
Option to setup preferred-chain #73

Open
LanThrusteR opened this issue Oct 6, 2021 · 2 comments

Comments

@LanThrusteR

Is there any option to set up a preferred chain?

Like:

```
./certbot certonly --apache -d ${DOMAIN} --dry-run --preferred-chain="ISRG Root X1"
```

with DST Root CA X3 now expired?

@do-know
Owner

do-know commented Oct 6, 2021

I believe this might be what you're looking for:

https://github.com/do-know/Crypt-LE#alternative-certificates-support

But let me know if it's not.

@LanThrusteR
Author

That's not what I meant. I'm not sure if it's by design, but Crypt::LE enforces an alternative LE chain. It means that the (currently expired) DST root cert is not used in Crypt::LE-generated certs:

```
Certificate type: X.509
Got a certificate list of 2 certificates.
Certificate[0] info:
subject CN=somesite.ru', issuer C=US,O=Let's Encrypt,CN=R3', RSA key 4096 bits, signed using RSA-SHA256, activated 2021-10-06 09:17:45 UTC', expires 2022-01-04 09:17:44 UTC', SHA-1 fingerprint `9d937626d3fda258c0911b80fbecf17c63ea0c1f'
Certificate[1] info:
subject C=US,O=Let's Encrypt,CN=R3', issuer C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated 2020-09-04 00:00:00 UTC', expires 2025-09-15 16:00:00 UTC', SHA-1 fingerprint a053375bfe84e8b748782c7cee15827a6af5a405'
```

LE cert with DST:

```
Certificate type: X.509
Got a certificate list of 3 certificates.
Certificate[0] info:
subject CN=othersite.com', issuer C=US,O=Let's Encrypt,CN=R3', RSA key 2048 bits, signed using RSA-SHA256, activated 2021-09-19 22:02:46 UTC', expires 2021-12-18 22:02:45 UTC', SHA-1 fingerprint `326914f12c9330d49b7ed00ea4dc56eed525a49c'
Certificate[1] info:
subject C=US,O=Let's Encrypt,CN=R3', issuer C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated 2020-09-04 00:00:00 UTC', expires 2025-09-15 16:00:00 UTC', SHA-1 fingerprint `a053375bfe84e8b748782c7cee15827a6af5a405'
Certificate[2] info:
subject C=US,O=Internet Security Research Group,CN=ISRG Root X1', issuer O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 4096 bits, signed using RSA-SHA256, activated 2021-01-20 19:14:03 UTC', expires 2024-09-30 18:14:03 UTC', SHA-1 fingerprint 933c6ddee95c9c41a40f9f50493d82be03ad87bf'
```

Currently that is a good thing, because the DST root expired on the 30th of September.

But just for the record:

  • If Crypt::LE was always enforcing the new alternative chain of trust, then a lot of old Android devices were not able to connect to websites with certs generated by Crypt::LE (and they are currently unable to do so right now).

So an option is required to use the DST -> ISRG -> Client authority chain (which is the default for certbot).

Please don't change the current default (ISRG Self Signed -> ISRG -> Client)

In short: certbot defaults to the DST -> ISRG -> Client chain when requesting a cert from LE and requires the option `--preferred-chain="ISRG Root X1"` to use the alternative chain without the now-expired DST.

Crypt::LE defaults to ISRG Self Signed -> ISRG -> Client (an alternative chain) and requires an option to go with DST -> ISRG -> Client.

Both chains have pros and cons, but JFTR Crypt::LE defaults to the option that turns off a majority of old Android devices, so maybe an option is required to go with DST...
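As an added example (not code from this issue, from certbot or from Crypt::LE), a small Python checker over the two chain listings quoted above: it parses the subject, issuer and expiry fields, verifies that each cert is issued by the next one, reports which root the chain leads to, and flags the case the thread is about, a chain that leads to the expired DST Root CA X3. The DST expiry timestamp and the reference date are assumptions noted in the code.

```python
import re
from datetime import datetime, timezone
# Constructed sample input: the two gnutls-style chain listings quoted in this issue
# (the short ISRG Root X1 chain and the long chain that leads to DST Root CA X3).
SHORT_CHAIN = """\
subject CN=somesite.ru', issuer C=US,O=Let's Encrypt,CN=R3', RSA key 4096 bits, signed using RSA-SHA256, activated 2021-10-06 09:17:45 UTC', expires 2022-01-04 09:17:44 UTC', SHA-1 fingerprint `9d937626d3fda258c0911b80fbecf17c63ea0c1f'
subject C=US,O=Let's Encrypt,CN=R3', issuer C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated 2020-09-04 00:00:00 UTC', expires 2025-09-15 16:00:00 UTC', SHA-1 fingerprint a053375bfe84e8b748782c7cee15827a6af5a405'
"""
DST_CHAIN = """\
subject CN=othersite.com', issuer C=US,O=Let's Encrypt,CN=R3', RSA key 2048 bits, signed using RSA-SHA256, activated 2021-09-19 22:02:46 UTC', expires 2021-12-18 22:02:45 UTC', SHA-1 fingerprint `326914f12c9330d49b7ed00ea4dc56eed525a49c'
subject C=US,O=Let's Encrypt,CN=R3', issuer C=US,O=Internet Security Research Group,CN=ISRG Root X1', RSA key 2048 bits, signed using RSA-SHA256, activated 2020-09-04 00:00:00 UTC', expires 2025-09-15 16:00:00 UTC', SHA-1 fingerprint `a053375bfe84e8b748782c7cee15827a6af5a405'
subject C=US,O=Internet Security Research Group,CN=ISRG Root X1', issuer O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 4096 bits, signed using RSA-SHA256, activated 2021-01-20 19:14:03 UTC', expires 2024-09-30 18:14:03 UTC', SHA-1 fingerprint 933c6ddee95c9c41a40f9f50493d82be03ad87bf'
"""
# DST Root CA X3 itself is not in the listing; assumed expiry (its notAfter) is 2021-09-30 14:01:15 UTC.
DST_ROOT_CA_X3_EXPIRY = datetime(2021, 9, 30, 14, 1, 15, tzinfo=timezone.utc)
NOW = datetime(2021, 10, 6, tzinfo=timezone.utc)  # assumed reference time: the date of the issue
CERT_RE = re.compile(
    r"subject (?P<subject>.+?)', issuer (?P<issuer>.+?)',.*?"
    r"expires (?P<expires>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC'"
)

def parse_chain(text):
    """Turn the 'Certificate[n] info' lines into dicts of subject, issuer and expiry."""
    certs = []
    for line in text.splitlines():
        m = CERT_RE.search(line)
        if m:
            exp = datetime.strptime(m.group("expires"), "%Y-%m-%d %H:%M:%S")
            certs.append({"subject": m.group("subject"), "issuer": m.group("issuer"),
                          "expires": exp.replace(tzinfo=timezone.utc)})
    return certs

def cn(dn):
    """Pull the CN attribute out of a DN such as "C=US,O=Let's Encrypt,CN=R3"."""
    return next((p[3:] for p in dn.split(",") if p.startswith("CN=")), dn)

def classify_chain(certs, now=NOW):
    """Return (root_cn, problems): which root the chain leads to, plus ordering/expiry issues."""
    problems = []
    for i in range(len(certs) - 1):  # each cert must be issued by the next one in the list
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert[{i}] issuer does not match cert[{i + 1}] subject")
    for i, c in enumerate(certs):  # the listed certs themselves must still be valid
        if c["expires"] <= now:
            problems.append(f"cert[{i}] ({cn(c['subject'])}) expired {c['expires']:%Y-%m-%d}")
    root_cn = cn(certs[-1]["issuer"]) if certs else None
    if root_cn == "DST Root CA X3" and now >= DST_ROOT_CA_X3_EXPIRY:
        problems.append("chain leads to DST Root CA X3, which is expired; clients must trust ISRG Root X1 directly")
    return root_cn, problems
```

Running `classify_chain(parse_chain(DST_CHAIN))` reports the DST problem even though every listed cert is still within its validity period, which is exactly why the long chain keeps working on clients that ignore root expiry and fails on clients that do not trust ISRG Root X1.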
