With '--preferred-chain "ISRG Root X1"' fullchain.pem doesn't contain the ISRG Root X1 certificate

I ran this command:

docker run --env-file ./env.list -v ~/tmp:/etc/letsencrypt certbot/dns-route53:v1.20.0 certonly --preferred-chain "ISRG Root X1" --dns-route53 --dns-route53-propagation-seconds 30 --email <REMOVED> -n --agree-tos --cert-name wildcard.<MYDOMAIN.COM> -d "*.<MYDOMAIN.COM>"

It produced this output:

Requesting a certificate for *.<MYDOMAIN.COM>

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/wildcard.<MYDOMAIN.COM>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/wildcard.<MYDOMAIN.COM>/privkey.pem
This certificate expires on 2022-01-13.


I was able to correctly generate a new certificate using the --preferred-chain "ISRG Root X1", but I see fullchain.pem doesn't contain the self-signed ISRG Root X1 CA certificate on it.

Am I missing any other option to concatenate that certificate to fullchain.pem? I'm aware the resulting file might have issues with some old devices, but I would like the fullchain.pem file to be really a full chain.

Thanks in advance.

Root certificates are not usually included in chain files.

That's because the client already knows them - they're included in their trust store. Sending them would not help the client (sending self-signed certificates does not magically change the trust anchor of a client) and is just wasting bandwidth on every handshake.

Hence the fullchain.pem files never contain any root certificate. The default chain does not include DST Root CA X3 itself, and the alternate chain does not include ISRG Root X1 itself. This is intended.


That's to be expected. From the certbot documentation:

--preferred-chain PREFERRED_CHAIN
    Set the preferred certificate chain. If the CA offers
    multiple certificate chains, prefer the chain whose
    topmost certificate was issued from this Subject
    Common Name. If no match, the default offered chain
    will be used. (default: None)

A certificate chain shouldn't contain the actual root it is chaining up to, just the intermediate which has the specific root as issuer.


Ok I see, I had the wrong assumption that a full chain that included the CA would be helpful to some clients, so it was always better to include it.

Thanks for the answers! I'm much more clear now.


I forgot the name, but I do know there's an application out there which demands the root being present too. However, that's just a silly decision by the developers, as explained perfectly by @Nummer378

But by far most clients don't require it.




Noooo Rudy I don't wanna hear it :grimacing: :shushing_face:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.