FYI the feature is now enabled in both staging and production.
Certbot is the only client I know so far that has implemented the chain selection. You can check out how it was implemented in my PR here: https://github.com/certbot/certbot/pull/8080
Staging roots:
- Fake LE Root X1 (default)
- Fake LE Root X2
Production roots:
- DST Root CA X3 (default)
- ISRG Root X1
Test drive the functionality with:
```
certbot certonly --staging --preferred-chain "Fake LE Root X2" -d example.com
```
To apply a change globally for future renewals, you can add it to one of the cli.ini locations:
```
$ cat /etc/letsencrypt/cli.ini
preferred-chain = Fake LE Root X2
```
If you specify an issuer that does not exist, Certbot will complain when running interactively:
```
Certbot has been configured to prefer certificate chains with issuer 'Fake LE Root xyxy', but no chain from the CA matched this issuer. Using the default certificate chain instead.
```
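Because a non-matching issuer only produces a warning and the default chain is used, it is worth checking the saved chain after issuance or renewal. The script below is an added example, not part of the original post or of Certbot. The function names are hypothetical, and the `fullchain.pem` path in the usage comment assumes Certbot's usual live directory.

```shell
#!/bin/sh
# Added example: verify that a saved chain ends at the preferred issuer.
# Usage (path is an assumption about the local Certbot layout):
#   sh check_chain.sh /etc/letsencrypt/live/example.com/fullchain.pem "Fake LE Root X2"

# Print the issuer CN of the last certificate in a PEM bundle,
# i.e. the issuer of the topmost certificate in the chain.
chain_top_issuer() {
    bundle=$1
    # Keep only the final BEGIN..END block of the bundle.
    last=$(awk '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }
        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { cert = buf }
        END { printf "%s", cert }
    ' "$bundle")
    [ -n "$last" ] || return 2   # no certificate found in the file
    # RFC2253 output looks like: issuer=CN=Fake LE Root X2,O=...
    printf '%s\n' "$last" |
        openssl x509 -noout -issuer -nameopt RFC2253 |
        sed -n 's/^issuer=.*CN=\([^,]*\).*$/\1/p'
}

# Return 0 if the chain ends at the preferred issuer, 1 on mismatch,
# 2 if the bundle could not be read.
check_preferred_chain() {
    bundle=$1
    preferred=$2
    actual=$(chain_top_issuer "$bundle") || return 2
    if [ "$actual" = "$preferred" ]; then
        return 0
    fi
    echo "chain in $bundle ends at issuer '$actual', expected '$preferred'" >&2
    return 1
}

# Run the check only when called with both arguments.
if [ $# -eq 2 ]; then
    check_preferred_chain "$1" "$2"
fi
```

A non-zero exit status makes it usable from a deploy hook or a monitoring job.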