Feature #11809: Deal with tails.b.o's X.509 certificate expiring early 2017
Have DAVE also trust Let's Encrypt CA
We're told that https://tails.b.o will likely switch to Let's Encrypt certificates around the end of the year, so DAVE needs to trust Let's Encrypt CA somehow. Ideally, it would trust Let's Encrypt current intermediate CA, instead of the DST root CA (see #11810 for details). But if this does not work, then DAVE needs to trust both the root CA currently used by Let's Encrypt (i.e. the DST one) and Let's Encrypt own root CA that will be used in the future.
Note the also in the ticket title: DAVE needs to keep trusting the currently used CA until the tails.b.o webserver switches to the new one. What needs to be done is to make it also trust the CA that will be used in the future. I had a quick look at
conf.json and at first glance, it looks like such CA transition processes are not supported, which seems surprising to me given it's a pretty common use case. I hope I'm wrong, and even if I got it right, I hope that it's easy to add support for this use case :)
To ease development and testing, I've setup a descriptor on a web server that already uses Let's Encrypt: https://labs.riseup.net/test/tails.boum.org/install/v1/Tails/i386/stable/latest.yml. So one should be able to test pinning changes against something that looks very much like our future production setup.
#5 Updated by ma1 about 3 years ago
- Assignee changed from ma1 to intrigeri
- QA Check set to Ready for QA
I'm about to release 2.8 on AMO with this feature.