Boulder: wfe: implement alternate certificate chains

Created on 19 Nov 2019  路  7Comments  路  Source: letsencrypt/boulder

arewfe kinfeature kinspec-compliance layeapi

Most helpful comment

Hi @alexzorin ! This is now live in prod. Sorry for the delay!

All 7 comments

Are there any high level plans to get this out before the chain switchover in a little under 4 months from now?

In particular I think it would be useful for clients to see Let's Encrypt serving the ISRG chain as an alternate chain for a while, before the switch is made.

I could probably try contribute this change - something like adding alternateCertificateChains in test/config/wfe2.json that would mirror the certificateChains key?

You make a good point about timing, thank you very much for the reminder.

If you would like to contribute a change, I'd definitely appreciate it!

alternateCertificateChains is a good idea. It would be hard to express multiple alternates that way, but since we have no immediate plans to offer more than one alternate chain per certificate, I think that's not a big deal.

Hi @jsha, are you be able to share whether this is still planned? Sorry for the nag.

No problem! Thanks for the ping. Our SRE team has been working on it - the current blocker is that we want to make sure to meaningfully test it in staging before going to prod, and we don't currently have an alternate hierarchy for staging, so we need to set that up. We're still planning to deploy this. Sorry for the many delays.

Hi @alexzorin ! This is now live in prod. Sorry for the delay!

Fantastic, I'm so happy! This is probably the wrong place to ask, but if you plan to update the API Announcement, is it worth mention that users can upgrade to Certbot 1.6.0 for chain selection?

Done and done! I really appreciate how much you've worked on this feature, in both Boulder and Certbot.

Was this page helpful?
0 / 5 - 0 ratings