Hi Sakari,

On Fri, 05 Jul 2024 at 08:23:56 +0000, Sakari Ailus wrote:
> The removal of the intermediate certificates (or not including the current
> ones) however is an issue as the server using the issued certificate still
> needs to provide them to the clients.

The path pointed to by ‛certificate-chain’ contains the entire chain
(excluding the root) as provided by Let's Encrypt.

> While it's certainly possible for the lacme user to obtain these
> certificates directly from Let's Encrypt, it'd be quite convenient to
> continue to provide them in the lacme package itself, even if the package
> does need to be updated from time to time for that reason.

Do you have a concrete use case?  It appears Let's Encrypt has settled on
intermediates with <2y lifetime (i.e., shorter than Debian Stable's
lifetime), and earlier rotation is at their own discretion, so I don't
see how we can reliably provide them as part of the source package.
(Updating via (o)s-pu might be an option, but that would only work if
the rotation is announced early enough ahead of the point release
freeze.)

Cheers,
-- 
Guilhem.
