preferredChain attribute on Clusterissuer doesn't pull ISRG X1 root certificate on lets-encrypt provider #6475

@AstritCepele


Using the below ClusterIssuer with preferredChain ISRG Root X1 it is creating the default chain:

`certigo dump cert.crt`:

```
** CERTIFICATE 1 **
Input Format: PEM
Valid: 2023-11-13 19:40 UTC to 2024-02-11 19:40 UTC
Subject:
        CN="domain.domain"
Issuer:
        C=US, O=Let's Encrypt, CN=R3
DNS Names:
        "domain.domain"

** CERTIFICATE 2 **
Input Format: PEM
Valid: 2020-09-04 00:00 UTC to 2025-09-15 16:00 UTC
Subject:
        C=US, O=Let's Encrypt, CN=R3
Issuer:
        C=US, O=Internet Security Research Group, CN=ISRG Root X1

** CERTIFICATE 3 **
Input Format: PEM
Valid: 2021-01-20 19:14 UTC to 2024-09-30 18:14 UTC
Subject:
        C=US, O=Internet Security Research Group, CN=ISRG Root X1
Issuer:
        O=Digital Signature Trust Co., CN=DST Root CA X3
```

code:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lets-encrypt-production
spec:
  acme:
    email: 
    preferredChain: "ISRG Root X1"
    privateKeySecretRef:
      name: XXX
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
     ...
```

Certificate yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-test
  namespace: cert-manager
spec:
  dnsNames:
  - 'domain.domain'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: lets-encrypt-production
  renewBefore: 360h0m0s
  secretName: XXX
```

Expected behaviour:

`certigo dump cert.crt`:

```
** CERTIFICATE 1 **
Input Format: PEM
Valid: 2023-11-13 19:40 UTC to 2024-02-11 19:40 UTC
Subject:
        CN="domain.domain"
Issuer:
        C=US, O=Let's Encrypt, CN=R3
DNS Names:
        "domain.domain"

** CERTIFICATE 2 **
Input Format: PEM
Valid: 2020-09-04 00:00 UTC to 2025-09-15 16:00 UTC
Subject:
        C=US, O=Let's Encrypt, CN=R3
Issuer:
        C=US, O=Internet Security Research Group, CN=ISRG Root X1
```

**Steps to reproduce the bug**:
1. Create a clusterIssuer with preferredChain "ISRG X1 root" and lets-encrypt provider

**Anything else we need to know?**:

**Environment details**:
- Kubernetes version: v1.26.6
- Cloud-provider/provisioner: Azure/lets-encrypt
- cert-manager version: v1.13.2
- Install method: e.g. helm

/kind bug
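
A quick way to tell the two chains in this report apart, as an added example that is not part of the original issue or of cert-manager: it parses `certigo dump` text output, checks that each certificate names the next one as its issuer, and compares the top-most issuer CN with the `preferredChain` value. The function names and the trimmed sample are constructed for illustration, and the comparison is by name only, with no signature verification.

```python
import re

# Constructed sample: the chain from the issue in `certigo dump` text form,
# with the Input Format, Valid and DNS Names lines trimmed.
ACTUAL = """\
** CERTIFICATE 1 **
Subject:
        CN="domain.domain"
Issuer:
        C=US, O=Let's Encrypt, CN=R3

** CERTIFICATE 2 **
Subject:
        C=US, O=Let's Encrypt, CN=R3
Issuer:
        C=US, O=Internet Security Research Group, CN=ISRG Root X1

** CERTIFICATE 3 **
Subject:
        C=US, O=Internet Security Research Group, CN=ISRG Root X1
Issuer:
        O=Digital Signature Trust Co., CN=DST Root CA X3
"""
# The chain the reporter expected: the same bundle without the cross-signed cert.
EXPECTED = ACTUAL.split("** CERTIFICATE 3 **")[0]


def parse_dump(text):
    """Return [(subject_cn, issuer_cn), ...] in the order certigo printed them."""
    certs = []
    for block in re.split(r"^\*\* CERTIFICATE \d+ \*\*$", text, flags=re.M)[1:]:
        pair = []
        for label in ("Subject", "Issuer"):
            line = re.search(rf"^{label}:[ \t]*\n[ \t]+(.+)$", block, flags=re.M)
            cn = re.search(r'CN="?([^",]+)', line.group(1)) if line else None
            pair.append(cn.group(1).strip() if cn else None)
        certs.append(tuple(pair))
    return certs


def check_chain(text, preferred):
    """Check name chaining (not signatures) and compare the top issuer CN."""
    certs = parse_dump(text)
    if not certs:
        raise ValueError("no certificates found in dump")
    for (_, issuer), (next_subject, _) in zip(certs, certs[1:]):
        if issuer != next_subject:
            raise ValueError(f"{issuer!r} is not the subject of the next certificate")
    top_issuer = certs[-1][1]
    return {"length": len(certs), "top_issuer": top_issuer, "ok": top_issuer == preferred}
```
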
