I have been using "ISRG Root X2" with acme.sh since the beginning and am just curious whether it is still needed after so many years. I switched to the tlsserver profile and am wondering if it still provides the shortest ECDSA chain if I omit the X2 flag on new servers. I just wanted to know if using only the "tlsserver" profile flag is good enough for the short ECDSA-only chain.
The default chain is still to X1 no matter which profile or key type you use, as documented at Chains of Trust - Let's Encrypt under each intermediate certificate.
Specifying X2 is typically required for the shortest generally trusted chain. YE/YR (at least until a few days ago) could be used as the root certificate for the chain; however, they're not generally trusted as root certificates at the moment, so the shortest chain might not be suitable.
The new chain Y is also the reason I asked this question. Chains change all the time, and I think there should be a flag just to request the short ECDSA-only chain irrespective of the chain in use. Like acme.sh --chain-ecdsa, and Let's Encrypt offers the ECDSA-only certificate. Let's Encrypt should do something about it.
Let's Encrypt doesn't directly choose which certificate chain to use. Instead, through the ACME protocol, a list of chains is presented to the client (with one preferred chain) and the client has to choose a chain to use.
Clients are free to select which chain to use, and Caddy currently supports something similar to what you're suggesting through the preferred_chains smallest option. (Global options (Caddyfile) — Caddy Documentation)
YE/YR are currently the reason I do not suggest using the shortest chain as the certificates are missing from almost all root trust stores.
This is why there has to be an option for selecting a dedicated chain. Let's Encrypt forced automation by issuing 90-day certificates, but there is no way to set a preferred chain; the current solution is to change the name in the preferred chain for every server. Once the post-quantum chain comes, you have to do it all over again.
There should be something similar to this for ECDSA or PQ. acme.sh --preferred-chain "ECDSA"
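The client-side chain selection discussed in this thread, as an added example that is not code from acme.sh, Caddy or Let's Encrypt: it compares choosing by root name, choosing the smallest chain, and choosing the smallest chain that ends at a trusted root. The chain layout, the intermediate name and all function names are constructed assumptions, and "smallest" is simplified here to the fewest certificates.

```python
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate

# Constructed sample data (not Let's Encrypt's actual offering): three
# alternate chains for one ECDSA leaf. The first entry is the server default.
LEAF = Cert("example.test", "Int-EC (constructed)", "ECDSA")
INT = Cert("Int-EC (constructed)", "YE", "ECDSA")
YE_BY_X2 = Cert("YE", "ISRG Root X2", "ECDSA")
X2_BY_X1 = Cert("ISRG Root X2", "ISRG Root X1", "RSA")
CHAINS = [
    [LEAF, INT, YE_BY_X2, X2_BY_X1],  # default: validates up to X1
    [LEAF, INT, YE_BY_X2],            # validates up to X2
    [LEAF, INT],                      # validates up to YE only
]

def top_issuer(chain: list) -> str:
    """Name of the root that a verifier must already trust for this chain."""
    return chain[-1].issuer

def by_root(chains: list, name: str) -> list:
    """Preferred-chain style: match the top issuer, else keep the default."""
    for chain in chains:
        if top_issuer(chain) == name:
            return chain
    return chains[0]

def smallest(chains: list) -> list:
    """Smallest chain with no trust check (simplified to certificate count)."""
    return min(chains, key=len)

def smallest_trusted(chains: list, trusted_roots: set,
                     sig_alg: Optional[str] = None) -> Optional[list]:
    """Shortest chain ending at a trusted root; optionally require one
    signature algorithm on every certificate (e.g. an ECDSA-only chain)."""
    usable = [
        c for c in chains
        if top_issuer(c) in trusted_roots
        and (sig_alg is None or all(cert.sig_alg == sig_alg for cert in c))
    ]
    return min(usable, key=len) if usable else None

if __name__ == "__main__":
    trusted = {"ISRG Root X1", "ISRG Root X2"}  # constructed trust store
    print("smallest:", top_issuer(smallest(CHAINS)))
    print("smallest trusted ECDSA:",
          top_issuer(smallest_trusted(CHAINS, trusted, "ECDSA")))
```

With this sample, the plain smallest policy picks the chain that ends at YE, while the trust-aware policy picks the X2 chain without the client configuration naming a specific root.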