On Tue, Oct 11, 2022 at 04:37:44PM -0400, Viktor Dukhovni wrote:
> > Do I have to worry?
>
> If Android clients aren't a concern for your MTA, you should perhaps
> configure your ACME client (e.g. certbot) to build a chain file without
> the cross certificate. Details on the letsencrypt.org website:
>
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> https://community.letsencrypt.org/t/production-chain-changes/150739
> https://community.letsencrypt.org/t/certbot-1-6-0-release/127841
>
> So at least once:
>
> # certbot renew --preferred-chain "ISRG Root X1" --force-renew
>
> and then ideally it will keep using it going forward. Haven't delved
> into the details...
Just tried it, and, at least for me, certbot made the choice stick. The
renewal/<domain>.conf file was updated:

    [renewalparams]
    reuse_key = True
    account = <censored>
    authenticator = webroot
    webroot_path = /var/www,
    server = https://acme-v02.api.letsencrypt.org/directory
    preferred_chain = ISRG Root X1
--
Viktor.
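Added example, not from the thread above or from certbot: a bash script that tells you which chain a PEM bundle actually carries, so the effect of `preferred_chain` can be checked on the renewed fullchain.pem (and, via `served_chain`, on what the MTA presents over STARTTLS) rather than assumed. It splits the bundle into individual certificates, prints each subject and issuer, and flags any certificate issued by "DST Root CA X3", which is the cross-signature the long chain carries. `make_demo_chains` builds a throwaway pair of CAs ("Demo Old Root", "Demo Root X1"), a cross-signed copy of the second root, and a leaf for the made-up host `mail.example.test`, purely to reproduce the short-versus-long chain layout offline; those names, the file layout and the `openssl` CLI are assumptions of the example.

```shell
#!/usr/bin/env bash
# chain-check.sh: report the certificates in a PEM chain file and whether the
# DST Root CA X3 cross-signature is still in it. Example code; assumes openssl.
set -eu

# split_chain PEMFILE DIR  -> writes DIR/001.pem, 002.pem, ... in bundle order
# and prints the number of certificates found. Text outside BEGIN/END markers
# (e.g. s_client chatter) is ignored.
split_chain() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n); p = 1 }
        p { print > f }
        /-----END CERTIFICATE-----/   { p = 0; close(f) }
        END { print n + 0 }' "$1"
}

# cert_field FILE subject|issuer  -> the DN in RFC 2253 form, e.g. CN=ISRG Root X1
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# chain_count PEMFILE  -> number of certificates in the bundle
chain_count() {
    local dir; dir=$(mktemp -d)
    split_chain "$1" "$dir"
    rm -rf "$dir"
}

# chain_report PEMFILE  -> one line per certificate: "N: subject  <=  issued by issuer"
chain_report() {
    local dir f i=0; dir=$(mktemp -d)
    split_chain "$1" "$dir" >/dev/null
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || break
        i=$((i + 1))
        printf '%d: %s  <=  issued by %s\n' "$i" "$(cert_field "$f" subject)" "$(cert_field "$f" issuer)"
    done
    rm -rf "$dir"
}

# chain_has_issuer PEMFILE [PATTERN]  -> success if any certificate in the bundle
# was issued by a DN containing PATTERN (default: the DST Root CA X3 cross-sign).
chain_has_issuer() {
    local pat="${2:-DST Root CA X3}" issuers
    issuers=$(chain_report "$1" | sed 's/.*issued by //')
    [[ "$issuers" == *"$pat"* ]]
}

# served_chain HOST [PORT]  -> the PEM certificates an SMTP server presents over
# STARTTLS (network access; not exercised by the offline demo below).
served_chain() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# --- constructed demo: two roots, one cross-signed, mirroring ISRG Root X1 / DST Root CA X3 ---

# selfsigned_ca DIR NAME CN  -> DIR/NAME.key and a self-signed DIR/NAME.pem
selfsigned_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_demo_chains DIR  -> DIR/short.pem (leaf only) and DIR/long.pem
# (leaf + "Demo Root X1" cross-signed by "Demo Old Root"). All names are made up.
make_demo_chains() {
    local d="$1"
    selfsigned_ca "$d" old "Demo Old Root"
    selfsigned_ca "$d" x1  "Demo Root X1"
    # Cross-sign X1's key under the old root, as DST Root CA X3 did for ISRG Root X1.
    openssl req -new -key "$d/x1.key" -subj "/CN=Demo Root X1" -out "$d/x1.csr" 2>/dev/null
    openssl x509 -req -in "$d/x1.csr" -CA "$d/old.pem" -CAkey "$d/old.key" \
        -set_serial 1 -days 1 -out "$d/x1-cross.pem" >/dev/null 2>&1
    # Leaf for a made-up mail host, issued by X1.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -subj "/CN=mail.example.test" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/x1.pem" -CAkey "$d/x1.key" \
        -set_serial 2 -days 1 -out "$d/leaf.pem" >/dev/null 2>&1
    cat "$d/leaf.pem" > "$d/short.pem"
    cat "$d/leaf.pem" "$d/x1-cross.pem" > "$d/long.pem"
}

# Usage: chain-check.sh /etc/letsencrypt/live/<domain>/fullchain.pem
if [ "$#" -gt 0 ]; then
    chain_report "$1"
    if chain_has_issuer "$1"; then
        echo "long chain: contains the DST Root CA X3 cross-signature"
    else
        echo "short chain: no DST Root CA X3 cross-signature"
    fi
fi
```

Run it against the renewed fullchain.pem, then against `served_chain mail.example.test 25` saved to a file, to confirm the MTA was actually reloaded with the new file; a stale process serving the old chain is the usual reason the two disagree.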