Hey,
Running Certbot from a HAProxy server. Version details as follows:
- Certbot version: 0.40.0
- OS: Ubuntu 20.04.4 LTS
- HAProxy: version 2.4.17-1ppa1~focal, released 2022/05/14
Only just recently realised that something very unexpected is happening. When we're generating a new cert, let's say for example for a brand new customer such as backoffice.viajesmax.com, it creates the usual files in /etc/letsencrypt/live/backoffice.viajesmax.com.
So that is to say,
README, cert.pem, chain.pem, fullchain.pem, privkey.pem
When inspecting the contents of fullchain.pem, this is what is included.
From top to bottom,
- Actual server certificate
- Valid Intermediate Cert
- Invalid Intermediate Cert
I will attach a screenshot of what number 3 (bottom cert of fullchain.pem) looks like. I don't understand why this would be happening.
Why would Certbot try to add this to the end of fullchain.pem? I can't seem to work it out. It looks like an old Intermediate Cert that still references the expired DST Root CA.
Is it something on our HAProxy server that is causing Certbot to do this maybe?