6575f7ea326e67d12b77872ff66f5ea15f8aefad acme: build up full chain certs when requested

The latest ACME spec (v3) changed the wording to:

    ... the server MUST send one or more link relation header
    fields [RFC5988] with relation "up", each indicating a single
    certificate resource for the issuer of this certificate. The server
    MAY also include the "up" links from these resources to enable the
    client to build a full certificate chain.

See https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-6.3.1.

Before this change, Client was fetching only the first "up" link, but never
checked to follow the chain further. To my knowledge, Let's Encrypt never
provided a chain longer than 1, this is just to make the Client future-proof.

Also fixes google/acme#26.

Change-Id: I35cf5f1997b21a0b2a2d0a732043a7e04b7f1c45
Reviewed-on: https://go-review.googlesource.com/26693
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2 files changed
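
The chain building described in the commit message, following each "up" link until a resource carries none, as an added Go example; it is not the code from this change. `upLink`, `buildChain`, the `fetch` hook, the `maxChainLen` cap (which keeps a server that links a resource to itself from making the client loop) and the `ca.example` resources are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const maxChainLen = 5 // assumed cap on issuer fetches; the page states none

// upLink returns the target of a `<url>;rel="up"` Link header value, or "".
func upLink(link string) string {
	parts := strings.Split(link, ";")
	for _, p := range parts[1:] {
		p = strings.TrimSpace(p)
		if strings.HasPrefix(p, "rel=") && strings.Trim(p[4:], `"`) == "up" {
			return strings.Trim(strings.TrimSpace(parts[0]), "<>")
		}
	}
	return ""
}

// buildChain follows "up" links; fetch (hypothetical) returns body and Link value.
func buildChain(fetch func(string) (string, string, error), leaf, link string) ([]string, error) {
	chain := []string{leaf}
	for next := upLink(link); next != ""; {
		if len(chain) > maxChainLen {
			return nil, fmt.Errorf("more than %d issuers, stopping at %q", maxChainLen, next)
		}
		body, l, err := fetch(next)
		if err != nil {
			return nil, err
		}
		chain = append(chain, body)
		next = upLink(l)
	}
	return chain, nil
}

// Constructed sample resources: URL -> {body, Link header value}.
var sample = map[string][2]string{
	"https://ca.example/int":  {"INT", `<https://ca.example/root>;rel="up"`},
	"https://ca.example/root": {"ROOT", ""},
	"https://ca.example/loop": {"LOOP", `<https://ca.example/loop>;rel="up"`},
}
func sampleFetch(url string) (string, string, error) {
	return sample[url][0], sample[url][1], nil
}

func main() {
	fmt.Println(buildChain(sampleFetch, "LEAF", `<https://ca.example/int>;rel="up"`))
}
```

The bodies are short strings standing in for certificate bytes; a real client would also bound the size of each response before appending it.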