Generate Certificates without the "ISRG Root X1" chain to avoid expired errors

[TimoGlastra]

On september 30 the "DST Root CA X3" certificate from Let's Encrypt has expired (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/). This is causing quite some issues in older clients, or clients that don't have a good path finding algorithm in place. This means you can get certificate expired errors even though there is another certificate chain that is valid.

My knowledge on this topic is really lacking, but from how I understand currently there are a few ways to solve this:

1. Disable the "DST Root CA X3" certificate on the client. As this needs to happen on any device this is not really a viable option.
2. Update the client to find the correct certificate. This is a viable option but requires all flawed clients to be updated, this is not always possible and will take a while.
3. Generate the certificate using shorter certificate chain. See this comment here or this post on the LE community forum.

Would it be possible to incorporate this preferred-chain strategy into the acme companion? Or at least make it an option. I tried looking for a call to certbot but couldn't find one, so I'm not sure what would be required to make that change.

The post mentioned the following command to use the shorter chain and overcome this issue:

sudo certbot certonly --nginx -d <domain> --preferred-chain "ISRG Root X1"
sudo service nginx restart

[buchdag]

Hi.

This feature is already part of the acme-companion : https://github.com/nginx-proxy/acme-companion/blob/main/docs/Let's-Encrypt-and-ACME.md#preferred-chain

[TimoGlastra]

I'm sorry for not finding that myself. Thank you!

[buchdag]

No worries 😄