Fix missing issuer certificates from Let's Encrypt (#587)

go-acme · Jul 1, 2018 · e0d5121 · e0d5121
1 parent 3a1c620
commit e0d5121
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/acme/client.go b/acme/client.go
@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -762,8 +763,9 @@ func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResou
 			return false, err
 		}
 
-		// The issuer certificate link is always supplied via an "up" link
-		// in the response headers of a new certificate.
+		// The issuer certificate link may be supplied via an "up" link
+		// in the response headers of a new certificate.  See
+		// https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4.2
 		links := parseLinks(resp.Header["Link"])
 		if link, ok := links["up"]; ok {
 			issuerCert, err := c.getIssuerCertificate(link)
@@ -782,6 +784,13 @@ func (c *Client) checkCertResponse(order orderMessage, certRes *CertificateResou
 
 				certRes.IssuerCertificate = issuerCert
 			}
+		} else {
+			// Get issuerCert from bundled response from Let's Encrypt
+			// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
+			_, rest := pem.Decode(cert)
+			if rest != nil {
+				certRes.IssuerCertificate = rest
+			}
 		}
 
 		certRes.Certificate = cert