ACME self signed ISRG Root X1 certificate

The ACME interface is returning a certificate chain using the ISRG Root X1 cross signed by the DST Root CA X3 certificate.

Is there a way to get the self-signed ISRG Root X1 certificate chain, without the expired DST Root CA X3 certificate in the chain?

I am using the terraform ACME client (provider).

I'm afraid you're mistaken. The Production ACME endpoint is currently serving the short, modern, "alternate" chain that ends with ISRG Root X1.

You can double check here: https://decoder.link/sslchecker/acme-v02.api.letsencrypt.org/443

2 Likes

I'm not sure if they're talking about the endpoint itself, but rather about the certificates returned by the endpoint.

If you want to use the shorter chain, you need to request what Let's Encrypt calls the "alternate chain". Some ACME clients have an option, usually called "preferred-chain", that allows you to specify which chain you want. I'm not familiar with terraform, so no idea.

1 Like

I think in this case the chain being talked about is the default chain one gets when requesting a certificate, rather than the chain used to talk to the API itself to do so. It's kind of confusing, and probably needs some better standardized terminology.

In terms of the question, I'm not really familiar with terraform much either. Is there some documentation about the ACME client that it's using? Hopefully it has this "preferred chain" or "alternate chain" option for you.

2 Likes

Is this the terraform provider you're using?

https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/certificate#preferred_chain

It does appear to support a preferred_chain option you can use and even mentions how to select the Let's Encrypt alternate chain in both Prod and Staging environments.

2 Likes
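For readers following the same route, here is an added example Terraform configuration (written for this page, not taken from the thread or from the provider's own documentation) that requests the alternate chain with the vancluever/acme provider's `preferred_chain` setting. The provider docs linked above describe `preferred_chain` as the Common Name of the root of the chain you want; for Let's Encrypt production that root is "ISRG Root X1". The domain name, e-mail address, DNS challenge provider and version constraint are placeholders chosen for the example.

```hcl
terraform {
  required_providers {
    acme = {
      source  = "vancluever/acme"
      version = "~> 2.0" # placeholder constraint, pick the version you have tested
    }
  }
}

provider "acme" {
  # Production directory; the staging directory uses its own root names.
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

# Account key for the ACME registration.
resource "tls_private_key" "account" {
  algorithm = "RSA"
}

resource "acme_registration" "account" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = "ops@example.com" # placeholder
}

resource "acme_certificate" "site" {
  account_key_pem = acme_registration.account.account_key_pem
  common_name     = "www.example.com" # placeholder

  # Ask the CA for the chain whose root Common Name is "ISRG Root X1".
  # Without this line the default chain is returned, which (at the time of
  # the thread) ends with the ISRG Root X1 cross-signed by DST Root CA X3.
  preferred_chain = "ISRG Root X1"

  dns_challenge {
    provider = "route53" # placeholder: use the DNS provider you actually run
  }
}

# The issuing chain as delivered by the CA; inspect this to confirm the
# selected chain no longer contains the expired DST Root CA X3 certificate.
output "issuer_chain_pem" {
  value     = acme_certificate.site.issuer_pem
  sensitive = false
}
```

After `terraform apply`, the `issuer_chain_pem` output holds the intermediate(s) returned with the certificate; checking the last certificate in it with `openssl x509 -noout -subject -issuer` shows whether the chain terminates at the self-signed ISRG Root X1 or still references DST Root CA X3 as issuer. If the CA does not offer a chain matching `preferred_chain`, the provider falls back to the default chain, so this check is worth keeping in a post-deploy verification step.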

Thanks very much - this is just what I'm after. I should have read the provider documents more closely.

2 Likes
