i am using lets-encrypt-certs for my mailserver and clients.
A special email-client “The Bat” needs the Lets-encrypt Root-Certificate to trust the cert.
So i manually need to download “DSTRootCAX3.crt” and put it into the chain.
The problem is, that on auto-renewing by certbot, this needs to be done manually after the cronjob.
How can i automatically let the Root-Cert be inserted by certbot on renewing?
Including the root certificate is pointless, so Certbot is never going to do it by default. You can add a deploy hook to achieve that effect, though.
This will create a hook at /etc/letsencrypt/renewal-hooks/deploy/add-root.sh, which will produce a fullchain-with-root.pem variant after every renewal or issuance: