Now that the R3 intermediate is in place, is the preferred-chain option live to allow clients to request the old DST chain?
I tried requesting a cert with the 'DST Root CA X3' chain using the certbot 1.10.1 client and it seems like the cert is still being issued by the new R3 intermediate.
I double-checked the debug log and the correct '--preferred-chain' argument is being parsed, but when I look at the cert issued it still shows:
$ openssl x509 -in cert2.pem -text -noout | grep -i iss
Issuer: C=US, O=Let's Encrypt, CN=R3
CA Issuers - URI:http://r3.i.lencr.org/
$ more /var/log/letsencrypt/letsencrypt.log
2020-12-21 14:13:53,705:DEBUG:certbot._internal.main:Arguments: ['--manual', '--preferred-challenges', 'dns', '--force-renewal', '--preferred-chain', 'DST Root CA X3', '--manual-auth-hook'
$ ./certbot --version
certbot 1.10.1
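
Added example, not part of the original post: certbot documents `--preferred-chain` as matching the issuer of the topmost certificate in the chain, and a leaf's Issuer line names the intermediate on every chain, so this sketch reads the chain file rather than the leaf. The function names and the "Constructed" certificates are made up for illustration, and it assumes `openssl` is on the PATH.

```shell
#!/usr/bin/env bash
# Added example: function names and certificate names are hypothetical.

# Print "subject-DN|issuer-DN" for each certificate in a PEM bundle, leaf first.
chain_issuers() {
    local bundle="$1" tmp f
    tmp="$(mktemp -d)" || return 1
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        openssl x509 -in "$f" -noout -subject -issuer -nameopt RFC2253 |
            sed -E 's/^(subject|issuer)= *//' | paste -sd'|' -
    done
    rm -rf "$tmp"
}

# Issuer DN of the last (topmost) certificate in the bundle.
top_issuer() { chain_issuers "$1" | tail -n 1 | cut -d'|' -f2; }

# Succeeds when the topmost certificate was issued by a CA with common name $2.
chain_ends_at() {
    case ",$(top_issuer "$1")," in *",CN=$2,"*) return 0 ;; esac
    return 1
}

# Build a throwaway root -> intermediate -> leaf chain (constructed sample data)
# and write leaf + intermediate to DIR/fullchain.pem.
make_constructed_chain() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed R3" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Usage: pass a chain file path to list its subject/issuer pairs.
if [ "${1:-}" ]; then chain_issuers "$1"; fi
```

Run against a real chain file, `chain_ends_at <file> "DST Root CA X3"` reports whether the served chain ends at that root, which the leaf's Issuer line cannot show.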