@samspin, I don’t believe that fullchain.pem references the ISRG root. I originally wrote the code that originally creates it and the definition of fullchain.pem was cert.pem and chain.pem in a single file. The fullchain.pem file is intended for use in Nginx and Apache 2.4 (and other web servers that expect the end-entity certificate and certificate chain to be provided in a single file), while chain.pem and cert.pem are intended for Apache 2.2 (and other web servers that expect the end-entity certificate and certificate chain to be provided in separate files).
Currently both files should be based on the same chain provided by the Let’s Encrypt CA, which would use the IdenTrust signature rather than the Let’s Encrypt root signature (if that’s changed at some point, please let me know!).
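A way to check the layout described in the post above, added here as an example (not part of the original post and not the client's own code): it confirms that fullchain.pem is the certificate from cert.pem followed by the certificates from chain.pem, comparing decoded bytes so line endings do not matter. The names `pem_blocks`, `check_layout` and `fake_pem` are hypothetical, and the sample blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the decoded bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]


def check_layout(cert_pem, chain_pem, fullchain_pem):
    """Return a list of problems; an empty list means fullchain.pem is
    cert.pem followed by chain.pem."""
    cert, chain, full = map(pem_blocks, (cert_pem, chain_pem, fullchain_pem))
    problems = []
    if len(cert) != 1:
        problems.append(f"cert.pem holds {len(cert)} certificates, expected 1")
    if not chain:
        problems.append("chain.pem holds no certificates")
    if not full or full[:1] != cert[:1]:
        problems.append("fullchain.pem does not start with the end-entity certificate")
    if full[1:] != chain:
        problems.append("fullchain.pem intermediates differ from chain.pem")
    return problems


def fake_pem(der):
    """Wrap arbitrary bytes in PEM armour (constructed sample data only)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins for the end-entity and intermediate certificates.
LEAF = fake_pem(b"constructed-leaf-" * 8)
INTER = fake_pem(b"constructed-intermediate-" * 8)

if __name__ == "__main__":
    print(check_layout(LEAF, INTER, LEAF + INTER))   # expected layout
    print(check_layout(LEAF, INTER, INTER + LEAF))   # wrong order
```

With real files, read each one as text and pass the three strings to `check_layout`.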