acme: add preferred_chain option (!31) · Merge requests · Forge / infra / Ansible / Collections / acme

Charles Decoux requested to merge add-preferred-chain into master Feb 27, 2023

Let's Encrypt currently (cross)signs its certificates with both ISRG Root X1 and DST Root CA X3: https://community.letsencrypt.org/t/production-chain-changes/150739

This breaks on DoH/DoT servers used as Android Private DNS because Android excepts each single CA which signed/crosssigned the certificate to be valid, instead if it already met a well-known valid one during the bottom-up validation.

This MR adds the ability to configure a custom preferred chain globally or for each certificate.

Admin message

acme: add preferred_chain option

Merge request reports