Have DAVE also trust Let's Encrypt CA
We’re told that https://tails.b.o will likely switch to Let’s Encrypt certificates around the end of the year, so DAVE needs to trust Let’s Encrypt CA somehow. Ideally, it would trust Let’s Encrypt current intermediate CA, instead of the DST root CA (see #11810 (closed) for details). But if this does not work, then DAVE needs to trust both the root CA currently used by Let’s Encrypt (i.e. the DST one) and Let’s Encrypt own root CA that will be used in the future.
Note the also in the ticket title: DAVE needs to keep trusting the
currently used CA until the tails.b.o webserver switches to the new one.
What needs to be done is to make it also trust the CA that will be
used in the future. I had a quick look at
conf.json and at first
glance, it looks like such CA transition processes are not supported,
which seems surprising to me given it’s a pretty common use case. I hope
I’m wrong, and even if I got it right, I hope that it’s easy to add
support for this use case :)
To ease development and testing, I’ve setup a descriptor on a web server that already uses Let’s Encrypt: https://labs.riseup.net/test/tails.boum.org/install/v1/Tails/i386/stable/latest.yml. So one should be able to test pinning changes against something that looks very much like our future production setup.
Parent Task: #11809 (closed)