Feature #11814

Have DAVE also trust Let's Encrypt CA

Added by intrigeri 2016-09-20 03:02:01 . Updated 2017-12-16 07:37:06 .

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:

Affected tool:
Deliverable for:


We’re told that https://tails.b.o will likely switch to Let’s Encrypt certificates around the end of the year, so DAVE needs to trust Let’s Encrypt CA somehow. Ideally, it would trust Let’s Encrypt current intermediate CA, instead of the DST root CA (see Feature #11810 for details). But if this does not work, then DAVE needs to trust both the root CA currently used by Let’s Encrypt (i.e. the DST one) and Let’s Encrypt own root CA that will be used in the future.

Note the also in the ticket title: DAVE needs to keep trusting the currently used CA until the tails.b.o webserver switches to the new one. What needs to be done is to make it also trust the CA that will be used in the future. I had a quick look at conf.json and at first glance, it looks like such CA transition processes are not supported, which seems surprising to me given it’s a pretty common use case. I hope I’m wrong, and even if I got it right, I hope that it’s easy to add support for this use case :)

To ease development and testing, I’ve setup a descriptor on a web server that already uses Let’s Encrypt: https://labs.riseup.net/test/tails.boum.org/install/v1/Tails/i386/stable/latest.yml. So one should be able to test pinning changes against something that looks very much like our future production setup.



#1 Updated by intrigeri 2016-09-20 03:08:30

  • Subject changed from Have DAVE trust Let's Encrypt CA to Have DAVE also trust Let's Encrypt CA
  • Description updated

#2 Updated by intrigeri 2016-09-20 03:39:20

  • Assignee set to ma1

Hi Giorgio! Do you think you can take care of this in October?

#3 Updated by ma1 2016-09-20 05:27:31

intrigeri wrote:
> Hi Giorgio! Do you think you can take care of this in October?

Sure, I’ll do it.

#4 Updated by intrigeri 2016-09-20 05:52:15

> Sure, I’ll do it.

Thanks a lot!

#5 Updated by ma1 2016-11-04 16:51:06

  • Assignee changed from ma1 to intrigeri
  • QA Check set to Ready for QA

Done in https://git-tails.immerda.ch/ma1/download-and-verify-extension/commit/?id=512e12c26d7700cd9f1993cb455eae112bc949d9

I’m about to release 2.8 on AMO with this feature.

#6 Updated by intrigeri 2016-11-05 14:00:48

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

#7 Updated by intrigeri 2016-11-09 09:47:39

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Looks good to me, thanks!

#8 Updated by intrigeri 2016-11-09 09:47:51

  • Assignee deleted (intrigeri)

#9 Updated by intrigeri 2017-12-16 07:37:06

  • Affected tool deleted (Download and Verification Extension)