certgrinder: remove --alternate-chain option and make it the default …

…after LetsEncrypt switched on June 6th to using the shorter chain as default

client/certgrinder/certgrinder.py

@@ -56,7 +56,6 @@ class Certgrinder:
     def __init__(self) -> None:
         """Define the default config."""
         self.conf: typing.Dict[str, typing.Union[str, int, bool, typing.List[str]]] = {
-            "alternate-chain": False,
             "caa-validation-methods": "dns-01,http-01",
             "certgrinderd": "certgrinderd",
             "cert-renew-threshold-days": 30,
@@ -190,28 +189,14 @@ def configure(
                 "acme-server-url"
             ] = "https://acme-staging-v02.api.letsencrypt.org/directory"
             self.conf["invalid-ca-cn-list"] = []
-            # set preferred-chain based on the value of alternate-chain
-            if self.conf["alternate-chain"]:
-                # one intermediate
-                self.conf["preferred-chain"] = "Fake_LE_Root_X2"
-            else:
-                # two intermediates
-                self.conf["preferred-chain"] = "Fake_LE_Root_X1"
+            # one intermediate
+            self.conf["preferred-chain"] = "Fake_LE_Root_X2"
         else:
-            # set preferred-chain based on the value of alternate-chain
-            if self.conf["alternate-chain"]:
-                # the alternate chain has one intermediate
-                self.conf["preferred-chain"] = "ISRG_Root_X1"
-            else:
-                # the default chain has two intermediates
-                self.conf["preferred-chain"] = "DST_Root_CA_X3"
+            # the current LE chain has one intermediate
+            self.conf["preferred-chain"] = "ISRG_Root_X1"
 
-        if self.conf["preferred-chain"] in ["DST_Root_CA_X3", "Fake_LE_Root_X1"]:
-            # two intermediates
-            self.conf["expected-chain-length"] = 3
-        else:
-            # one intermediate
-            self.conf["expected-chain-length"] = 2
+        # one intermediate
+        self.conf["expected-chain-length"] = 2
 
         logger.debug(
             f"Certgrinder {__version__} configured OK - running with config: {self.conf}"
@@ -2064,14 +2049,6 @@ def get_parser() -> argparse.ArgumentParser:
     )
 
     # optional arguments
-    parser.add_argument(
-        "-a",
-        "--alternate-chain",
-        dest="alternate-chain",
-        action="store_true",
-        help="Use alternate chain. For production this means using the short chain with 1 intermediate signed by 'ISRG Root X1' instead of using the long chain with 2 intermediates signed by 'DST Root CA X3'. For staging it means using 'Fake LE Root X2' (1 intermediate) instead of the usual 'Fake LE Root X1' (2 intermediates).",
-        default=argparse.SUPPRESS,
-    )
     parser.add_argument(
         "--certgrinderd",
         dest="certgrinderd",

client/certgrinder/tests/test_certgrinder.py

@@ -132,10 +132,6 @@ def test_get_certificate(
         "--debug",
     ]
 
-    if pebble_server_run == "1":
-        # we are only expecting one intermediate, use alternate chain
-        mockargs.append("--alternate-chain")
-
     if certgrinderd_configfile[0] == "dns":
         # include a couple of post renew hook for one of the cert operations
         mockargs += ["--post-renew-hooks", "true", "--post-renew-hooks", "false"]
@@ -743,7 +739,6 @@ def test_parse_certificate_chain_not_pem(
             "path": str(tmpdir_factory.mktemp("certificates")),
             "domain-list": ["example.com,www.example.com"],
             "certgrinderd": "true",
-            "alternate-chain": True,
         }
     )
     csr = x509.load_pem_x509_csr(known_csr.encode("ascii"), default_backend())
@@ -794,7 +789,6 @@ def test_get_certificate_method(caplog, tmpdir_factory, known_csr, signed_certif
             "domain-list": ["example.com,www.example.com"],
             "certgrinderd": "true",
             "log-level": "DEBUG",
-            "alternate-chain": True,
         }
     )
     certgrinder.load_domainset(
@@ -1589,22 +1583,6 @@ def test_post_renew_hooks_dir_without_runner(tmpdir_factory, caplog):
     assert "Got exit code 1 when running post_renew_hook" in caplog.text
 
 
-def test_configure_staging_alternate_chain(tmpdir_factory):
-    """Test the configure() method with --staging and --alternate-chain."""
-    certgrinder = Certgrinder()
-    certgrinder.configure(
-        userconfig={
-            "path": str(tmpdir_factory.mktemp("certificates")),
-            "domain-list": ["example.com"],
-            "certgrinderd": "true",
-            "log-level": "DEBUG",
-            "staging": True,
-            "alternate-chain": True,
-        }
-    )
-    assert certgrinder.conf["preferred-chain"] == "Fake_LE_Root_X2"
-
-
 def test_load_certificates_broken_input(tmpdir_factory):
     """Test the load_certificates() method with some broken input."""
     certgrinder = Certgrinder()
@@ -1615,7 +1593,6 @@ def test_load_certificates_broken_input(tmpdir_factory):
             "certgrinderd": "true",
             "log-level": "DEBUG",
             "staging": True,
-            "alternate-chain": True,
         }
     )
     certgrinder.load_domainset(

conftest.py

@@ -65,8 +65,9 @@ def pebble_server_build(tmp_path_factory):
     return pebblepath
 
 
-# run pebble server with 1 and 2 intermediates
-@pytest.fixture(scope="session", params=["1", "2"])
+# run pebble server with 1 intermediate only
+# (this fixture used to run with 1 or 2 intermediates when LE had cross signing with longer chain)
+@pytest.fixture(scope="session", params=["1"])
 def pebble_server_run(request, pebble_server_build):
     """Run pebble server with primary or alternate chain as needed."""
     pebbleconfig = pebble_server_build / "test/config/pebble-config.json"

docs/certgrinder-changelog.rst

@@ -9,6 +9,15 @@ All notable changes to ``certgrinder`` will be documented in this file.
 
 This project adheres to `Semantic Versioning <http://semver.org/>`__.
 
+Unreleased
+----------
+
+Changed
+~~~~~~~
+- Update dependencies
+- Remove the ``--alternate-chain`` option (which made Certgrinder expect only one intermediate), since LetsEncrypt now uses the shorter chain as default (since June 6th 2024).
+
+
 v0.19.1 (11-mar-2024)
 ---------------------