Select preferred alternate certificate chain by CN of the rootmost certificate only #4505
Description
Currently, users can specify a preferred alternate ACME cert chain by setting issuers.spec.acme.preferredChain on an ACME issuer. If this field is set, cert-manager will, after the ACME order has been finalized, retrieve all alternate chains, loop through all certs in each and, once it finds a cert with a common name that matches spec.acme.preferredChain, return that alternate chain. This means that if an ACME server returns two alternate chains such as X<-Y<-Z and X<-Y, there is no good way to request the shorter chain, as it does not have a unique common name.
This could be fixed by looking only at the root-most cert of each alternate chain, similarly to the fix implemented in certbot#8596.
Note: the cert chains being looked at to find the preferred chain only include the alternate chains, so this bug would only cause issues in scenarios where an alternate chain is a subset of another alternate chain, not of the current preferred chain (so, for example, trying to select the current LE alternate chain would not be affected).
See also https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1633614233284000
/kind bug
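The two selection strategies side by side, as an added illustration that is not cert-manager's own code: the chains are constructed x509.Certificate structs with only the subject set, the long chain X<-Y<-Z is assumed to be listed before the short chain X<-Y, and chains are assumed to be ordered leaf first, root-most last.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// cn builds a constructed certificate carrying only a subject common name.
func cn(name string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}}
}

// exampleChains reproduces the issue's scenario: the ACME server offers both
// the long alternate chain X<-Y<-Z and the short alternate chain X<-Y.
func exampleChains() [][]*x509.Certificate {
	return [][]*x509.Certificate{
		{cn("X"), cn("Y"), cn("Z")}, // long chain, listed first
		{cn("X"), cn("Y")},          // short chain
	}
}

// selectByAnyCN: current behaviour, first chain containing any matching CN wins.
func selectByAnyCN(chains [][]*x509.Certificate, preferred string) int {
	for i, chain := range chains {
		for _, c := range chain {
			if c.Subject.CommonName == preferred {
				return i
			}
		}
	}
	return -1
}

// selectByRootCN: proposed fix, only the root-most (last) cert's CN is compared.
func selectByRootCN(chains [][]*x509.Certificate, preferred string) int {
	for i, chain := range chains {
		if n := len(chain); n > 0 && chain[n-1].Subject.CommonName == preferred {
			return i
		}
	}
	return -1
}

func main() {
	chains := exampleChains()
	fmt.Println("preferredChain=Y, any-CN match picks chain:", selectByAnyCN(chains, "Y"))   // 0 (long chain)
	fmt.Println("preferredChain=Y, root-CN match picks chain:", selectByRootCN(chains, "Y")) // 1 (short chain)
}
```

With preferredChain set to Y, the any-CN match can never return the short chain because the long chain also contains Y; comparing the root-most CN makes the short chain selectable.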