Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore.

https://letsencrypt.org/certificates/ Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems.
2020-07-14 17:35:13 -07:00 · 2020-07-14 17:35:13 -07:00 · 5a6e4e5b43
parent c169ad291e
commit 5a6e4e5b43
1 changed files with 9 additions and 3 deletions
--- a/lemur/plugins/lemur_acme/plugin.py
+++ b/lemur/plugins/lemur_acme/plugin.py
@ -205,9 +205,15 @@ class AcmeHandler(object):
                OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem
            ),
        ).decode()
-        pem_certificate_chain = orderr.fullchain_pem[
-            len(pem_certificate) :  # noqa
-        ].lstrip()
+
+        if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \
+                and datetime.datetime.now() < datetime.datetime.strptime(
+                    current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'):
+            pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")
+        else:
+            pem_certificate_chain = orderr.fullchain_pem[
+                len(pem_certificate) :  # noqa
+            ].lstrip()

        current_app.logger.debug(
            "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain))