acme: add preferred_chain option
2 unresolved threads
@@ -14,6 +14,7 @@ acme_experimental_cname_support: false
@@ -46,3 +47,4 @@ acme_certificates: []
Let's Encrypt currently (cross-)signs its certificates with both ISRG Root X1 and DST Root CA X3: https://community.letsencrypt.org/t/production-chain-changes/150739

This breaks on DoH/DoT servers used as Android Private DNS, because Android expects each single CA which signed/cross-signed the certificate to be valid, instead of accepting the chain once it has already met a well-known valid CA during the bottom-up validation.

This MR adds the ability to configure a custom preferred chain globally or for each certificate.
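To make the difference between the two validation behaviours concrete, here is a small model of the chains and checks described above. This is an added example, not code from the MR or from lego: certificates are reduced to (subject, issuer) name pairs, the chain contents are constructed to mirror the description (R3 issued by ISRG Root X1, ISRG Root X1 cross-signed by DST Root CA X3), and the "every CA must be trusted" behaviour is taken from the MR text rather than verified against a device. The preferred-chain selection rule (match on the topmost issuer, fall back to the default chain) is likewise an assumption of this example.

```python
"""Model of the two chain-validation behaviours contrasted in the MR description.

Added example, not the MR's or lego's code. Certificates are (subject, issuer)
name pairs; chains and trust store are constructed sample data.
"""

# Constructed certificates: (subject, issuer).
LEAF = ("example.org", "R3")
R3 = ("R3", "ISRG Root X1")
ISRG_X1_CROSS_SIGNED = ("ISRG Root X1", "DST Root CA X3")

# Default chain as described in the MR: leaf -> R3 -> cross-signed ISRG Root X1,
# whose issuer is DST Root CA X3.
DEFAULT_CHAIN = [LEAF, R3, ISRG_X1_CROSS_SIGNED]
# Alternate chain: stops at R3, issued by the self-signed ISRG Root X1.
ISRG_ROOT_CHAIN = [LEAF, R3]


def is_well_formed(chain):
    """Every certificate's issuer must be the subject of the next one up."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def validate_stop_at_first_anchor(chain, trusted_roots):
    """Usual path building: walk bottom-up and accept as soon as some
    certificate is issued by a root in the trust store; anything served
    above that point is ignored."""
    if not is_well_formed(chain):
        return False
    return any(issuer in trusted_roots for _, issuer in chain)


def validate_whole_served_chain(chain, trusted_roots):
    """Stricter behaviour the MR attributes to Android Private DNS: the served
    chain is taken as-is, so the topmost issuer itself must be a trusted root."""
    if not is_well_formed(chain):
        return False
    return chain[-1][1] in trusted_roots


def select_preferred_chain(chains, preferred_issuer):
    """Pick the offered chain whose topmost issuer matches the configured
    name; fall back to the first (default) chain when nothing matches.
    The fallback rule is an assumption of this example."""
    for chain in chains:
        if chain and chain[-1][1] == preferred_issuer:
            return chain
    return chains[0]


def demo():
    # Constructed trust store: only the self-signed ISRG Root X1 is trusted,
    # DST Root CA X3 is not (absent or expired in the store).
    trusted = {"ISRG Root X1"}
    offered = [DEFAULT_CHAIN, ISRG_ROOT_CHAIN]
    return {
        "default_lenient": validate_stop_at_first_anchor(DEFAULT_CHAIN, trusted),
        "default_strict": validate_whole_served_chain(DEFAULT_CHAIN, trusted),
        "preferred_strict": validate_whole_served_chain(
            select_preferred_chain(offered, "ISRG Root X1"), trusted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

With a store that trusts ISRG Root X1 but not DST Root CA X3, the default chain passes the lenient check and fails the strict one; selecting the chain whose top issuer is ISRG Root X1 is what makes the strict check pass, which is the effect the preferred chain option is meant to achieve.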
Let's set a default as it's done for acme_key_type. It will make using it much easier.

I'm not sure which default would make most sense here, as we could just let lego use Let's Encrypt's default chain.