Use Short/Alternate Chain by default


Running Certbot from a HAProxy server. Version details as follows:

Certbot version: 0.40.0
OS: Ubuntu 20.04.4 LTS
HAProxy: version 2.4.17-1ppa1~focal, released 2022/05/14

By default, we're generating new SSL certificates and renewals still including the expired intermediate. This is for older Android device support.

I believe that there is an alternate chain that can be used instead which omits this from the chain. I am wondering how I go about ensuring that the long chain is no longer used and only the short/alternate chain is going forward.

I came across this,

But I am not really finding any answers to how this can be achieved.

I am not an expert with HAProxy. But for most servers you can do it manually by removing the last cert in the fullchain.pem file. But this is not the best because you need to do this manual step each time you renew the cert.

The best is to upgrade your certbot version. See for instructions on upgrading to the snap version and removing your 0.40 version. Certbot v1.12 is needed to use this option, which selects the short chain:

--preferred-chain "ISRG Root X1"

You will lose compatibility for older Android - as you note. You may want to review this topic too
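The manual step mentioned in the reply above (dropping the last certificate from fullchain.pem) has to be repeated at every renewal. As an added example, not code from this thread or from the Certbot project, the shell function below does it idempotently and can be run as a certbot `--deploy-hook`. It assumes the short chain is the first two certificates in the file (leaf plus one intermediate); `SHORT_CHAIN_OUT` is a hypothetical variable naming where the trimmed chain is written.

```shell
#!/bin/sh
# Added example: keep only the first KEEP certificates of a PEM chain file.
# Assumption: KEEP=2 (leaf + one intermediate) is the short chain, and the
# long chain carries one extra certificate at the end.

# short_chain FILE [KEEP] -> prints the first KEEP certificates to stdout.
# Returns non-zero if FILE holds fewer than KEEP certificates, so a chain
# that is already short is passed through and a broken one is never installed.
short_chain() {
    file=$1
    keep=${2:-2}
    # grep -c exits non-zero on zero matches or a missing file; treat both as 0.
    total=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null) || total=0
    if [ "$total" -lt "$keep" ]; then
        echo "short_chain: $file has $total certificate(s), need $keep" >&2
        return 1
    fi
    awk -v keep="$keep" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n <= keep           { print }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$file"
}

# When certbot runs this file as a --deploy-hook it sets RENEWED_LINEAGE to
# the live directory of the renewed certificate. SHORT_CHAIN_OUT is a
# hypothetical variable for this example: the file the server reads its
# chain from. The live fullchain.pem itself is left untouched.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${SHORT_CHAIN_OUT:-}" ]; then
    tmp=$(mktemp "$SHORT_CHAIN_OUT.XXXXXX") || exit 1
    if short_chain "$RENEWED_LINEAGE/fullchain.pem" 2 > "$tmp"; then
        mv "$tmp" "$SHORT_CHAIN_OUT"   # replace atomically, only on success
    else
        rm -f "$tmp"
        exit 1
    fi
fi
```

Because the function keeps a fixed number of certificates rather than deleting the last one, running it again on a chain that is already short changes nothing.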


Thanks very much. So just so I've got this right,

To take care of renewals for example, I'd just amend part of our script from this:

/usr/bin/certbot certonly --dns-route53 --email -d * --agree-tos --non-interactive

To this instead:

/usr/bin/certbot certonly --dns-route53 --email -d * --agree-tos --non-interactive --preferred-chain "ISRG Root X1"


But I can only use this once I upgrade Certbot from 0.40.0 to v1.12?





Really appreciate your support on this. Cheers.

