Ca.crt and staging env

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

v8odev.io

General question, when we use Let's Encrypt staging with Cert-Manager, we now see the full Let's Encrypt staging CA bundles in the leaf-certificate's ca.crt field. It seems that up until recently, when using the staging env with CM that field was empty.

It's not a problem per se, but was just curious if this was expected behavior that perhaps through some misconfiguration on our part we didn't notice until recently, or if it was a recent behavior change on the LE side.

We've been at CM 1.9.1 for a while now, so that hasn't changed in our setups.

Thanks!

1 Like

The only thing that comes to my mind is something about selecting the chain has changed in Cert-Manager. In Let's Encrypt production there is a default and alternate chain. Some ACME Clients allow choosing one or the other using the chain name.

A client could do this on staging too but the chain name is different. So you can get odd results using the production chain selection names when using staging.

Let's Encrypt recently announced plans for these chains to change in 2024. Perhaps Cert-Manager made some changes in anticipation? Or your config changed?

3 Likes

I wonder if it's tied to this: Small change to end entity certificates: CPS URL and OID will not be included from June 15 - #5 by mcpherrinm

Perhaps removing the OID and URL from the certificate is having an effect on the display?

3 Likes

I think this was all my bad. ACME Issuers don't create a ca.crt field with the root signing CA as it's not part of the protocol.

Yeah. That's why I think it may be a display issue, possibly linked to the change above.

2 Likes
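A quick way to see what a chain actually holds, as an added example that is not part of this thread and not cert-manager's own code: it parses a PEM bundle such as the tls.crt or ca.crt key of a cert-manager Secret and flags a self-signed root, which an ACME server does not deliver. The root, intermediate and leaf are a constructed throwaway PKI generated inside the program; the CA names and `example.invalid` are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InspectBundle lists the subject CNs in a PEM bundle (e.g. the tls.crt or ca.crt key of a cert-manager
// Secret) and reports whether a self-signed root is present: issuer == subject and signed by its own key.
func InspectBundle(pemData []byte) (subjects []string, hasRoot bool, err error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, false, fmt.Errorf("PEM block %q: %w", block.Type, err)
		}
		subjects = append(subjects, c.Subject.CommonName)
		if c.Issuer.String() == c.Subject.String() && c.CheckSignatureFrom(c) == nil {
			hasRoot = true // an ACME order never returns this; it only sends the leaf plus intermediates
		}
	}
	return subjects, hasRoot, nil
}

// issue mints a short-lived P-256 cert for a constructed test PKI, signed by parent or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return tmpl, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	root, rootKey, rootPEM := issue("Constructed Staging Root", true, nil, nil)
	inter, interKey, interPEM := issue("Constructed Staging Intermediate", true, root, rootKey)
	_, _, leafPEM := issue("example.invalid", false, inter, interKey)
	acme := append(leafPEM, interPEM...) // what an ACME order returns: leaf + intermediate, no root
	fmt.Println(InspectBundle(acme))                     // [example.invalid Constructed Staging Intermediate] false <nil>
	fmt.Println(InspectBundle(append(acme, rootPEM...))) // [example.invalid Constructed Staging Intermediate Constructed Staging Root] true <nil>
}
```

Run the same function over the base64-decoded tls.crt and ca.crt values of a real Secret to see whether a root was ever present in either field.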
