I ran into this compatibility issue that requires serving the full chain of domain cert + R3 + ISRG Root X1.
Been googling and managed to get this to work with manual TLS like below:
tls:
  certificates:
    - certFile: /path/to/full.pem # concatenate domain cert + R3 + ISRG Root X1
      keyFile: /path/to/key.pem
Issue is this won't auto-renew itself, so I was trying to use certificatesResolvers to include the Root CA in acme.json, but couldn't find much useful documentation or discussion.
Has anyone dealt with this before? Any help would be appreciated.
Did more searching and found this official LE post, "Production Chain Changes - API Announcements - Let's Encrypt Community Support", confirming my test results:
Default chain: End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3
- This chain will remain compatible with many Android devices, thanks to the cross-sign!
The certResolver is for automatic TLS cert creation via Let's Encrypt; it usually serves full certs. If you use custom TLS certs (like paid ones), then you need to make sure all 3 parts are included in the file loaded by Traefik.
Yes, but Let's Encrypt stopped issuing the full chain this Feb and is in a transition now. This June, they will stop it completely, so no more support for old Android devices. I had a confirmation in their forum from staff.
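A check for the hand-concatenated full.pem discussed in this thread, added here as an example (it is not code from any poster or from Traefik): it reads each certificate's issuer and subject from the DER and confirms the order leaf, intermediate, self-issued root. It compares raw name bytes only and does not verify signatures; `fake_cert` and the sample bundles are constructed, cert-shaped test data, not real certificates.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER bytes from one X.509 certificate."""
    _, start, _ = _tlv(der, 0)              # outer Certificate SEQUENCE
    _, pos, end = _tlv(der, start)          # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:                # optional [0] version (absent in v1 certs)
        fields.pop(0)
    return fields[2][1], fields[4][1]       # serial, sigAlg, issuer, validity, subject

def check_bundle(pem_text):
    """Return a list of ordering problems for a leaf -> intermediate(s) -> root bundle."""
    pairs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = [] if pairs else ["no certificates found"]
    for i in range(len(pairs) - 1):
        if pairs[i][0] != pairs[i + 1][1]:
            problems.append(f"cert {i}: issuer is not the subject of cert {i + 1}")
    if pairs and pairs[-1][0] != pairs[-1][1]:
        problems.append("last cert is not self-issued: root CA missing")
    return problems

# --- constructed sample data: cert-shaped DER without real keys or signatures ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length, enough for tiny samples

def fake_cert(issuer, subject):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))   # simplified Name
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

LEAF, R3, ROOT = (fake_cert("R3", "example.test"), fake_cert("ISRG Root X1", "R3"),
                  fake_cert("ISRG Root X1", "ISRG Root X1"))
print(check_bundle(LEAF + R3 + ROOT), check_bundle(LEAF + R3))
```

Running `check_bundle` on the real file after each manual renewal catches a bundle that was rebuilt in the wrong order or without the root before Traefik loads it.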