komuw / ong

ong, is a Go http toolkit.
MIT License
16 stars, 4 forks

acme; fetch certificate chain #320

Closed komuw closed 1 year ago

komuw commented 1 year ago

https://letsencrypt.org/2023/07/10/cross-sign-expiration.html says:

> ACME client author should make sure that your client correctly downloads and installs the certificate chain.
> Failure modes we have seen in the past include:
> a) never downloading the chain at all and only serving the end-entity certificate;
> b) never downloading the chain and instead serving a hard-coded chain; and
> c) only downloading the chain at first issuance and not re-downloading during renewals.
> Please ensure that your client does not fall into any of these buckets.

And https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2:

> The default format of the certificate is application/pem-certificate-chain

Which is defined by https://datatracker.ietf.org/doc/html/rfc8555#section-9 as:

> A file of this type contains one or MORE certificates encoded with the PEM textual encoding,

see: https://github.com/golang/crypto/blob/v0.11.0/acme/rfc8555.go#L400-L424

komuw commented 1 year ago

I think it is fine the way it is; maybe what we need to do is change https://github.com/komuw/ong/blob/faf6e54525e946ebce6ca62a1ac98d4e7f860fa8/internal/acme/client.go#L810 to:

```go
c, err := io.ReadAll(io.LimitReader(res.Body, someMaxvalue))
```

The reason why it is fine as is, is because when we do `io.ReadAll(response)`, even if the response is a chain, it will be read and saved.

komuw commented 1 year ago

Actually I checked, and ong/acme is doing the right thing and downloading the chain.
What is left is just to limit the maximum size of certificates we allow to download to prevent denial of service.
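The two points raised in this thread are (1) reading the whole `application/pem-certificate-chain` body rather than just the first certificate, and (2) bounding the number of bytes read so a misbehaving or hostile ACME server cannot exhaust memory. The following is an added, self-contained Go example (not ong's own code) showing both together: `readChain` wraps the body in `io.LimitReader`, reports `ErrChainTooLarge` instead of silently truncating, parses every PEM `CERTIFICATE` block, and `verifyChainOrder` checks that each certificate is signed by the one after it, as RFC 8555 requires (end-entity first). The limit `maxChainBytes`, the error names and the `sampleChainPEM` helper (which builds a throwaway CA and leaf in memory so the example runs offline) are assumptions of this example, not values from the project.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// maxChainBytes is an assumed cap on an ACME certificate response. A real
// chain (leaf plus a few intermediates) is a few KiB, so 64 KiB is generous.
const maxChainBytes = 64 << 10

var (
	ErrChainTooLarge  = errors.New("acme: certificate chain exceeds size limit")
	ErrNoCertificates = errors.New("acme: response contained no certificates")
)

// readChain reads an application/pem-certificate-chain body, bounded to maxBytes,
// and returns every certificate in it in the order the server sent them.
func readChain(body io.Reader, maxBytes int64) ([]*x509.Certificate, error) {
	// Read one byte past the limit so "exactly at the limit" and "over the
	// limit" are distinguishable; an over-limit body is rejected, not truncated.
	raw, err := io.ReadAll(io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(raw)) > maxBytes {
		return nil, ErrChainTooLarge
	}
	var certs []*x509.Certificate
	for rest := raw; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("acme: unexpected PEM block %q in chain", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, ErrNoCertificates
	}
	return certs, nil
}

// verifyChainOrder checks that certs[i] is signed by certs[i+1], i.e. the
// response is leaf first followed by its issuers (RFC 8555 section 9.1).
func verifyChainOrder(certs []*x509.Certificate) error {
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("acme: certificate %d not signed by certificate %d: %w", i, i+1, err)
		}
	}
	return nil
}

// sampleChainPEM builds a constructed two-certificate chain (leaf signed by a
// throwaway CA) so the example can run without contacting an ACME server.
func sampleChainPEM() ([]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER}) // end-entity first
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: caDER})   // then issuer
	return buf.Bytes(), nil
}

func main() {
	chain, err := sampleChainPEM()
	if err != nil {
		panic(err)
	}
	certs, err := readChain(bytes.NewReader(chain), maxChainBytes)
	if err != nil {
		panic(err)
	}
	if err := verifyChainOrder(certs); err != nil {
		panic(err)
	}
	fmt.Printf("chain has %d certificates; leaf=%s issuer=%s\n",
		len(certs), certs[0].Subject.CommonName, certs[len(certs)-1].Subject.CommonName)
	_, err = readChain(bytes.NewReader(chain), 100)
	fmt.Println("same body with a 100-byte limit:", err)
}
```

Rejecting an over-limit body (rather than keeping the first `maxBytes` bytes) matters here: a truncated PEM file would usually still decode its first block, so a silent `io.LimitReader` alone could turn a size problem into exactly the "only the end-entity certificate" failure mode the Let's Encrypt post warns about.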