ISRG Root X1 in chain.pem?


#1

I’m using certbot to renew our certificate. Currently the chain.pem is delivered with DST Root CA X3 in the chain.pem.
Is there any way to instruct certbot to put ISRG Root X1 in the chain instead?
Will ISRG Root X1 become the default in chain.pem at some point in time?


#2

Hi,

I don’t see any way to do that currently. (I may be wrong.)
I believe the chain.pem will ship with ISRG once ISRG becomes the signing root…

Thank you


#3

Technically, they are both the “signing root” :slightly_smiling_face:


#4

That’s not entirely correct. chain.pem contains the intermediate certificate, which is signed by the root certificate. Currently, the X3 intermediate signed by the DST Root CA X3 certificate is indeed used.

As far as I know, @stevenzhu is correct. The ACME protocol used by Let’s Encrypt (and therefore used by certbot) instructs (and provides) the client with the intermediate certificate to use for the issued certificate. It doesn’t have a feature to select your own. However, certbot has some options which can run scripts, so you might be able to “build” your own fullchain.pem with the X3 intermediate signed by ISRG Root X1. For more info, see the Renewal section of the certbot manual for the hook options and the Chain of Trust page on the Let’s Encrypt site for the intermediate signed by the ISRG Root.


#5

Hi @vedstesen

the curious thing: same website, Firefox shows the ISRG Root, Chrome shows the DST Root.

But the server sends only the intermediate signed with the DST Root.
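Two things from #4 and #5 are worth checking on a server rather than guessing from a browser: which root the chain.pem you serve actually points at (the issuer of the last certificate in the file, which is what a client will look for in its trust store), and, if you assemble your own fullchain.pem in a hook, that the swapped-in intermediate really did issue your leaf. The script below is an added example written for this thread; it is not certbot code and not from Let’s Encrypt. It parses the PEM/DER just far enough (stdlib only) to read the subject and issuer common names, and it builds its own sample certificates inline (constructed structures with no keys or signatures, so they cannot be used for anything but this demonstration). The host name `www.example.test` and the helper names are assumptions.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 id-at-commonName


def der(tag, body):
    """Encode one DER TLV (used only to construct the sample certificates below)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode one DER TLV starting at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """All TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def common_name(name_body):
    # Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None


def subject_and_issuer(cert_der):
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return common_name(fields[4][1]), common_name(fields[2][1])


def chain_report(pem_text):
    """[(subject CN, issuer CN), ...] in the order the certificates appear in the file."""
    return [subject_and_issuer(base64.b64decode("".join(b.split())))
            for b in PEM_RE.findall(pem_text)]


def expected_root(pem_text):
    """Issuer CN of the last certificate: the root the client must already trust."""
    return chain_report(pem_text)[-1][1]


def build_fullchain(cert_pem, intermediate_pem):
    """Concatenate leaf + intermediate only if that intermediate actually issued the leaf."""
    leaf_subject, leaf_issuer = chain_report(cert_pem)[0]
    inter_subject, _ = chain_report(intermediate_pem)[0]
    if leaf_issuer != inter_subject:
        raise ValueError(f"intermediate {inter_subject!r} did not issue {leaf_subject!r}")
    return cert_pem.rstrip("\n") + "\n" + intermediate_pem.rstrip("\n") + "\n"


# --- constructed sample data: certificate-shaped DER with empty algorithm/validity/signature ---
def sample_pem(subject_cn, issuer_cn):
    def name(cn):
        atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))
        return der(0x30, der(0x31, atv))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"


LEAF = sample_pem("www.example.test", "Let's Encrypt Authority X3")       # assumed host name
X3_VIA_DST = sample_pem("Let's Encrypt Authority X3", "DST Root CA X3")    # what chain.pem ships today
X3_VIA_ISRG = sample_pem("Let's Encrypt Authority X3", "ISRG Root X1")     # the alternate intermediate

if __name__ == "__main__":
    print(expected_root(LEAF + X3_VIA_DST))                    # DST Root CA X3
    print(expected_root(build_fullchain(LEAF, X3_VIA_ISRG)))   # ISRG Root X1
```

Run `chain_report(open("/etc/letsencrypt/live/<name>/chain.pem").read())` on a real file and the last tuple tells you which root the served chain leads to, independent of what any one browser decides to display after building its own path. `build_fullchain` is the check a deploy hook should do before writing a hand-assembled fullchain.pem: it refuses an intermediate whose subject does not match the leaf’s issuer, which is the mistake that silently produces a chain no client can validate.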


#6

@JuergenAuer, this might be explained somehow in

https://www.rfc-editor.org/rfc/rfc4158.txt