Setting the preferredChain to "ISRG Root X1" using the ACME provider still picks the old root certificate

[pgier]

Describe the bug:

I'm trying to get a certificate which doesn't require me to use the --insecure option with curl and other clients.
Here's my Issuer config:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
  namespace: opensearch
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Try using this chain because the default one is expired
    preferredChain: "ISRG Root X1"
    # Email address used for ACME registration
    email: me@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: my-acme-key
    # Enable the DNS-01 challenge provider
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - selector: {}
      dns01:
        route53:
          accessKeyID: <mykey>
          region: us-east-2
          secretAccessKeySecretRef:
            key: secret-access-key
            name: route53-credentials-secret

Sending a GET request to my server configured with this certificate gives me an SSL error.

curl: (60) SSL certificate problem: unable to get local issuer certificate

Using the openssl command

openssl s_client -connect my-server.example.com

Shows the following certificate chain

CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=my-server.example.com
   i:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3
 1 s:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3
   i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1
 2 s:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1
   i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Doctored Durian Root CA X3

Expected behaviour:
I expected the last certificate in the chain to be the ISRG Root X1 one, but it seems to be the same whether I use the
preferredChain setting or not.

Environment details::

• Kubernetes version: 1.21
• Cloud-provider/provisioner: GCP
• cert-manager version: 1.7.0
• Install method: helm

/kind bug

I saw two similar issues #4413 and #4491 but they seem to have been closed without any specific fix.

[pgier]

I think I found the problem. When I changed from using the staging server:

server: https://acme-staging-v02.api.letsencrypt.org/directory

To the prod server:

server: https://acme-v02.api.letsencrypt.org/directory

The problem disappeared. It seems that the preferredChain setting doesn't work with the staging
server. It would probably be good to add a note about this in the docs, this drove me crazy for several hours :(

[irbekrm]

It seems that the preferredChain setting doesn't work with the staging
server

It should work with any ACME implementation.
LetsEncrypt staging server though does not use the same root/intermediate certs as their prod server, see staging cert hierarchy, prod cert hierarchy. (We don't link those in our docs as the ACME issuer is not LetsEncrypt specific).

[pgier]

@irbekrm Thanks, your explanation makes sense, I'll close the issue.