I've been trying to run the certbot command with the option --preferred-chain "ISRG Root X1" but this option still returns the same chain.pem as it does if I leave the command off, and the chain continues to contain the DST X3 cross signature version of the ISGR Root X1 certificate. There are no errors reported. If I use a deliberately bogus version of the option, certbot generates a warning:
Certbot has been configured to prefer certificate chains with issuer 'self-signed', but no chain from the CA matched this issuer. Using the default certificate chain instead.
If I don't include the option at all (including stripping it from the renewal configuration) it still gives the same chain.pem.
Is there some secret way to get the chain without the cross-signing or is this a bug?
@Phil I was testing from certbot-1.9.0-1.el7.noarch from EPEL on a CentOS 7 server. I just checked and I saw that's quite outdated so I installed certbot 1.19.0 via snap. Upon re-testing, it appears the issue is fixed somewhere between 1.9 and 1.19. It's interesting because the option appears to be supported in 1.9 even though it doesn't work. Thanks for making me check the version!
My icon is indeed from SimCity 2000, though with some filtering and upscaling.