zero11it / acme-client

Java ACME Client
Apache License 2.0

Certificate Chain #3

Closed martinklepsch closed 8 years ago

martinklepsch commented 8 years ago

Hello @davidef. Sorry for the repeated noob question. :)

I was experimenting with using certificates generated by your client for AWS services (CloudFront specifically) and noticed that I need to supply a certificate chain. According to LetsEncrypt this is the most common use case.

What do you think about also saving the certificate chain to a file?

martinklepsch commented 8 years ago

Someone mentioned on IRC

[acme-client] is not completely implementing the ACME protocol. Part of the protocol is providing the correct chain files to the client who's then supposed to download it and write it out.

So probably this is good to add?

davidef commented 8 years ago

As stated in the readme, the current version does not fully implement ACME. Anyway, getting the certificate chain to the root is out of scope of the ACME protocol. You should be able to resolve/download the chain to the root by reading the certificate data (esp. Authority Information Access / CA Issuers, see https://tools.ietf.org/html/rfc3280#section-4.2.2.1; if you implement this, maybe it's a good idea to add it to the demo project), or you can manually download the intermediate certificate from https://letsencrypt.org/certificates/

martinklepsch commented 8 years ago

I didn't mean to point fingers or blame. I just understood that comment in IRC as if it's part of the protocol. In any case I realized that getting intermediate certificates is as easy as downloading them from the page you mentioned and that's good enough :)

Unfortunately this still doesn't quite work with AWS but that's another topic. You haven't tried using lets encrypt certificates with AWS by any chance?

Thanks again for adding the additional debug argument :)

On Fri, 18 Dec 2015 at 22:07, davidef notifications@github.com wrote:

davidef commented 8 years ago

Reading the URLs from the certificate itself should be the best way, as they may change the intermediate CA (see here: https://letsencrypt.org/certificates/ ) and if they do you end up with a broken chain without any error. We are using certificates on our servers (some nginx, some apache and some tomcat), no experience with public facing services on AWS. I think you'd better ask on the LE Community.
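The approach davidef describes in the two comments above, as an added example that is not acme-client's own code: read the CA Issuers URI from the leaf's Authority Information Access extension, download the intermediate from there instead of hard-coding the letsencrypt.org URL, verify that the downloaded certificate really signed the leaf (so a rotated intermediate fails loudly instead of producing a silently broken chain), and write leaf plus intermediate as a PEM chain file. It assumes the BouncyCastle bcprov and bcpkix jars are on the classpath; the class and method names are mine.

```java
// Added example, not part of acme-client. Assumes BouncyCastle bcprov+bcpkix on the classpath.
import java.io.*;
import java.net.URL;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

public class ChainFetcher {
    /** caIssuers URIs from the leaf's Authority Information Access extension; empty if absent. */
    static List<String> caIssuerUrls(X509Certificate cert) throws CertificateEncodingException {
        List<String> urls = new ArrayList<>();
        AuthorityInformationAccess aia = AuthorityInformationAccess.fromExtensions(
                new JcaX509CertificateHolder(cert).getExtensions());
        if (aia == null) return urls;
        for (AccessDescription ad : aia.getAccessDescriptions()) {
            GeneralName loc = ad.getAccessLocation();
            if (AccessDescription.id_ad_caIssuers.equals(ad.getAccessMethod())
                    && loc.getTagNo() == GeneralName.uniformResourceIdentifier) {
                urls.add(loc.getName().toString()); // DERIA5String -> plain URI string
            }
        }
        return urls;
    }
    /** Downloads the issuer the leaf points to and proves it signed the leaf before trusting it. */
    static X509Certificate fetchIssuer(X509Certificate leaf) throws Exception {
        List<String> urls = caIssuerUrls(leaf);
        if (urls.isEmpty()) throw new CertificateException("leaf carries no caIssuers URL");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new URL(urls.get(0)).openStream()) {
            X509Certificate issuer = (X509Certificate) cf.generateCertificate(in); // DER or PEM
            leaf.verify(issuer.getPublicKey()); // SignatureException if this is not the real signer
            return issuer;
        }
    }
    /** Writes leaf followed by intermediate as PEM, the chain order CloudFront and nginx expect. */
    static void writeChain(X509Certificate leaf, Path out) throws Exception {
        X509Certificate issuer = fetchIssuer(leaf);
        Base64.Encoder b64 = Base64.getMimeEncoder(64, "\n".getBytes());
        try (Writer w = Files.newBufferedWriter(out)) {
            for (X509Certificate c : Arrays.asList(leaf, issuer)) {
                w.write("-----BEGIN CERTIFICATE-----\n" + b64.encodeToString(c.getEncoded())
                        + "\n-----END CERTIFICATE-----\n");
            }
        }
    }
}
```

Call `writeChain(leaf, Paths.get("chain.pem"))` with the `X509Certificate` the client already holds after issuance; the root is deliberately not appended, since CloudFront and most servers want only the intermediates.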

davidef commented 8 years ago

I've just pushed 43564ff3d2167e053b063597125a72aaa2f9be42 with an option in the default certificate storage to automatically download and save the intermediate certificate.