On Tue, Oct 11, 2022 at 04:37:44PM -0400, Viktor Dukhovni wrote:

> > Do I have to worry?
>
> If Android clients aren't a concern for your MTA, you should perhaps
> configure your ACME client (e.g. certbot) to build a chain file without
> the cross certificate.  Details on the letsencrypt.org website:
>
>     https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>     https://community.letsencrypt.org/t/production-chain-changes/150739
>     https://community.letsencrypt.org/t/certbot-1-6-0-release/127841
>
> So at least once:
>
>     # certbot renew --preferred-chain "ISRG Root X1" --force-renew
>
> and then ideally it will keep using it going forward.  Haven't delved
> into the details...

Just tried it, and, at least for me, certbot made the choice stick.
The renewal/<domain>.conf file was updated:

    [renewalparams]
    reuse_key = True
    account = <censored>
    authenticator = webroot
    webroot_path = /var/www,
    server = https://acme-v02.api.letsencrypt.org/directory
    preferred_chain = ISRG Root X1

--
    Viktor.
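
An added example, not part of the original message and not certbot's own code: a small audit that reads every renewal/<domain>.conf and reports whether `preferred_chain` is pinned in `[renewalparams]`, so a host with several lineages can confirm the choice stuck for all of them. The directory `/etc/letsencrypt/renewal` and the sample file contents are assumptions made for the example.

```python
"""Audit certbot renewal configs for a pinned preferred chain (added example)."""
import sys
from pathlib import Path

WANTED_CHAIN = "ISRG Root X1"              # chain name used in the message above
DEFAULT_DIR = "/etc/letsencrypt/renewal"   # assumption: certbot's default location

# Constructed sample, modelled on the snippet quoted in the message.
SAMPLE = """\
[renewalparams]
reuse_key = True
authenticator = webroot
webroot_path = /var/www,
preferred_chain = ISRG Root X1
[[webroot_map]]
"""


def renewal_params(text):
    """Return the key/value pairs found directly under [renewalparams]."""
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Any other header, including nested [[...]], ends the section.
            in_section = line == "[renewalparams]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip().strip("\"'")
    return params


def chain_status(text, wanted=WANTED_CHAIN):
    """Classify one renewal config as 'pinned', 'other:<name>' or 'unset'."""
    chain = renewal_params(text).get("preferred_chain")
    if chain is None:
        return "unset"
    return "pinned" if chain == wanted else f"other:{chain}"


def audit(directory=DEFAULT_DIR):
    """Map each lineage name (file name without .conf) to its status."""
    return {p.stem: chain_status(p.read_text())
            for p in sorted(Path(directory).glob("*.conf"))}


if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR)
    print("\n".join(f"{name}: {status}" for name, status in results.items()))
    sys.exit(0 if all(s == "pinned" for s in results.values()) else 1)
```

The exit status is non-zero when any lineage is not pinned, which makes the script usable from cron or a monitoring check.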