shred / acme4j

Java client for ACME (Let's Encrypt)
https://acme4j.shredzone.org
Apache License 2.0

preferred-chain attribute, for alternate chains #138

Closed Fabian95qw closed 1 year ago

Fabian95qw commented 1 year ago

We have certain devices which, after a firmware upgrade, no longer accept the old Let's Encrypt chain and require the new chain to work.

There is an article about this on Let's Encrypt: https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738 or https://emak.tech/support/fixing-lets-encrypt-root-ca-x3-expiry-on-yealink-phones/

Basically, the chain currently delivered by Let's Encrypt contains the longer CA chain with the old DST Root CA X3 certificate, which is expired, to keep it compatible with older devices. They also have an option to deliver the alternate, shorter chain of certificates, which does not contain the old DST Root CA X3 certificate. This is done via a "preferred-chain" attribute.

I haven't figured out where I'd have to add this attribute to make it work, or if it's currently even possible to add this to the request without modifying the source code.

I hope you can help me with this. Sincerely Fabian95qw

shred commented 1 year ago

Hi Fabian95qw!

There is no "preferred-chain" attribute like in certbot.

But actually it's easy to select the alternative certificate chain with acme4j. I wrote a blog article about it. Basically it's changing your code like this:

// The chain the CA serves by default
Certificate certificate = order.getCertificate();
// Replace it with the first alternate chain the CA offers, or keep the
// default chain if the CA offers no alternates
certificate = certificate.getAlternateCertificates().stream()
        .findFirst()
        .orElse(certificate);

Fabian95qw commented 1 year ago

Hello shred

Thank you for this feedback! I'll implement it like that, and filter the certificates to see which one matches the preferred root certificate based on user input. This issue is resolved.
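Worked example of the approach discussed in this thread: rather than blindly taking the first alternate chain, pick the chain whose topmost certificate is issued by a root the user names (the same selection rule certbot's preferred-chain option applies), and fall back to the default chain when nothing matches. This is an added example, not code from the issue, from shred's blog post, or from acme4j itself. It assumes acme4j's documented `Certificate.getCertificateChain()` and `Certificate.getAlternateCertificates()` methods, an existing `Order` named `order`, and a hypothetical helper class `PreferredChainSelector`; the root CN string is user input.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.shredzone.acme4j.Certificate;

// Hypothetical helper; not part of acme4j.
public final class PreferredChainSelector {

    private PreferredChainSelector() {}

    /**
     * Chooses, among the default chain and every alternate chain the CA offers,
     * the one whose topmost certificate was issued by the given root CN
     * (for example "ISRG Root X1"). Chains containing a certificate that is
     * not currently valid are skipped. Falls back to the default chain when
     * no alternate matches, so issuance never fails because of the preference.
     */
    public static Certificate selectPreferredChain(Certificate defaultChain, String preferredRootCn) {
        List<Certificate> candidates = new ArrayList<>();
        candidates.add(defaultChain);
        candidates.addAll(defaultChain.getAlternateCertificates());

        for (Certificate candidate : candidates) {
            List<X509Certificate> chain = candidate.getCertificateChain();
            if (allCurrentlyValid(chain) && issuedByRoot(chain, preferredRootCn)) {
                return candidate;
            }
        }
        return defaultChain;
    }

    /** True when the issuer CN of the last certificate in the chain equals the wanted root CN. */
    static boolean issuedByRoot(List<X509Certificate> chain, String preferredRootCn) {
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        X509Certificate top = chain.get(chain.size() - 1);
        return issuerCommonName(top)
                .map(cn -> cn.equalsIgnoreCase(preferredRootCn))
                .orElse(false);
    }

    /** Extracts the CN attribute from the issuer DN (RFC 2253 form) of a certificate. */
    static Optional<String> issuerCommonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getIssuerX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return Optional.of(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: treat as "no CN"
        }
        return Optional.empty();
    }

    /** Rejects chains that carry an expired or not-yet-valid certificate anywhere in them. */
    static boolean allCurrentlyValid(List<X509Certificate> chain) {
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                return false;
            }
        }
        return true;
    }

    // Usage at the point where shred's snippet sits, assuming "order" is the
    // finalized acme4j Order and the root name comes from configuration:
    //
    //   Certificate certificate = PreferredChainSelector
    //           .selectPreferredChain(order.getCertificate(), "ISRG Root X1");
    //   certificate.writeCertificate(writer);   // PEM chain for the device
}
```

Matching on the issuer CN of the last certificate in the chain is what distinguishes the two Let's Encrypt chains here: the alternate chain ends in a certificate issued by ISRG Root X1, while the default chain ends in one issued by DST Root CA X3. Logging which chain was chosen and why (root CN matched, validity check failed, fell back to default) is worth adding in production, because a silent fallback to the default chain is exactly the failure mode that the firmware-upgraded devices in this issue would surface only at TLS handshake time.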