On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote: > Marius Bakke <mba...@fastmail.com> skribis: > > I think having a separate 'le-certs' package that can verify the Lets > > Encrypt chain sounds like the easiest option. Presumably new > > intermediates etc will be known well in advance. > > That sounds more reasonable to me. Do you know what it would take to > get the whole LE chain in such a package? Would you like to give it a > try?
I tried it. The next intermediate (also called the "backup") is already known. I've made it available here: https://github.com/lfam/le-certs You can try it out: $ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath /tmp/le-certs -connect git.savannah.gnu.org:443 Your feedback is requested!
signature.asc
Description: PGP signature