Then I manually paste the DNS TXT challenge records to my provider's DNS zone tool, and I successfully get the certificates. However, the certificates get signed by the deprecated X3/R3 certificate.
When I activate the new certificates on my web server, I still get the issues.
I just tried to do the same from my local machine (macOS 11.*, certbot 1.19.0) -> same issue
I tested it with certbot 1.19.0; probably this is a bug, as the ISRG Root X1 should be used by default now.
The solution is to add --preferred-chain "ISRG Root X1" as a parameter. This will sign the certificate with the correct root certificate. I found this solution in another thread.
Older certbot versions do not support the --preferred-chain parameter, so I had to update certbot first.
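One way to confirm which chain a re-issued certificate actually carries, as an added example that is not part of the original posts: the functions below read a PEM bundle such as certbot's fullchain.pem and report who issued its last (topmost) certificate. The function names are hypothetical, the path in the usage comment is an assumption, and `openssl` and `awk` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the top of a PEM chain to see
# whether it ends at the CA that was requested with --preferred-chain.

# Print the issuer DN (RFC 2253 form, CN first) of the LAST certificate
# in the bundle given as $1.
chain_top_issuer() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }      # start a new block
        { buf = buf $0 "\n" }                           # collect its lines
        /-----END CERTIFICATE-----/   { last = buf }    # remember newest block
        END { printf "%s", last }
    ' "$1" | openssl x509 -noout -nameopt RFC2253 -issuer
}

# Print how many certificates the bundle holds (leaf plus intermediates).
chain_length() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when the topmost certificate in bundle $1 was issued by the CA
# whose common name is exactly $2; return non-zero otherwise, including
# when the bundle contains no parsable certificate.
# $2 is used inside a regular expression, so pass plain names only.
chain_ends_at() {
    chain_top_issuer "$1" 2>/dev/null | grep -Eq "CN=$2(,|\$)"
}

# Usage (path is an assumption, adjust to your own lineage directory):
#   f=/etc/letsencrypt/live/example.com/fullchain.pem
#   chain_length "$f"
#   chain_top_issuer "$f"
#   chain_ends_at "$f" "ISRG Root X1" && echo "chain ends at ISRG Root X1"
```

If `chain_ends_at` fails after re-issuing, print `chain_top_issuer` to see which CA the bundle really ends at before deploying it to the web server.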
@hdepp I was going to try your command but I do not understand the syntax for -d that you show. Why are there empty domains noted by the consecutive commas and what is the purpose of the oddly quoted string following the first -d?
Is that specific syntax necessary to produce the result you see?
@rg305 Yeah, likely. Still, the commas are odd, and why quotes are there at all with one set of -d and not the other is odd.
I do not think the command is resulting in the wrong chain. But, before I spend time experimenting with their command I would like to know the actual format