From 9cb882a468843bf8ce9598de8769d5baaaaae3ea Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 13 Jun 2024 03:32:04 +0200
Subject: Fix post-issuance validation logic.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only).  Only the root certificates are used as trust
anchor.

Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:

    Rotating the set of intermediates we issue from helps keep the
    Internet agile and more secure.  It encourages automation and
    efficiency, and discourages outdated practices like key pinning.
    “Key Pinning” is a practice in which clients — either ACME clients
    getting certificates for their site, or apps connecting to their own
    backend servers — decide to trust only a single issuing intermediate
    certificate rather than delegating trust to the system trust store.
    Updating pinned keys is a manual process, which leads to an
    increased risk of errors and potential business continuity failures.
    — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
---
 Makefile | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'Makefile')

diff --git a/Makefile b/Makefile
index 10e55c5..cb2f4ed 100644
--- a/Makefile
+++ b/Makefile
@@ -16,17 +16,13 @@ $(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md
 # used for validation, see https://letsencrypt.org/certificates/
 $(BUILDDIR)/certs/ca-certificates.crt: \
         certs/isrgrootx1.pem \
-        certs/isrg-root-x2.pem \
-        certs/lets-encrypt-r[34].pem \
-        certs/lets-encrypt-e[12].pem
+        certs/isrg-root-x2.pem
 	mkdir -pv -- $(@D)
 	cat -- $^ >$@
 
 # Staging Environment for tests, see https://letsencrypt.org/docs/staging-environment/
 $(BUILDDIR)/certs-staging/ca-certificates.crt: \
-        certs-staging/letsencrypt-stg-root-x[12].pem \
-        certs-staging/letsencrypt-stg-int-r[34].pem \
-        certs-staging/letsencrypt-stg-int-e[12].pem
+        certs-staging/letsencrypt-stg-root-x[12].pem
 	mkdir -pv -- $(@D)
 	cat -- $^ >$@
 
-- 
cgit v1.2.3