What is the chain to pass to --preferred-chain argument to keep using DST Root X3 root certificate?

If you want to check that the Certbot flag works as expected, one option is to spin up a small testing environment and test the flag using the 'ISRG Root X1' chain that Let's Encrypt will move to on January 11, 2021. If the test certificate correctly chains to ‘ISRG Root X1’, it should be sufficient to conclude that it will work if you set --preferred-chain "DST Root CA X3".

Another option applies if your certificate expires after January 11, 2021: you can renew your certificate with --preferred-chain "DST Root CA X3" after the switchover date (possibly using the force-renewal option) and inspect that the new/renewed certificate is correct before using the cert and adding the flag to your renewal configuration. Although you'll have to wait a few months to test and feel assured in the flag, this might be the best option. You can ensure you'll have plenty of time to fix any problems by renewing your certificate just before the switchover date, getting a certificate for 90 days where the default chain is 'DST Root CA X3', and then doing the testing. Your plan might be something like this:

  • January 1, 2021: renew/force-renew current certificate (chains by default to 'DST Root CA X3' for 90 days)
  • January 12, 2021: renew/force-renew certificate in cert-only mode with --preferred-chain "DST Root CA X3" (check for correct chain)
  • When testing is done: update Certbot renewal configuration to always specify the chain

Unfortunately this is a lot of manual, "remember this" work, but once you finish testing it can be automated until 'DST Root CA X3' expires in September 2021. (edit: the cutover will be earlier; see this post)

I think your Certbot logs should include information on the chain that you can review. Otherwise, you can use an openssl command to get the certificate chain of a cert file or look at the finer details in an ssllabs.com report for the domain (‘Certification Paths’) if your cert is being used by a web server.

Here is an example in SSL Labs of a cert that specifies the chain to ‘ISRG Root X1’ for https://valid-isrgrootx1.letsencrypt.org

2 Likes
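As an added example of the openssl-based check mentioned in the post (this is not code from the post and not part of Certbot), the following POSIX shell script lists subject/issuer for every certificate in a Certbot fullchain.pem and reports which root the chain is built for. It relies on the fact that Let's Encrypt's fullchain.pem ends with the intermediate certificate, so the issuer of the last block in the file names the root ('DST Root CA X3' or 'ISRG Root X1'). It assumes the openssl CLI is installed; the file path and the expected root name are arguments you supply.

```shell
#!/bin/sh
# Added example: inspect which root a Certbot fullchain.pem chains to.
# Not part of the original post or of Certbot. Assumes the openssl CLI is
# installed; file path and expected root name are supplied by the caller.

# Number of PEM certificate blocks in a bundle (no OpenSSL needed).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Print only the last PEM certificate block of a bundle. In Let's Encrypt's
# fullchain.pem that is the intermediate; its issuer names the root.
last_cert_block() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { last = buf }
       END { printf "%s", last }' "$1"
}

# "subject=... / issuer=..." for every certificate in the bundle, in order.
chain_summary() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Issuer DN of the last certificate, i.e. the root the chain is built for.
chain_root_issuer() {
  last_cert_block "$1" | openssl x509 -noout -issuer
}

# Return 0 if the chain in $1 is built for the root named in $2
# (e.g. "DST Root CA X3" or "ISRG Root X1"), 1 otherwise.
chains_to_root() {
  case "$(chain_root_issuer "$1")" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Usage (path is an assumption; substitute your own lineage name):
#   sh check-chain.sh /etc/letsencrypt/live/example.com/fullchain.pem "DST Root CA X3"
if [ "$#" -ge 2 ]; then
  echo "certificates in bundle: $(count_certs "$1")"
  chain_summary "$1"
  if chains_to_root "$1" "$2"; then
    echo "OK: chain is built for '$2'"
  else
    echo "MISMATCH: chain root issuer is: $(chain_root_issuer "$1")"
    exit 1
  fi
fi
```

Run it against the fullchain.pem Certbot wrote after a renewal with --preferred-chain; a non-zero exit means the issuer of the last certificate does not name the root you asked for, which is the same condition the SSL Labs 'Certification Paths' section would show for a deployed cert.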