From e45031ca0ddc8f9b7b9a7bae381650b3c9309a23 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Sat, 7 Nov 2020 14:45:05 +0000
Subject: [PATCH] Tell certbot to prefer the legacy "DST Root CA X3" chain

---
 cookbooks/letsencrypt/files/default/bin/renew       | 1 +
 cookbooks/letsencrypt/templates/default/request.erb | 1 +
 2 files changed, 2 insertions(+)

diff --git a/cookbooks/letsencrypt/files/default/bin/renew b/cookbooks/letsencrypt/files/default/bin/renew
index 6a0482185..2b7e6b4a8 100755
--- a/cookbooks/letsencrypt/files/default/bin/renew
+++ b/cookbooks/letsencrypt/files/default/bin/renew
@@ -4,6 +4,7 @@ cd /srv/acme.openstreetmap.org
 
 /usr/bin/certbot renew \
     --quiet \
+    --preferred-chain "DST Root CA X3" \
     --config-dir /srv/acme.openstreetmap.org/config \
     --work-dir /srv/acme.openstreetmap.org/work \
     --logs-dir /srv/acme.openstreetmap.org/logs \
diff --git a/cookbooks/letsencrypt/templates/default/request.erb b/cookbooks/letsencrypt/templates/default/request.erb
index eaefa5bbe..365b315a7 100644
--- a/cookbooks/letsencrypt/templates/default/request.erb
+++ b/cookbooks/letsencrypt/templates/default/request.erb
@@ -4,6 +4,7 @@
 
 /usr/bin/certbot certonly \
     --non-interactive \
+    --preferred-chain "DST Root CA X3" \
     --config-dir /srv/acme.openstreetmap.org/config \
     --work-dir /srv/acme.openstreetmap.org/work \
     --logs-dir /srv/acme.openstreetmap.org/logs \
-- 
2.43.2