Fullchain.pem still including root "ISRG Root X1" signed by "DST Root CA X3"

I'm using certbot with dns-standalone authenticator using the command:

certbot certonly --config-dir . --preferred-challenges dns --authenticator certbot-dns-standalone:dns-standalone -d sitename

This works fine but I just checked the fullchain.pem and it seems the root certificate in the chain is the

        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

Any reason why this certificate that isn't the self signed CA one but still signed by DST Root CA X3 is still being used, as that is going to expire in a few months.

1 Like

Yes, here’s an explanation: Production Chain Changes


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.