Running Certbot from a HAProxy server. Version details as follows:
Certbot version: 0.40.0 OS: Ubuntu 20.04.4 LTS HAProxy: version 2.4.17-1ppa1~focal, released 2022/05/14
By default, we're generating new SSL certificates and renewals still including the expired intermediate. This is for older Android device support.
I believe that there is an alternate chain that can be used instead which omits this from the chain. I am wondering how I go about ensuring that the long chain is no longer used and only the short/alternate chain is going forward.
I came across this,
But I am not really finding any answers to how this can be achieved.
I am not expert with HAproxy. But, for most servers you can do it manually by removing the last cert in the fullchain.pem file. But, this is not the best because you need to do this manual step each time you renew the cert.
The best is to upgrade your certbot version. See certbot.eff.org for instructions on upgrading to snap version and removing your 0.40 version. Certbot v1.12 is needed to use this option which selects the short chain
--preferred-chain "ISRG Root X1"
You will lose compatibility for older Android - as you note. You may want to review this topic too