This repository has been archived by the owner on Feb 26, 2024. It is now read-only.
r/certificate: do not require exactly 2 certificates in the bundle Let's Encrypt, in part of the work in migrating to their own independent root CA certificate, has introduced an additional intermediate in the default chain to help compatibility with older systems, namely Android devices. The new chain is now being issued with new requests, which has caused issues with our current assertions where we look for two certificates. This assertion possibly could fail with other ACME CAs that are not Let's Encrypt that may eventually need to do something similar. For now, we are just removing the assertion that expects this. For PEM encoding we are just concatenating the entire collection of issuer certificates in issuer_pem. This will be migrated to a list at a later time. Since PFX encoding takes certificates un-encoded, this is a more natural, graceful change. Additionally, we should look to add a certificate chain preference at a later time, as Let's Encrypt will be eventually transitioning their default chain to one that does not include the cross-signed intermediate. Related to #154. (cherry picked from commit a8f59aa7288c421220152c8cb244a280272bbd64)