Not finding preferred-chain (but certbot does) (DNS challenge) #1294

Closed
damycra opened this issue Nov 20, 2020 · 2 comments · Fixed by #1298
damycra commented Nov 20, 2020

docker run -it -v $(pwd)/lego:/.lego --env-file aws.env goacme/lego:v4.1.1 \
    --email=me+lego@example.com \
    --server=https://acme-staging-v02.api.letsencrypt.org/directory \
    --dns=route53 --domains=legotest.example.com run \
    --preferred-chain="Fake LE Root X2"

[data edited to remove specific domains]

Expected

...
2020/11/20 14:53:36 [INFO] [legotest.example.com] Server responded with a certificate for the preferred certificate chains "**Fake LE Root X2**".

Actual

2020/11/20 14:06:37 No key found for account me+lego@example.com. Generating a P256 key.
2020/11/20 14:06:37 Saved key to /.lego/accounts/acme-staging-v02.api.letsencrypt.org/me+lego@example.com/keys/me+lego@example.com.key
2020/11/20 14:06:38 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n

2020/11/20 14:06:40 [INFO] acme: Registering account for me+lego@example.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/11/20 14:06:40 [INFO] [legotest.example.com] acme: Obtaining bundled SAN certificate
2020/11/20 14:06:40 [INFO] [legotest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/158385252
2020/11/20 14:06:40 [INFO] [legotest.example.com] acme: Could not find solver for: tls-alpn-01
2020/11/20 14:06:40 [INFO] [legotest.example.com] acme: Could not find solver for: http-01
2020/11/20 14:06:40 [INFO] [legotest.example.com] acme: use dns-01 solver
2020/11/20 14:06:40 [INFO] [legotest.example.com] acme: Preparing to solve DNS-01
2020/11/20 14:06:41 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2020/11/20 14:07:29 [INFO] [legotest.example.com] acme: Trying to solve DNS-01
2020/11/20 14:07:29 [INFO] [legotest.example.com] acme: Checking DNS record propagation using [192.168.65.1:53]
2020/11/20 14:07:33 [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]
2020/11/20 14:07:33 [INFO] [legotest.example.com] The server validated our request
2020/11/20 14:07:33 [INFO] [legotest.example.com] acme: Cleaning DNS-01 challenge
2020/11/20 14:07:34 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2020/11/20 14:08:09 [INFO] [legotest.example.com] acme: Validations succeeded; requesting certificates
2020/11/20 14:08:10 [INFO] lego has been configured to prefer certificate chains with issuer "**Fake LE Root X2**", but no chain from the CA matched this issuer. Using the default certificate chain instead.

Certbot example

docker run -it -v $(pwd)/var-log-le:/var/log/letsencrypt -v $(pwd)/etc-le:/etc/letsencrypt \
    --env-file aws.env certbot/dns-route53:v1.9.0 \
    certonly --preferred-chain "Fake LE Root X2" \
    --staging --dns-route53 -m me+certbot@example.com -d cb-test.example.com

tail -28 etc-le/live/cb-test.example.com/fullchain.pem | openssl x509 -text | grep -i fake

Issuer: CN=Fake LE Root X2
Subject: CN=Fake LE Intermediate X1

Happy to look into the code, but might need a couple of pointers! I assume the DNS challenge is irrelevant but it's the only one I have working here. I discovered this after trying to get traefik to use the preferredChain (with the live acme setup).

See also
LetsEncrypt post indicating the changes are live
PR 1227
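The check that the certbot `tail | openssl x509 | grep` above performs by hand, written up as an added Go example (it is neither lego's code nor the fix in #1298): parse the fullchain the CA returned and compare the requested root name with the Issuer of the last certificate in the bundle, not with the leaf's issuer. The certificates are constructed inside the block; `signCert`, `constructedFullchain` and the constructed key material are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
)

// chainTopIssuer returns the Issuer CN of the last cert in a leaf-first PEM bundle ("" if empty or malformed).
func chainTopIssuer(bundle []byte) string {
	issuer := ""
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "" // a malformed chain must never match a preferred root by accident
		}
		issuer = c.Issuer.CommonName
	}
	return issuer
}

// hasPreferredChain matches the requested root against the top of the chain, not against the leaf's issuer.
func hasPreferredChain(bundle []byte, preferred string) bool {
	return chainTopIssuer(bundle) == preferred
}

// signCert mints a throwaway fixture certificate for cn, signed by parent (self-signed when nil).
func signCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only, errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// constructedFullchain mimics the issue's staging fullchain.pem: leaf + intermediate, root omitted.
func constructedFullchain(rootCN string) []byte {
	root, rootKey := signCert(rootCN, true, nil, nil)
	inter, interKey := signCert("Fake LE Intermediate X1", true, root, rootKey)
	leaf, _ := signCert("legotest.example.com", false, inter, interKey)
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})...)
}
```

Running `hasPreferredChain` over the bundle lego writes to disk after `run` is a cheap post-issuance check that the chain you asked for is the one you got.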

@ldez ldez added the area/lib label Nov 20, 2020
@ldez ldez self-assigned this Nov 20, 2020
@ldez ldez added the bug label Nov 21, 2020
ldez commented Nov 21, 2020

Hello,

thank you very much for pointing out this problem, I don't understand why I didn't see the problem when merging the PR that introduced this. 😞

I fixed the issue in the PR #1298

damycra commented Nov 21, 2020

Thanks for fixing it so quickly! Traefik itself was not logging (for me, at least) that the preferred chain was not being found, which perhaps reduced visibility of the problem. Enjoy your weekend!
