Howto obtain a full certificate chain without a cross-signed ISRG Root X1


I am looking for a way to obtain a certificate chain through Let's Encrypt that does not append a cross-signed ISRG Root X1 certificate at the end. Right now, when requesting a certificate for a domain using the latest client, I receive a certificate chain which includes a ISRG Root X1 that is cross-signed by the DST Root CA X3, for Android compatibility I presume.

Sources on the web, like the OpenSSL compatibility blog entry here: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog (Workaround #3) suggest to "Configure the server to use the alternative certificate chain which can be requested from Let’s Encrypt with most up-to-date ACME protocol clients." which, I guess, translates to the "preferred chain" option that was implemented in most clients a while back.

My problem is that both using --preferred-chain "ISRG Root X1" or --preferred-chain "DST Root CA X3" will produce me a certificate chain that contains the cross-signed X1 CA cert.

I could manually edit the resulting cert chain and remove or replace the offending X1 CA cert with a non-cross-signed one (e.g. taken from the Let's Encrypt website) but I'd prefer to request a proper one in the first place.

Is there any "preferred chain" value that will tell the Let's Encrypt servers to produce a chain that contains a non-cross-signed ISRG Root X1? Or am I facing a potential client specific issue?

For reference, there's also a pending issue against describing my particular problem:

I am not interested in extended Android compatibility but I need to support (unmodified) OpenSSL 1.0.2 clients as well as older wolfSSL clients that exhibit similar logic problems as OpenSSL 1.0.2 (rejecting the entire cert because one of the alternative chains is expired).

1 Like

What certbot version are you using? Using --preferred-chain "ISRG Root X1" will get you the leaf < R3 < ISRG Root X1 chain you are looking for for certbot versions 1.12.0 and newer


Thank you, it works for me too, now. My mistake was trying to switch the preferred chain during a certificate update, I had to re-issue the certificate completely instead of updating it (in terms) for the setting to become effective.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.