Fix missing issuer certificates from Let's Encrypt (#587)

2018-06-30 17:35:39 -07:00 · 2018-06-30 17:35:39 -07:00 · e0d512138c
commit e0d512138c
parent 3a1c6202f6
1 changed files with 11 additions and 2 deletions
--- a/acme/client.go
+++ b/acme/client.go
@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/ioutil"
@ -762,8 +763,9 @@ func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResou
 			return false, err
 		}

-		// The issuer certificate link is always supplied via an "up" link
-		// in the response headers of a new certificate.
+		// The issuer certificate link may be supplied via an "up" link
+		// in the response headers of a new certificate.  See
+		// https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4.2
 		links := parseLinks(resp.Header["Link"])
 		if link, ok := links["up"]; ok {
 			issuerCert, err := c.getIssuerCertificate(link)
@ -782,6 +784,13 @@ func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResou

 				certRes.IssuerCertificate = issuerCert
 			}
+		} else {
+			// Get issuerCert from bundled response from Let's Encrypt
+			// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
+			_, rest := pem.Decode(cert)
+			if rest != nil {
+				certRes.IssuerCertificate = rest
+			}
 		}

 		certRes.Certificate = cert