Requesting a certificate for *.<MYDOMAIN.COM>
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/wildcard.<MYDOMAIN.COM>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/wildcard.<MYDOMAIN.COM>/privkey.pem
This certificate expires on 2022-01-13.
Hello,
I was able to correctly generate a new certificate using the --preferred-chain "ISRG Root X1", but I see fullchain.pem doesn't contain the self-signed ISRG Root X1 CA certificate in it.
Am I missing any other option to concatenate that certificate to fullchain.pem? I'm aware the resulting file might have issues with some old devices, but I would like the fullchain.pem file to really be a full chain.
Root certificates are not usually included in chain files.
That's because the client already knows them - they're included in their trust store. Sending them would not help the client (sending self-signed certificates does not magically change the trust anchor of a client) and is just wasting bandwidth on every handshake.
Hence the fullchain.pem files never contain any root certificate. The default chain does not include DST Root CA X3 itself, and the alternate chain does not include ISRG Root X1 itself. This is intended.
That's to be expected. From the certbot documentation:
--preferred-chain PREFERRED_CHAIN
Set the preferred certificate chain. If the CA offers
multiple certificate chains, prefer the chain whose
topmost certificate was issued from this Subject
Common Name. If no match, the default offered chain
will be used. (default: None)
A certificate chain shouldn't contain the actual root it is chaining up to, just the intermediate which has the specific root as issuer.
I forgot the name, but I do know there's an application out there which demands that the root be present too. However, that's just a silly decision by the developers, as explained perfectly by @Nummer378
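A small checker for the question in this thread, added here as example code (not certbot's or any poster's own): it decodes each certificate in a PEM bundle just far enough to read the subject and issuer commonName and flag self-signed entries, so you can confirm that fullchain.pem stops at the intermediate and see which issuer CN the topmost certificate chains to (the name --preferred-chain matches on). The sample bundle is constructed from bare X.509 skeletons with no keys or signatures; the function names and the stdlib-only DER walk are this example's own.

```python
import base64, re
CN_OID_TLV = b"\x06\x03\x55\x04\x03"   # DER-encoded OID 2.5.4.3 (id-at-commonName)

def _tlv(buf, off):                    # decode one DER tag/length -> (tag, value_start, value_end)
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, off + hdr, off + hdr + ln

def _children(buf, start, end):        # yield (tag, raw_tlv_bytes) for each element of a constructed value
    off = start
    while off < end:
        tag, vs, ve = _tlv(buf, off)
        yield tag, buf[off:ve]
        off = ve

def _common_name(name_tlv):            # CN string from a DER Name, None if it carries no CN
    i = name_tlv.find(CN_OID_TLV)
    if i < 0:
        return None
    _, vs, ve = _tlv(name_tlv, i + len(CN_OID_TLV))
    return name_tlv[vs:ve].decode()

def cert_names(der):                   # (subject CN, issuer CN, self_signed) for one DER certificate
    _, ts, te = _tlv(der, _tlv(der, 0)[1])        # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                       # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject, ...
    return _common_name(subject), _common_name(issuer), issuer == subject

def chain_report(pem_text):            # [(subject, issuer, self_signed), ...] per certificate in a PEM bundle
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [cert_names(base64.b64decode("".join(b.split()))) for b in blocks]

def has_root(pem_text):                # True when the bundle carries a self-signed (root) certificate
    return any(self_signed for _, _, self_signed in chain_report(pem_text))

# Constructed sample: bare X.509 skeletons (no key, no signature), not real certificates.
def _der(tag, body):                   # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
def _name(cn):                         # Name ::= SEQUENCE OF SET OF {OID, UTF8String}
    return _der(0x30, _der(0x31, _der(0x30, CN_OID_TLV + _der(0x0C, cn.encode()))))
def skeleton_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, _der(0x30, tbs))              # Certificate { tbsCertificate }
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
SAMPLE_FULLCHAIN = skeleton_cert("*.example.com", "R3") + skeleton_cert("R3", "ISRG Root X1")
```

Reading the real file with `chain_report(open("/etc/letsencrypt/live/<name>/fullchain.pem").read())` lists leaf then intermediate, with no self-signed entry, which is the expected layout.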