[feature request] Allow users to choose shorter or alternate chain while issuing certificates

Use case: This is a peculiar use case. I want to run dns-over-tls servers on fly.io and let fly handle tls termination at edge and the app handle dns resolution.

It works on every client except Android while using the private dns feature.

  1. DNS over TLS on Android breaks with the default trust chain.
  2. DNS over TLS on Android only works with the trust chain that consists of only valid certificates.

Because fly-issued letsencrypt certificates' default chain consists of -

  • End-entity certificate (aka leaf certificate), signed by R3
  • R3, signed by ISRG Root X1
  • ISRG Root X1, signed by DST Root CA X3

When you include “ISRG Root X1, signed by DST Root CA X3” in default chain, dns over TLS on Android fails to verify it.

You can circumvent this problem by using an alternative chain by passing --preferred-chain "ISRG Root X1" to certbot or acme clients, and the chain issued will be like -

  • End-entity certificate, signed by R3
  • R3, signed by ISRG Root X1

More on this topic -

1 Like

Oh, cool idea! We’re always interested in hearing more about what people are trying to build on our platform. Do you have this app running on our platform right now?

In any case, thank you for bringing this up, and for taking the time to write up a thorough report of the problem! I’ll be sure to surface this to the rest of our team :slightly_smiling_face:

I’ll have this running in a couple of hours and ping you here.

@eli, it is up and running now. App name is morning-bird-5848. The easiest way to check is through Do a Query or any other client you prefer :sweat_smile:

Neat, thank you for sending that over! I’ve made sure to share the specifics with the rest of the team as well :slightly_smiling_face:

(As an aside: thanks also for the link to the getdns api, which likewise looks super useful)

You might have already seen this, but after digging into this issue a bit, I can see that this fix to Android did get released after all, in version 11. I hope that this is at least slightly better news!

On the topic of additional features for fly certs, there’s been some interest from the community in BYO certs that you might find interesting, since being able to import your own certificate might be a tolerable workaround :sweat_smile:

1 Like

@eli, any update on this?

We run DoT on Fly and to make it work with Android 10 and lower, we resort to importing ZeroSSL certs and terminating TLS ourselves.

Yup, for both DoT & DoH I do my own termination with letsencrypt certificates :sweat_smile:

1 Like