I see you added it.

Also to reply to your previous comment, though it is a bit late:

Sure, browsers will have no problems handling it, but browsers aren't the only thing making HTTPS requests now are they? 😉

My use case was in Caddy in front of a minio instance. Can't be sure every single S3 implementation that accesses it will have the intermediates or will fetch it.