This is very similar to the certbot issue certbot/certbot/issues/8577
> In the near future, Let's Encrypt intends to update the default and alternate chains that we provide. In short, we'll be offering two chains that users can choose between:
>
> - Subscriber Cert <-- R3 <-- ISRG Root X1 <-- DST Root CA X3 (self-signed)
> - Subscriber Cert <-- R3 <-- ISRG Root X1 (self-signed)
The alternate chain contains no unique names, so certbot users cannot select it using the current `--preferred-chain` mechanism.
Posh-ACME's `PreferredChain` option suffers from the same problem: if the value is found within the first chain, it will never select the alternate chains.
Based on the discussion in the certbot issue, I'm thinking of updating Posh-ACME so it will give matches closer to the root a higher priority. So in the example above, "ISRG Root X1" would end up selecting the second chain rather than the first, because that issuer is the root of the second chain but only second from the root in the primary chain.
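The selection rule described above, as an added PowerShell example that is not Posh-ACME's own code: each offered chain is modelled as an ordered array of subject names (leaf first), the `PreferredChain` value is compared against the issuer names in every chain, and the chain whose match lies closest to its root wins, with ties going to the CA's default (first) chain. The function names, the representation of a chain as a string array and the sample chain data are all assumptions made for this example.

```powershell
# Added example (not Posh-ACME's code): compare the current "first chain that
# contains the name" behaviour with a root-weighted selection.

function Select-ChainFirstMatch {
    # Current behaviour: return the first chain containing the preferred name.
    param(
        [Parameter(Mandatory)] [object[]]$Chains,   # array of string[], index 0 = default chain
        [string]$PreferredChain
    )
    if ([string]::IsNullOrWhiteSpace($PreferredChain)) { return $Chains[0] }
    foreach ($chain in $Chains) {
        if (@($chain) -contains $PreferredChain) { return $chain }
    }
    return $Chains[0]   # no match anywhere: fall back to the default chain
}

function Select-ChainByRootWeight {
    # Proposed behaviour: prefer the chain whose match is closest to the root.
    param(
        [Parameter(Mandatory)] [object[]]$Chains,
        [string]$PreferredChain
    )
    if ([string]::IsNullOrWhiteSpace($PreferredChain)) { return $Chains[0] }

    $best = $null
    $bestDistance = [int]::MaxValue
    for ($i = 0; $i -lt $Chains.Count; $i++) {
        $chain = @($Chains[$i])
        # Walk from the root (last element) toward the leaf; the first hit is
        # the match closest to the root. Index 0 is the subscriber cert and is
        # skipped because the preference names an issuer, not the leaf.
        for ($j = $chain.Count - 1; $j -ge 1; $j--) {
            if ($chain[$j] -eq $PreferredChain) {
                $distance = ($chain.Count - 1) - $j   # 0 means "is the root"
                # Strict less-than keeps the earlier (default) chain on ties.
                if ($distance -lt $bestDistance) {
                    $bestDistance = $distance
                    $best = $chain
                }
                break
            }
        }
    }
    if ($null -eq $best) { return $Chains[0] }   # no match: default chain
    return $best
}

# Constructed sample data mirroring the two chains quoted in the issue.
$chains = @(
    @('Subscriber Cert', 'R3', 'ISRG Root X1', 'DST Root CA X3'),  # default chain
    @('Subscriber Cert', 'R3', 'ISRG Root X1')                     # alternate chain
)

'first-match  : ' + ((Select-ChainFirstMatch   -Chains $chains -PreferredChain 'ISRG Root X1')  -join ' <-- ')
'root-weighted: ' + ((Select-ChainByRootWeight -Chains $chains -PreferredChain 'ISRG Root X1')  -join ' <-- ')
'root-weighted: ' + ((Select-ChainByRootWeight -Chains $chains -PreferredChain 'DST Root CA X3') -join ' <-- ')
'root-weighted: ' + ((Select-ChainByRootWeight -Chains $chains -PreferredChain 'Nonexistent CA') -join ' <-- ')
```

With `ISRG Root X1` as the preference, the first-match selector stops at the default chain because the name appears there too, while the root-weighted selector picks the alternate chain, where that name has distance 0 from the root rather than 1. Asking for `DST Root CA X3` still yields the default chain (the only one containing it), and a name that matches nothing falls back to the default chain, so existing configurations that name a unique issuer keep working unchanged.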