Is your feature request related to a problem? Please describe.
Let's Encrypt is transitioning to their own root CA soon. For compatibility reasons, we need to keep using the DST cross-signed intermediate certificate. I could not find any documentation on this matter. I don't even know whether cert-manager will keep using the old intermediate or the new one if we don't deploy a new version.
Describe the solution you'd like
Option to select the DST cross-signed intermediate certificate or the ISRG intermediate certificate per Certificate (per domain).
Describe alternatives you've considered
Updating IoT devices is not viable; for some we don't even have remote access. Also, we might purchase a classical certificate from an older CA.
Additional context
We have a lot of different embedded IoT clients with firmware of various ages and difficult or no remote access.
Environment details (if applicable):
N/A
/kind feature
We have more time :) Update from Let's Encrypt: "Update, May 20 2019
Due to concerns about insufficient ISRG root propagation on Android devices we have decided to move the date on which we will start serving a chain to our own root from July 8, 2019, to July 8, 2020."
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
/remove-lifecycle stale
On Mon, Aug 19, 2019, 10:24 retest-bot notifications@github.com wrote:
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack https://github.com/jetstack.
/lifecycle stale
This isn't something we can control - we simply issue the certificates that Let's Encrypt give us. It'd be best if you took this up over at the Let's Encrypt community forums, or directly with them 😄
Let's Encrypt does provide the parameter for it, and some clients such as Certbot already have the ability to select the preferred chain:

```
--preferred-chain PREFERRED_CHAIN
                    If the CA offers multiple certificate chains, prefer
                    the chain with an issuer matching this Subject Common
                    Name. If no match, the default offered chain will be
```

```
./letsencrypt-auto --preferred-chain "DST Root CA X3"
```

If this is not implemented by September 29 2020, Let's Encrypt will start issuing certs which are signed by intermediate certificates issued by their relatively new root CA, ISRG Root X1, which is not available even on Android devices more than 5 years old.
/cc @meyskens @joshvanl @wallrj
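The chain-selection rule behind certbot's `--preferred-chain` (compare the requested name against the Issuer CN of the last certificate in each offered chain, and fall back to the CA's default chain when nothing matches), as an added Go example that is not cert-manager's or certbot's code. `rootIssuerCN`, `selectPreferredChain` and `newTestChain` are hypothetical names, and the chains are constructed throwaway test data, not real Let's Encrypt certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// rootIssuerCN returns the Issuer CN of the last certificate in a PEM chain: the root that
// signed the top-most intermediate, which is what certbot matches --preferred-chain against.
func rootIssuerCN(bundle []byte) string {
	var cn string // stays empty for an empty or unparsable bundle, so it never matches a real name
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if block.Type == "CERTIFICATE" && err == nil {
			cn = cert.Issuer.CommonName
		}
	}
	return cn
}

// selectPreferredChain scans the CA's default chain and its alternates for one whose root issuer CN
// equals preferred; an empty or unmatched preference falls back to the default chain, as certbot does.
func selectPreferredChain(defaultChain []byte, alternates [][]byte, preferred string) ([]byte, bool) {
	for _, c := range append([][]byte{defaultChain}, alternates...) {
		if preferred != "" && rootIssuerCN(c) == preferred {
			return c, true
		}
	}
	return defaultChain, false
}

// newTestChain builds a constructed sample chain (one intermediate named "R3" signed by a root named
// rootCN) as test input only; it is not real Let's Encrypt material and the keys are throwaway.
func newTestChain(rootCN string) []byte {
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootDER, _ := x509.CreateCertificate(rand.Reader, tmpl(1, rootCN), tmpl(1, rootCN), &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interDER, _ := x509.CreateCertificate(rand.Reader, tmpl(2, "R3"), root, &interKey.PublicKey, rootKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: interDER})
}
```

A misspelled preference therefore degrades to the CA's default chain rather than to a failed issuance, which is the same behaviour an operator would see from certbot.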
As a first step which could be more easily backported, can we force Let's Encrypt to use the old default? Or are we better to flip this default now (3 Sept) along with the rest of the Let's Encrypt community, and introduce a new option in the next release to switch it back for those with compatibility issues?
I think we should follow the LE switch to the ISRG root and add a preferred-chain option in the Issuer which, when set, passes that along to LE as well as other ACME issuers, which can be useful to offer internal ACME with multiple CAs (somebody should make this a thing...)
Digging into https://github.com/certbot/certbot/pull/8080/files Pebble already seems to have support for this which helps us to test this!
/assign
/priority important-soon
/area acme
For supporting legacy devices only on some domains with the same issuer, it could be useful to set preferred-chain at a more granular level: on the Certificate.
@OndroNR it is a quite ACME-specific feature; that would introduce a field that only works with 1 issuer on all certificates.
If you want to combine both you can set up 2 Issuers, letsencrypt and letsencrypt-old-chain, then point the old ones you need to the new Issuer.