Hi Guilhem,

On Fri, Jul 05, 2024 at 11:15:31AM +0200, Guilhem Moulin wrote:
> Hi Sakari,
>
> On Fri, 05 Jul 2024 at 08:23:56 +0000, Sakari Ailus wrote:
> > The removal of the intermediate certificates (or not including the current
> > ones) however is an issue as the server using the issued certificate still
> > needs to provide them to the clients.
>
> The path pointed to by ‛certificate-chain’ contains the entire chain
> (excluding the root) as provided by Let's Encrypt.
>
> > While it's certainly possible for the lacme user to obtain these
> > certificates directly from Let's encrypt, it'd be quite convenient to
> > continue to provide them in the lacme package itself, even if the package
> > does need to be updated from time to time for that reason.
>
> Do you have a concrete usecase? It appears Let's Encrypt has settled on
> intermediates with <2y lifetime (i.e., shorter than Debian Stable's
> lifetime), and earlier rotation is at their own discretion, so I don't
> see how we can reliably provide them as part of the source package.
> (Updating via (o)s-pu might be an option, but that would only work if
> the rotation is announced early enough ahead of the point release
> freeze.)

I believe the issues were actually caused by a local misconfiguration. After
fixing that, the certificate chain is deployed correctly. I understand the
intermediate certificate was present in lacme-provided CA certificates
previously and that's no longer the case. Apologies for the noise.

-- 
Kind regards,

Sakari Ailus