We've noticed that certificates issued on sandbox issued by the new YR cert do not have the same chain certs in the generated cert as when issued in production.
The cross-signed ISRG Root YR is not included in the chain on the production API.
Is that by design?
a) it is creating confusion when testing a change in sandbox which will then go into production and will result in different behavior
b) why isn't the Root YR included in the chain anyway? This is breaking trust in certain services/environments.
Sorry but I don't quite understand what you mean. Let's Encrypt does not have a "Sandbox" although it has a Staging system for test certs. Is that what you mean?
I just got a cert from Staging and Production and the chains look the same to me. Except of course that the Staging certs are not publicly trusted.
```
# STAGING (shortlived profile)
subject=
issuer=C=US, O=Let's Encrypt, CN=(STAGING) Artificial Amaranth YE1
subject=C=US, O=Let's Encrypt, CN=(STAGING) Artificial Amaranth YE1
issuer=C=US, O=ISRG, CN=(STAGING) Yearning Yucca Root YE
subject=C=US, O=ISRG, CN=(STAGING) Yearning Yucca Root YE
issuer=C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Bogus Broccoli X2
subject=C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Bogus Broccoli X2
issuer=C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1

# PRODUCTION (shortlived profile)
subject=
issuer=C=US, O=Let's Encrypt, CN=YE1
subject=C=US, O=Let's Encrypt, CN=YE1
issuer=C=US, O=ISRG, CN=Root YE
subject=C=US, O=ISRG, CN=Root YE
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X2
subject=C=US, O=Internet Security Research Group, CN=ISRG Root X2
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
```
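Added example, not part of either post: a way to compare two served chains mechanically rather than by eye, using the subject/issuer listings quoted in the reply above as input. The function names (`parse_chain`, `cn`, `chain_report`) are hypothetical, and the check compares name text only.

```python
STAGING = """\
subject=
issuer=C=US, O=Let's Encrypt, CN=(STAGING) Artificial Amaranth YE1
subject=C=US, O=Let's Encrypt, CN=(STAGING) Artificial Amaranth YE1
issuer=C=US, O=ISRG, CN=(STAGING) Yearning Yucca Root YE
subject=C=US, O=ISRG, CN=(STAGING) Yearning Yucca Root YE
issuer=C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Bogus Broccoli X2
subject=C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Bogus Broccoli X2
issuer=C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1
"""
PRODUCTION = """\
subject=
issuer=C=US, O=Let's Encrypt, CN=YE1
subject=C=US, O=Let's Encrypt, CN=YE1
issuer=C=US, O=ISRG, CN=Root YE
subject=C=US, O=ISRG, CN=Root YE
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X2
subject=C=US, O=Internet Security Research Group, CN=ISRG Root X2
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""

def parse_chain(listing):
    """Return [(subject, issuer), ...] in the order the certs were listed."""
    certs, subject = [], None
    for line in map(str.strip, listing.splitlines()):
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):]))
            subject = None
    return certs

def cn(dn):
    return dn.rsplit("CN=", 1)[-1] if "CN=" in dn else ""

def chain_report(listing):
    certs = parse_chain(listing)
    if not certs:
        raise ValueError("no subject=/issuer= pairs found")
    # Name chaining only (issuer of cert i == subject of cert i+1); no signature check.
    linked = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))
    top_subject, top_issuer = certs[-1]
    return {
        "depth": len(certs),
        "linked": linked,
        # Last cert not self-issued => the served chain ends in a cross-sign.
        "ends_in_cross_sign": top_subject != top_issuer,
        "path": [cn(s) for s, _ in certs[1:]] + [cn(top_issuer)],
    }
```

Running `chain_report` on a listing from each environment and diffing `depth`, `linked` and `ends_in_cross_sign` shows whether the two chains have the same shape even though the names differ.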