Stories
Slash Boxes
Comments

SoylentNews is people

Let's Encrypt to Transition to ISRG Root

posted by Fnord666 on Tuesday April 23 2019, @09:11AM   Printer-friendly
from the getting-to-the-root-of-the-issue dept.

upstart writes:

Submitted via IRC for Bytram

Let's Encrypt to transition to ISRG root

Let's Encrypt have announced that on July 8th, 2019 they will begin issuing new certificates from their own intermediate CA and not their current cross-signed intermediate. Here's what that means and what action, if any, site operators need to take.

[...] Like all new CAs, Let's Encrypt began life with a cross-signature. Cross-signing is a trick that CAs can use to avoid the years long process of becoming a root CA. It genuinely does take many years to go through this process and Let's Encrypt wouldn't have been able to issue any certificates over the last 3+ years without a cross-sign.

[...] In short, Let's Encrypt currently issue from their cross-signed intermediate, which is issued to them by IdenTrust. IdenTrust have been a CA for many years and even old, legacy clients recognise them as a CA. When you get a certificate from Let's Encrypt right now it is issued by the cross-signed X3 intermediate which chains to the IdenTrust root. Now that Let's Encrypt's ISRG root is widely trusted, they can instead switch to issuing from their own X3 intermediate instead of the cross-signed one. This is a big step forwards for them and will likely not mean anything to the vast majority of their users. There are a few considerations though.

Useful links and information

Let's Encrypt transition announcement: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html

Let's Encrypt ISRG root coverage: https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

The Best TLS Training in the World: https://www.feistyduck.com/training/the-best-ssl-and-tls-training-in-the-world

Original Submission

 
This discussion has been archived. No new comments can be posted.
Let's Encrypt to Transition to ISRG Root | Log In/Create an Account | Top | 10 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by The Shire on Tuesday April 23 2019, @08:23PM (1 child)

    by The Shire (5824) on Tuesday April 23 2019, @08:23PM (#834023)

    Broke how? I've been running literally hundreds of domains on LE using http verification without any interuptions.

    And a 3 month renew target is trivial to handle through automation.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 0) by Anonymous Coward on Wednesday April 24 2019, @06:38PM

    by Anonymous Coward on Wednesday April 24 2019, @06:38PM (#834451)

    idk. http verification just quit working. i had it scripted too. it worked for well over a year i'm guessing. ran it manually and the terminal and it wouldn't work. i don't remember what assinine message it gave me. i didn't change anything with my script or config except update certbot and the web server stack. i din't have time to try and figure out exactly how i had been sabotaged so i just used dns verification which worked without issue, but the way it's expected to be used is not automation friendly. Even the way the dns challenge script works it's obvious that no thought was given to it's usability. it works, but goddamn!