I'm using AKS on Azure and Ingress with a Let's Encrypt certificate (configured by https://docs.microsoft.com/en-us/azure/aks/ingress-static-ip). The certificate chain defaults to DST Root CA X3, but I would like to change it to the alternative ISRG Root X1.
https://letsencrypt.org/certificates/#cross-signing says
Almost all server operators will choose to serve a chain including the intermediate certificate with Subject “Let’s Encrypt Authority X3” and Issuer “DST Root CA X3.”
Can you tell me how I can change the default intermediate certificate to Let’s Encrypt Authority X3 (signed by ISRG Root X1)?
I know ISRG Root X1 should become the default on September 29, 2020 (https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html), so I can just wait (not optimal). But after that, this can be useful for someone who needs to keep DST Root CA X3.
If you are using cert-manager, optional control of the intermediate certificate isn't available yet.
That doesn't stop you from issuing your own certificate with certbot which has added support to select the chain and installing that on the ingress.
Any unknown value for preferred-chain will give you the default chain.

Perhaps a spot late, but this is supported now. You can configure your issuer like this:
See this page for more
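
An added example, not the answerer's own configuration: a cert-manager ClusterIssuer that uses the `preferredChain` field of the ACME issuer to request the ISRG Root X1 chain. The issuer name, e-mail address, secret name and ingress class are placeholders, assumed for illustration.

```yaml
# Added example; every name, the e-mail address and the ingress class are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                   # placeholder issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com               # placeholder contact address
    # Chain to use when the ACME server offers more than one.
    # cert-manager selects a chain by the issuer Common Name of its
    # root-most certificate. This is a preference, not a guarantee:
    # if no offered chain matches, the default chain is used.
    # Use "DST Root CA X3" here to keep the cross-signed chain instead.
    preferredChain: "ISRG Root X1"
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # placeholder secret name
    solvers:
      - http01:
          ingress:
            class: nginx                   # assumes the NGINX ingress controller
```

The chain is chosen at issuance, so check what the ingress serves after the next issuance or renewal with `openssl s_client -connect <host>:443 -showcerts`.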