Hello,

I've been making certificates using win-acme. The web server is 4D. Validation is DNS with DreamHost.

Some SSL checkers say the certificate chain is fine and others report that a valid Root CA could not be located. Why? Geocerts is one of them.

Domain is simon4d.bel.com. Note that this is a different server entirely than bel.com, but that hasn't mattered before.

Is it that some validation tools don't trust ISRG Root X1? Can I create certificates which use ISRG Root X2 instead?

I'm creating PEM files with the win-acme tool, and 4D uses the full chain and key files. I am not modifying them.

That root certificate is more recent and therefore even less well trusted. Besides, it's also cross-signed by ISRG Root X1, so that little fact isn't of that importance.

No it doesn't. Your server at simon4d.bel.com is only sending the leaf certificate. It might be configured (I dunno) to "see" the full chain, but it isn't using it entirely.

Don't ask me how to change that, as I don't have experience with 4D, win-acme or Windows in general nowadays.