Just a quick note for CentOS 7 users: I pushed a certbot update yesterday so that you can choose the shorter chain via --preferred-chain. Currently the update is in epel-testing so you need to tell yum to use that repo explicitly.
The update will be available in the regular stable repo in two weeks. You can help get it into stable by installing the update from epel-testing and leaving positive karma there.
More details on how to get the update via Fedora bodhi.
Of course I'm still planning to update certbot in EPEL 7 to a much newer version, but that is not as easy, as we have to transition to Python 3 as a precondition. If you would like to know more about the challenge, please read my recent post in RHEL/CentOS 7 OpenSSL client compatibility after new chain.
Btw: I'd love to get some regular testers for certbot updates in Fedora/CentOS. Of course we are running certbot's test suite before every release but there are no functional tests. Most certbot updates are pushed to stable without anyone executing certbot even once. So far stuff "just worked" but at some point we might push a broken update just because nobody spent time to test the updates. Even just running certbot on your servers for a few days and checking that regular renewals work would be helpful.
If you have any ideas how I could facilitate a tester community please let me know. For example I could send a post to this forum once we have a new update ready.