Let's Encrypt Certificates not working on older Android devices #2790

Closed
rrooggiieerr opened this issue Dec 8, 2022 · 4 comments
@rrooggiieerr

Describe the issue you are experiencing

Older Android devices are not working with the SSL certificates created by the Let's Encrypt add-on because the add-on uses the "ISRG Root X1" preferred chain. If it used the default preferred chain, "DST Root CA X3", older Android devices would be able to use the SSL certificates.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

4.12.7

Steps to reproduce the issue

Use an old Android device and browse to an SSL-enabled HA instance; it won't work. Create an SSL certificate using the "DST Root CA X3" default chain and you can connect using SSL.

System Health information

System Information

version: core-2022.12.0
installation_type: Home Assistant OS
dev: false
hassio: true
docker: true
user: root
virtualenv: false
python_version: 3.10.7
os_name: Linux
os_version: 5.15.61-v8
arch: aarch64
timezone: Europe/Amsterdam
config_dir: /config

Home Assistant Community Store

GitHub API: ok
GitHub Content: ok
GitHub Web: ok
GitHub API Calls Remaining: 4934
Installed Version: 1.28.4
Stage: running
Available Repositories: 1153
Downloaded Repositories: 9

Home Assistant Cloud

logged_in: false
can_reach_cert_server: ok
can_reach_cloud_auth: ok
can_reach_cloud: ok

Home Assistant Supervisor

host_os: Home Assistant OS 9.3
update_channel: stable
supervisor_version: supervisor-2022.11.2
agent_version: 1.4.1
docker_version: 20.10.18
disk_total: 57.8 GB
disk_used: 11.7 GB
healthy: true
supported: true
board: rpi4-64
supervisor_api: ok
version_api: ok
installed_addons: File editor (5.4.2), Terminal & SSH (9.6.1), Home Assistant Google Drive Backup (0.109.2), Let's Encrypt (4.12.7)

Dashboards

dashboards: 1
resources: 2
views: 11
mode: storage

Recorder

oldest_recorder_run: November 28, 2022 at 19:49
current_recorder_run: December 8, 2022 at 21:44
estimated_db_size: 547.85 MiB
database_engine: sqlite
database_version: 3.38.5

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response

@rrooggiieerr
Author

This file has the --preferred-chain option for certbot.
https://github.com/home-assistant/addons/blob/master/letsencrypt/rootfs/etc/services.d/lets-encrypt/run

If "DST Root CA X3" were the value there instead of "ISRG Root X1", older Android devices would also be able to work with the certificates.

If there were a configuration option, maybe only visible when "Show unused optional configuration options" is enabled, where the preferred chain could be configured, that would also be a nice option.
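
One way the configurable preferred chain suggested in the comment above could be wired into a shell run script, as an added example that is not the add-on's own code. The function names are hypothetical, and the allowlist contains only the two chain names quoted in this issue, so a free-form setting never reaches the certbot command line unchecked.

```shell
#!/bin/sh
# Added example, not the add-on's run script. Function names are hypothetical.
# The allowlist holds only the two chain names quoted in this issue.

DEFAULT_CHAIN="ISRG Root X1"   # the value the issue says the add-on passes today

# Print the chain name to use. An empty setting falls back to the default;
# anything not on the allowlist is rejected instead of reaching certbot.
resolve_preferred_chain() {
    pc_requested=${1:-$DEFAULT_CHAIN}
    case "$pc_requested" in
        "ISRG Root X1" | "DST Root CA X3")
            printf '%s\n' "$pc_requested"
            ;;
        *)
            printf 'unsupported preferred chain: %s\n' "$pc_requested" >&2
            return 1
            ;;
    esac
}

# Usage: with_preferred_chain "<configured value>" certbot certonly <other args>
# Appends the option as two separate argv elements, so the space-containing
# chain name is never word-split into extra arguments.
with_preferred_chain() {
    pc_setting=$1
    shift
    pc_chain=$(resolve_preferred_chain "$pc_setting") || return 1
    "$@" --preferred-chain "$pc_chain"
}
```
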

@github-actions

github-actions bot commented Jan 7, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Jan 7, 2023
@github-actions github-actions bot closed this as not planned Jan 14, 2023
@rrooggiieerr
Author

I have created a pull request which solves the matter, but it has not been accepted yet.

@darth-aragoth

Are there any changes in this matter?
