Fix cert bundle order

acme/client.go

@@ -184,9 +184,9 @@ func (c *Client) RevokeCertificate(certificate []byte) error {
 		return err
 	}
 
-	x509Cert := certificates[len(certificates)-1]
+	x509Cert := certificates[0]
 	if x509Cert.IsCA {
-		return fmt.Errorf("Certificate bundle ends with a CA certificate")
+		return fmt.Errorf("Certificate bundle starts with a CA certificate")
 	}
 
 	encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
@@ -225,9 +225,9 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
 		return CertificateResource{}, err
 	}
 
-	x509Cert := certificates[len(certificates)-1]
+	x509Cert := certificates[0]
 	if x509Cert.IsCA {
-		return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle ends with a CA certificate", cert.Domain)
+		return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", cert.Domain)
 	}
 
 	// This is just meant to be informal for the user.
@@ -269,16 +269,15 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
 			if err != nil {
 				// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
 				logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err)
-				cert.Certificate = issuedCert
 			} else {
-				// Success - prepend the issuer cert to the issued cert.
+				// Success - append the issuer cert to the issued cert.
 				issuerCert = pemEncode(derCertificateBytes(issuerCert))
-				issuerCert = append(issuerCert, issuedCert...)
+				issuedCert = append(issuedCert, issuerCert...)
-				cert.Certificate = issuerCert
+				cert.Certificate = issuedCert
 			}
-		} else {
-			cert.Certificate = issuedCert
 		}
+
+		cert.Certificate = issuedCert
 		return cert, nil
 	}
 
@@ -482,16 +481,14 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
 					if err != nil {
 						// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
 						logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err)
-						cerRes.Certificate = issuedCert
 					} else {
-						// Success - prepend the issuer cert to the issued cert.
+						// Success - append the issuer cert to the issued cert.
 						issuerCert = pemEncode(derCertificateBytes(issuerCert))
-						issuerCert = append(issuerCert, issuedCert...)
+						issuedCert = append(issuedCert, issuerCert...)
-						cerRes.Certificate = issuerCert
 					}
-				} else {
-					cerRes.Certificate = issuedCert
 				}
+
+				cerRes.Certificate = issuedCert
 				logger().Printf("[%s] Server responded with a certificate.", authz.Domain)
 				result <- cerRes
 				return

acme/crypto.go

@@ -61,17 +61,15 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
 		}
 
 		// Insert it into the slice on position 0
-		// We want it ordered right CA -> CRT
+		// We want it ordered right SRV CRT -> CA
-		certificates = append(certificates, nil)
+		certificates = append(certificates, issuerCert)
-		copy(certificates[1:], certificates[0:])
-		certificates[0] = issuerCert
 	}
 
 	// We expect the certificate slice to be ordered downwards the chain.
-	// CA -> CRT. We need to pull the cert and issuer cert out of it, which should
+	// SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
-	// always be the last two certificates.
+	// which should always be the last two certificates.
-	issuedCert := certificates[len(certificates)-1]
+	issuedCert := certificates[0]
-	issuerCert := certificates[len(certificates)-2]
+	issuerCert := certificates[1]
 
 	// Finally kick off the OCSP request.
 	ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)