#932590 Please provide Let's Encrypt CA (in known location)

#932590#5
Date:
2019-07-20 22:23:47 UTC
Hi.  I have what may seem a slightly strange request.

Can you please have ca-certificates provide the Let's Encrypt CA cert
- currently, the intermediate cert, and in due course their master
root cert, in a specific location in the package ?

I want this to help secure access to a Debian-provided service
(the ftpmaster data API service https://api.ftp-master.debian.org/)
when it is accessed by dgit on a Debian system.

intrigeri suggested (#932570) that a way to help do this would be to
pin dgit's uses of TLS to the LE CA.  To do this dgit needs to find a
copy of the LE CA cert.

It seems to us that the best way for this to be provided would
be as part of ca-certificates.

It's true that this involves treating LE rather specially.  But LE is
indeed special because it is the CA we use for Debian-provided
services.

What do you think ?

Thanks,
Ian.

#932590#12
Date:
2021-01-20 10:46:08 UTC
If dgit wants to pin a service to a certain CA, it seems to me dgit is
best placed to ship that pinned CA itself, rather than rely on
ca-certificates, whose purpose is essentially to provide trust anchors
for the web pki, not any particular service.  (You'd probably want to
check with the operators of the service that they're OK with pinning it
to a particular CA, or set of CAs, for however long it'll live in that
package.)

Cheers,
Julien
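As an added example, not code from dgit, ca-certificates, or either poster, here is what "pinning dgit's use of TLS to the LE CA" (Ian's proposal) and "ship that pinned CA itself" (Julien's reply) amount to at the certificate-verification layer. It builds two throwaway CAs offline with openssl(1): one standing in for Let's Encrypt, one standing in for any other CA the system store trusts. It then issues a leaf certificate for a constructed service name from each, and checks the leaf against a private bundle rather than the system store. Everything in it (the CA names, the `api.ftp-master.example` subject, the temp-dir layout, the `verify_pinned` helper) is an assumption made for the demonstration; the only dependency is an installed openssl binary.

```shell
#!/bin/sh
# Added example, not dgit's or ca-certificates' code: CA pinning at the
# verification layer, demonstrated offline with constructed, throwaway keys.
# Assumes openssl(1) is installed; every name below is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA the service is actually issued from (LE in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Pinned Test CA" \
  -keyout "$WORK/pinned-ca.key" -out "$WORK/pinned-ca.pem" 2>/dev/null

# An unrelated CA, standing in for "some other CA the system store trusts".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Other Test CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null

# Issue a leaf certificate for the constructed service name from a given CA.
issue_leaf() { # $1 = CA basename under $WORK, $2 = output leaf path
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=api.ftp-master.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$2" 2>/dev/null
}
issue_leaf pinned-ca "$WORK/leaf-from-pinned.pem"
issue_leaf other-ca  "$WORK/leaf-from-other.pem"

# The pinning check: accept only a chain that ends in the pinned bundle.
# -no-CAfile/-no-CApath are the point: without them, openssl verify ALSO
# consults the default system store, so a leaf from any other trusted CA
# would pass and the "pin" would be no pin at all.
verify_pinned() { # $1 = leaf cert, $2 = pinned CA bundle; prints pinned|rejected
  if openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo pinned
  else
    echo rejected
  fi
}

echo "leaf from pinned CA, pinned bundle: $(verify_pinned "$WORK/leaf-from-pinned.pem" "$WORK/pinned-ca.pem")"
echo "leaf from other CA,  pinned bundle: $(verify_pinned "$WORK/leaf-from-other.pem"  "$WORK/pinned-ca.pem")"
```

The bundle passed as `$2` is the thing the two messages disagree about: whether it comes from ca-certificates or is shipped by the client. Either way it must contain whatever certificate the operator commits to (the thread mentions the LE intermediate now and the root later), and, as Julien notes, a client carrying that file will keep rejecting the service if it ever moves to a different CA, which is exactly why the operator should agree to the pin for the package's lifetime.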