Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
General question, when we use Let's Encrypt staging with Cert-Manager, we now see the full Let's Encrypt staging CA bundles in the leaf-certificate's ca.crt field. It seems that up until recently, when using the staging env with CM that field was empty.
It's not a problem per-se, but was just curious if this was expected behavior that perhaps through some misconfiguration on our part we didn't notice until recently, or if it was a recent behavior change on the LE side.
We've been at CM 1.9.1 for a while now, so that hasn't change in our setups.
The only thing that comes to my mind is something about selecting the chain has changed in Cert-Manager. In Let's Encrypt production there is a default and alternate chain. Some ACME Clients allow choosing one or the other using the chain name.
A client could do this on staging too but the chain name is different. So you can get odd results using the production chain selection names when using staging.
Let's Encrypt recently announced plans for these chains to change in 2024. Perhaps Cert-Manager made some changes in anticipation? Or your config changed?