Submitted via IRC for Bytram
Let's Encrypt to transition to ISRG root
Let's Encrypt have announced that on July 8th, 2019 they will begin issuing new certificates from their own intermediate CA and not their current cross-signed intermediate. Here's what that means and what action, if any, site operators need to take.
[...] Like all new CAs, Let's Encrypt began life with a cross-signature. Cross-signing is a trick that CAs can use to avoid the years-long process of becoming a root CA. It genuinely does take many years to go through this process and Let's Encrypt wouldn't have been able to issue any certificates over the last 3+ years without a cross-sign.
[...] In short, Let's Encrypt currently issue from their cross-signed intermediate, which is issued to them by IdenTrust. IdenTrust have been a CA for many years and even old, legacy clients recognise them as a CA. When you get a certificate from Let's Encrypt right now it is issued by the cross-signed X3 intermediate which chains to the IdenTrust root. Now that Let's Encrypt's ISRG root is widely trusted, they can switch to issuing from their own X3 intermediate rather than the cross-signed one. This is a big step forwards for them and will likely not mean anything to the vast majority of their users. There are a few considerations though.
Useful links and information
Let's Encrypt transition announcement: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html
Let's Encrypt ISRG root coverage: https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html
The Best TLS Training in the World: https://www.feistyduck.com/training/the-best-ssl-and-tls-training-in-the-world
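The mechanics described above (one intermediate key, two issuer certificates for it, and a chain that either does or does not reach a root the client trusts) can be reproduced with a toy PKI. The script below is an added example built with the openssl CLI; it is not code from the linked article or from Let's Encrypt. The names "Old Root" (standing in for the IdenTrust role), "New Root" (the ISRG Root role), "Toy Intermediate" (the X3 role) and "example.test" are constructed for the demo, and the certificates exist only in a temporary directory for the life of the script.

```shell
#!/bin/sh
# Added example (not from the article or Let's Encrypt): a toy PKI showing a
# cross-sign. One intermediate key gets two issuer certificates, and the leaf
# validates only when the served intermediate chains to a root the client holds.
# Constructed roles: oldroot = long-trusted root (IdenTrust-like),
# newroot = newly trusted root (ISRG-like), int = the intermediate key (X3-like).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles consumed by "openssl x509 -extfile".
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > leaf.ext

# make_key_and_csr <name> <CN>: P-256 key plus a CSR for that subject.
make_key_and_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# make_root <name> <CN>: self-signed root certificate.
make_root() {
    make_key_and_csr "$1" "$2"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
        -extfile ca.ext -out "$1.pem" 2>/dev/null
}

# sign_csr <csr> <issuer name> <extfile> <output>: issue a certificate for a CSR.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 30 -extfile "$3" -out "$4" 2>/dev/null
}

make_root oldroot "Old Root"
make_root newroot "New Root"

# One intermediate key pair and CSR, signed by both roots: that is the cross-sign.
make_key_and_csr int "Toy Intermediate"
sign_csr int.csr oldroot ca.ext int-cross.pem   # issued by Old Root (cross-signed)
sign_csr int.csr newroot ca.ext int-own.pem     # issued by New Root (own root)

# The leaf is signed with the intermediate *key*; its issuer name is the same
# whichever of the two intermediate certificates a server later sends with it.
make_key_and_csr leaf "example.test"
openssl x509 -req -in leaf.csr -CA int-own.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verdict <trusted root> <intermediate cert served>: prints OK or FAIL.
# Only the given root is trusted; system stores are deliberately excluded.
verdict() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

printf '%-48s %s\n' "client trusts Old Root, server sends int-cross:" "$(verdict oldroot.pem int-cross.pem)"
printf '%-48s %s\n' "client trusts Old Root, server sends int-own:"   "$(verdict oldroot.pem int-own.pem)"
printf '%-48s %s\n' "client trusts New Root, server sends int-own:"   "$(verdict newroot.pem int-own.pem)"
printf '%-48s %s\n' "client trusts New Root, server sends int-cross:" "$(verdict newroot.pem int-cross.pem)"
```

The second line of output is the case the article's "considerations" refer to: a legacy client that only carries the older root cannot build a path once the server starts sending the intermediate issued by the new root. The last line shows the mirror image, which is why a site operator checking compatibility should look at which intermediate their server actually serves (for example with `openssl s_client -showcerts`) rather than only at the leaf.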
(Score: 2) by The Shire on Tuesday April 23 2019, @08:23PM (1 child)
Broke how? I've been running literally hundreds of domains on LE using http verification without any interruptions.
And a 3 month renew target is trivial to handle through automation.
(Score: 0) by Anonymous Coward on Wednesday April 24 2019, @06:38PM
idk. http verification just quit working. i had it scripted too. it worked for well over a year i'm guessing. ran it manually in the terminal and it wouldn't work. i don't remember what asinine message it gave me. i didn't change anything with my script or config except update certbot and the web server stack. i didn't have time to try and figure out exactly how i had been sabotaged so i just used dns verification which worked without issue, but the way it's expected to be used is not automation friendly. Even the way the dns challenge script works it's obvious that no thought was given to its usability. it works, but goddamn!