Hi Guilhem, Thank you for fixing the post-issuange logic.
The removal of the intermediate certificates (or not including the current ones) however is an issue as the server using the issued certificate still needs to provide them to the clients. Some clients may already have them, such as Firefox, but they don't seem to come in Debian ca-certificates.crt for instance. The result for other clients thus is a validation failure. While it's certainly possible for the lacme user to obtain these certificates directly from Let's encrypt, it'd be quite convenient to continue to provide them in the lacme package itself, even if the package does need to be updated from time to time for that reason. Or alternatively, download them automatically, which likely is error-prone as well unless Let's encrypt provides a canonical URL for them (which they probably do, at least for now). -- Kind regards, Sakari Ailus