I am looking for a way to obtain a certificate chain through Let's Encrypt that does not append a cross-signed ISRG Root X1 certificate at the end. Right now, when requesting a certificate for a domain using the latest acme.sh client, I receive a certificate chain which includes an ISRG Root X1 that is cross-signed by the DST Root CA X3, for Android compatibility I presume.
Sources on the web, like the OpenSSL compatibility blog entry here: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog (Workaround #3), suggest that one "Configure the server to use the alternative certificate chain which can be requested from Let’s Encrypt with most up-to-date ACME protocol clients." which, I guess, translates to the "preferred chain" option that was implemented in most clients a while back.
My problem is that using either --preferred-chain "ISRG Root X1" or --preferred-chain "DST Root CA X3" produces a certificate chain for me that contains the cross-signed X1 CA cert.
I could manually edit the resulting cert chain and remove or replace the offending X1 CA cert with a non-cross-signed one (e.g. taken from the Let's Encrypt website) but I'd prefer to request a proper one in the first place.
Is there any "preferred chain" value that will tell the Let's Encrypt servers to produce a chain that contains a non-cross-signed ISRG Root X1? Or am I facing a potential client specific issue?
For reference, there's also a pending issue against acme.sh describing my particular problem:
I am not interested in extended Android compatibility but I need to support (unmodified) OpenSSL 1.0.2 clients as well as older wolfSSL clients that exhibit similar logic problems as OpenSSL 1.0.2 (rejecting the entire cert because one of the alternative chains is expired).
What certbot version are you using? Using --preferred-chain "ISRG Root X1" will get you the leaf < R3 < ISRG Root X1 chain you are looking for, for certbot versions 1.12.0 and newer.
Thank you, it works for me too, now. My mistake was trying to switch the preferred chain during a certificate update; I had to re-issue the certificate completely instead of updating it (in acme.sh terms) for the setting to become effective.
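Because the difference between the two chains only shows up in which issuer the last certificate names, it helps to inspect the bundle the client actually wrote before changing any server configuration. The following is an added example, not code from this thread, from acme.sh or from certbot: a stdlib-only Python script that splits a PEM bundle, walks the DER structure of each certificate far enough to read the subject and issuer commonName, and reports which certificate the peer's trust store must supply to complete the chain. The `fake_cert_pem` helper builds constructed, unsigned stand-in certificates so the script runs offline; the chain names (`R3`, `ISRG Root X1`, `DST Root CA X3`) are the ones discussed above, and `example.test` is a placeholder leaf name.

```python
import base64
import re

CN_OID = bytes.fromhex("550403")  # 2.5.4.3 commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length). Used only for the fixtures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Yield (tag, value) for every TLV nested directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def name_cn(name_value: bytes) -> str:
    """Extract commonName from an X.501 Name: SEQUENCE OF SET OF (OID, value)."""
    for _, rdn_set in children(name_value):
        for _, atv in children(rdn_set):
            parts = list(children(atv))
            if parts[0][1] == CN_OID:
                return parts[1][1].decode("utf-8")  # PrintableString/UTF8String both decode
    return "<no CN>"


def cert_subject_issuer(der_cert: bytes):
    """Return (subject CN, issuer CN) of one DER certificate."""
    _, cert, _ = read_tlv(der_cert, 0)   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:             # optional explicit [0] version comes first
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_cn(fields[4][1]), name_cn(fields[2][1])


def describe_chain(pem_text: str):
    """List (subject CN, issuer CN) for each certificate in a PEM bundle, in file order."""
    return [cert_subject_issuer(base64.b64decode("".join(b64.split())))
            for b64 in PEM_RE.findall(pem_text)]


def expected_anchor(pem_text: str) -> str:
    """CN the peer's trust store must hold: the issuer of the last certificate in the bundle."""
    return describe_chain(pem_text)[-1][1]


# ---- constructed fixtures: structurally valid but unsigned stand-in certificates ----
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption


def x501_name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))


def fake_cert_pem(subject: str, issuer: str) -> str:
    validity = der(0x30, der(0x17, b"210101000000Z") + der(0x17, b"260101000000Z"))
    spki = der(0x30, SHA256_RSA + der(0x03, b"\x00"))  # placeholder key, never verified
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SHA256_RSA
              + x501_name(issuer) + validity + x501_name(subject) + spki)
    body = base64.b64encode(der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00"))).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Default chain (cross-signed ISRG Root X1 appended) versus the "ISRG Root X1" preferred chain.
LONG_CHAIN = (fake_cert_pem("example.test", "R3")
              + fake_cert_pem("R3", "ISRG Root X1")
              + fake_cert_pem("ISRG Root X1", "DST Root CA X3"))
SHORT_CHAIN = fake_cert_pem("example.test", "R3") + fake_cert_pem("R3", "ISRG Root X1")

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else LONG_CHAIN
    for subject, issuer in describe_chain(pem):
        print(f"subject={subject!r:20} issuer={issuer!r}")
    print("trust store must supply:", expected_anchor(pem))
```

Run it against the real `fullchain.pem` that acme.sh or certbot wrote: if the last line names `DST Root CA X3`, the bundle still carries the cross-signed root that OpenSSL 1.0.2 trips over; after re-issuing with the preferred chain it should name `ISRG Root X1`. The same subject/issuer listing is available from `openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout` where OpenSSL is at hand.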