Zimbra renewal - Problems with R3

Thanks for your support in this matter, @rg305

You are totally right, manually replacing the chain.pem won't do in a fully automatized environment. Therefore, a colleague of mine used the snap version of certbot on CentOS 7 and receives a different chain.pem:

```
# openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -noout -print_certs
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1

subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
```

When I request a certificate using the --preferred-chain "ISRG Root X1" switch on CentOS 7 with the certbot installed via the EPEL repo, I get the following chain.pem:

```
# openssl crl2pkcs7 -nocrl -certfile 0000_chain.pem | openssl pkcs7 -noout -print_certs
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1

subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
```

The exact command used was:

```
sudo certbot certonly --standalone --non-interactive --agree-tos --preferred-chain "ISRG Root X1" --email valid-email@example.com --csr request.pem
```

In my naive, ideal world I would expect the same result from the snap- and EPEL-installed certbot clients?! Did I miss something along the way?

Thanks!

2 Likes
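
The by-eye comparison of the two `print_certs` outputs can be scripted for an automated renewal. The following is an added example, not part of the original post: it parses that output and reports whether the bundle ends at a self-signed root or at a certificate issued by another CA. The function names are hypothetical, and the sample inputs are the two outputs quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Summarise `openssl pkcs7 -noout -print_certs` output read from stdin.
# Prints "self-signed:<CN>" or "issued-by:<issuer CN>" for the last
# certificate in the bundle; exits 2 on empty input, 3 if a certificate
# is not issued by the one that follows it.
chain_summary() {
    awk '
        # Drop the "subject=" / "issuer=" label, keep the DN text.
        function dn(s) { sub(/^[a-z]+= */, "", s); return s }
        # CN from either "/C=US/.../CN=R3" or "C = US, ..., CN = R3".
        function cn(d) { sub(/.*CN *= */, "", d); sub("[,/].*", "", d); return d }
        /^subject=/ { n++; subj[n] = dn($0) }
        /^issuer=/  { iss[n] = dn($0) }
        END {
            if (n == 0) { print "empty"; exit 2 }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) { print "broken-at:" cn(subj[i]); exit 3 }
            kind = (subj[n] == iss[n]) ? "self-signed" : "issued-by"
            print kind ":" cn(iss[n])
        }'
}

# Gate for a deploy step: succeed only if the bundle ends at self-signed root $1.
chain_ends_at() {
    [ "$(chain_summary)" = "self-signed:$1" ]
}

# Same pipeline as in the post, fed into the gate.
# usage: check_chain_file chain.pem "ISRG Root X1"
check_chain_file() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -noout -print_certs | chain_ends_at "$2"
}

# Sample inputs: the two print_certs outputs quoted in the post.
SNAP_OUT="subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1

subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1"
EPEL_OUT="subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1

subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3"
```

Running `printf '%s\n' "$EPEL_OUT" | chain_summary` reports the second bundle as ending at a certificate issued by DST Root CA X3, while the first ends at the self-signed ISRG Root X1.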