Letsencrypt webroot verification follows http to https redirect for self-signed cert?

This looks like it’s caused by the client rather than the CA server. Let’s Encrypt will happily accept self-signed, expired or otherwise invalid certificates for HTTPS redirects when using http-01 as long as they’re not weird enough to cause Go’s X509 library to choke (and the cipher suite is compatible).

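Added example, not part of the original post and not Let's Encrypt's own code: a local Go reproduction of the behaviour described in the reply above, where a plain-HTTP challenge request is redirected to an HTTPS server whose certificate is not trusted. The token, key authorization and function names are constructed, and `InsecureSkipVerify` is an assumption used here to model a validator that ignores certificate errors on the redirect target.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed sample values, not real ACME data.
const challengePath = "/.well-known/acme-challenge/sample-token"
const keyAuth = "sample-token.sample-thumbprint"

// fetchChallenge requests the challenge over plain HTTP and follows redirects.
// skipVerify=true models a validator that ignores certificate errors (assumption).
func fetchChallenge(baseURL string, skipVerify bool) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}}
	resp, err := (&http.Client{Transport: tr}).Get(baseURL + challengePath)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runDemo starts an HTTPS server with an untrusted test certificate and an
// HTTP server that redirects to it, then fetches the challenge both ways.
func runDemo() (lenient string, lenientErr, strictErr error) {
	tlsSrv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, keyAuth)
	}))
	defer tlsSrv.Close()
	httpSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, tlsSrv.URL+r.URL.Path, http.StatusMovedPermanently)
	}))
	defer httpSrv.Close()
	lenient, lenientErr = fetchChallenge(httpSrv.URL, true)
	_, strictErr = fetchChallenge(httpSrv.URL, false)
	return
}

func main() {
	body, lenientErr, strictErr := runDemo()
	fmt.Printf("lenient: %q err=%v\nstrict err=%v\n", body, lenientErr, strictErr)
}
```

The lenient fetch returns the key authorization through the redirect, while the strict fetch fails on certificate verification, which is the difference between the validation request and an ordinary HTTPS client.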