On 11/02/2024 some Let's Encrypt certificates were updated in our cluster, and they were generated with the old certificate chain (signed by DST Root CA X3). We had configured "ISRG Root X1" as preferredChain in the clusterissuer. It seems that after Let's Encrypt's change to the default chain provided, the preferredChain configuration is not working properly.
https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580
To solve this, we removed the preferredChain configuration in the clusterissuer, and the certificate provided by Let's Encrypt was the right one (signed by ISRG Root X1). Is anyone else having this issue?
Our cert-manager version is 1.12.3
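
Added example (not part of the original post, and not cert-manager or Let's Encrypt code): a way to check which root an issued chain actually leads to, by reading the issuer of the last certificate in the PEM bundle. The function names, file names and the "Constructed ..." certificates are assumptions made for illustration; it requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example. Real input would be the tls.crt of the issued Secret, e.g.
#   kubectl get secret <secret-name> -o jsonpath='{.data.tls\.crt}' | base64 -d > bundle.pem
# (<secret-name> is a placeholder). Requires the openssl CLI.

# Print "subject=" / "issuer=" lines for every certificate in a PEM bundle, in file order.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Print the issuer CN of the last certificate in the bundle: the root the served chain leads to.
top_issuer_cn() {
    list_chain "$1" | sed -n 's/^issuer=.*CN *= *//p' | tail -n 1
}

# Succeed only if the bundle chains up to the expected root CN.
chain_ends_at() {
    [ "$(top_issuer_cn "$1")" = "$2" ]
}

# Constructed sample data: leaf <- "Constructed Intermediate" <- "Constructed Root A".
# Written to directory $1 as bundle.pem (leaf + intermediate, like an ACME chain).
# These certificates are only parsed here, never validated.
make_sample_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root A" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 1 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/bundle.pem"
}

# Usage: script.sh bundle.pem "ISRG Root X1"
if [ "$#" -eq 2 ]; then
    if chain_ends_at "$1" "$2"; then echo "OK: chain ends at $2"
    else echo "MISMATCH: chain ends at $(top_issuer_cn "$1")"; exit 1; fi
fi
```

Run against a real bundle with the expected root CN as the second argument; a bundle that ends in the cross-signed certificate reports its issuer, DST Root CA X3, instead.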