On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote:
> > * The "Let's Encrypt CA" chain is configured for compatibility with
> > legacy Android systems that trust the expired "DST" root CA:
> >
> > subject=CN = prometheus.mindmedia.com.sg
> > issuer=C = US, O = Let's Encrypt, CN = R3
> >
> > subject=C = US, O = Let's Encrypt, CN = R3
> > issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
> >
> > subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
> > issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
> >
> > You may have better luck by configuring "certbot" or similar to
> > build a chain that avoids the ISRG -> DST cross cert.
>
> More Google searching on how to do this.
Either add the option:
--preferred-chain "ISRG Root X1"
to your cron job running "certbot renew", or else add the following to
configuration under
/etc/letsencrypt/renewal/,
preferred_chain = ISRG Root X1
--
Viktor.
