acme: add preferred_chain option
- Feb 27, 2023
Charles Decoux authored
Signed-off-by: Charles Decoux <charles@cri.epita.fr>
Let's Encrypt currently (cross)signs its certificates with both ISRG Root X1 and DST Root CA X3: https://community.letsencrypt.org/t/production-chain-changes/150739
This breaks on DoH/DoT servers used as Android Private DNS because Android expects each single CA which signed/cross-signed the certificate to be valid, instead of stopping once it already met a well-known valid one during the bottom-up validation.
This MR adds the ability to configure a custom preferred chain globally or for each certificate.