Add root certificate while generating certificate files
When calling certificateChain.Cert.toPem() or certificateChain.Cert.toPfx() (i.e. the extension methods from CertificateChainExtensions) an AcmeException with the message "Can not find issuer ..." is thrown when the trust anchor for this certificate is not embedded in the library. It works for LE production and staging, because these root certificates are contained in the library, but fails for instance when testing against a local pebble instance.
I agree with @webprofusion-chrisc that embedding all possible root certificates into the library is not the best way to go (like mentioned here). So I think there should be another possibility to (reasonably) easily provide the root certificate.
I’m not too familiar with the ACME RFC, but scanning through it I couldn’t find a specification on how to obtain the root certificate automatically:
- It is not contained in the certificate chain which is downloaded from the ACME provider. (Only the cert and the intermediates are.)
- The up link SHOULD be present when requesting a certificate in DER format, but support for the DER format itself is optional.
- It might be possible to extract it from the system’s certificate store (like the registry on Windows, the keychain on macOS ...), but that
  - may not be possible on all platforms,
  - requires platform-specific code, and
  - does not solve the problem that the root certificate may not even be known to the system.
As a possible workaround I could provide a PR which allows providing the root certificate to CertificateChainExtensions.ToPfx() and CertificateChainExtensions.ToPem() (similar to what’s done in the Certes.CLI with the --issuer option already). So anyone using this library with a CA other than Let’s Encrypt can at least pre-download the root certificate and include it in the workflow.
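What the proposed workaround looks like in plain .NET, as an added example that is not Certes code and not part of the issue: the ACME server hands back only the leaf and the intermediate(s), so a chain build that relies on the OS or library trust store fails with an unknown issuer, while the same build succeeds once the separately downloaded root is passed in as the only trust anchor. The root/intermediate/leaf below are generated in-process (constructed test PKI, standing in for pebble's root and a pebble-issued chain) so the sample runs offline; the method names BuildChain and ToPfx are this example's own, not the library's, and the APIs used (X509ChainTrustMode.CustomRootTrust, CustomTrustStore, CertificateRequest) require .NET 5 or later.

```csharp
// Added example (not Certes code): completing a chain with an explicitly supplied root.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class RootAwareExport
{
    // Build leaf -> intermediates -> root, trusting ONLY the root passed in (never the OS store).
    // Returns the ordered chain, or null when no path to a trusted root exists.
    public static X509Certificate2Collection BuildChain(
        X509Certificate2 leaf, X509Certificate2Collection intermediates, X509Certificate2 root)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;  // ignore system roots
        if (root != null) chain.ChainPolicy.CustomTrustStore.Add(root);    // the pre-downloaded root
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);               // what ACME delivered
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;      // constructed CA: no CRL/OCSP
        if (!chain.Build(leaf))
        {
            foreach (var s in chain.ChainStatus)
                Console.WriteLine($"  chain build failed: {s.Status} ({s.StatusInformation.Trim()})");
            return null;
        }
        var ordered = new X509Certificate2Collection();
        foreach (var el in chain.ChainElements) ordered.Add(el.Certificate);
        return ordered;
    }

    // Export the leaf with its private key plus the rest of the verified chain as PKCS#12.
    public static byte[] ToPfx(X509Certificate2 leafWithKey, X509Certificate2Collection chain, string password)
    {
        var bundle = new X509Certificate2Collection { leafWithKey };
        foreach (var c in chain)
            if (c.Thumbprint != leafWithKey.Thumbprint) bundle.Add(c);
        return bundle.Export(X509ContentType.Pfx, password);
    }

    // --- constructed test PKI (root -> intermediate -> leaf); not pebble's real certificates ---
    static byte[] NewSerial() { var s = new byte[16]; RandomNumberGenerator.Fill(s); return s; }

    static X509Certificate2 MakeCa(string cn, X509Certificate2 issuer, RSA key)
    {
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        var now = DateTimeOffset.UtcNow;
        if (issuer == null) return req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1));
        return req.Create(issuer, now.AddMinutes(-5), now.AddDays(1), NewSerial()).CopyWithPrivateKey(key);
    }

    static void Main()
    {
        using var rootKey = RSA.Create(2048);
        using var intKey = RSA.Create(2048);
        using var leafKey = RSA.Create(2048);
        var root = MakeCa("Constructed Test Root", null, rootKey);
        var intermediate = MakeCa("Constructed Test Intermediate", root, intKey);

        var leafReq = new CertificateRequest("CN=example.test", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        var now = DateTimeOffset.UtcNow;
        var leaf = leafReq.Create(intermediate, now.AddMinutes(-5), now.AddDays(1), NewSerial())
                          .CopyWithPrivateKey(leafKey);

        // Exactly what an ACME server returns: leaf + intermediate, no root.
        var downloaded = new X509Certificate2Collection { intermediate };

        Console.WriteLine("without a root supplied:");
        var noRoot = BuildChain(leaf, downloaded, null);   // fails: issuer of the last cert is unknown

        Console.WriteLine("with the pre-downloaded root supplied:");
        var withRoot = BuildChain(leaf, downloaded, root); // succeeds: leaf, intermediate, root
        if (withRoot == null) throw new InvalidOperationException("chain should have built");

        byte[] pfx = ToPfx(leaf, withRoot, "changeit");
        Console.WriteLine($"  chain length {withRoot.Count}, pfx {pfx.Length} bytes");
    }
}
```

Against a real pebble instance you would replace the constructed PKI with X509Certificate2.CreateFromPemFile for the leaf and its key, X509Certificate2Collection.ImportFromPemFile for the downloaded chain, and a root loaded from the file you fetched out of band; the CustomRootTrust mode is what keeps the check honest, since it refuses to fall back to whatever happens to be in the OS store.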
Top GitHub Comments
Thanks, yes agree that instead of us scraping around for the proper root cert the ACME CA should have an endpoint that serves the public root certs for the chains they support. It looks like this may have become part of pebble but isn’t part of ACME : https://github.com/letsencrypt/pebble/issues/152
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.