dns3l / dns3l-core

Core functionality of dns3l written in Go

How ACME client lib builds the chain #45

Closed iaean closed 1 year ago

iaean commented 1 year ago

We need to understand how the daemon's ACME client lib is retrieving and building the chain.

This is important to know to be able to manage and tackle issues where the CA chain is impacted, e.g. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

lnobach commented 1 year ago

dns3ld relies on go-acme/lego's obtaining method. Here, the certificate chain is entirely built from information provided by the ACME provider. The function getAll and its subfunctions traverse the server's issuer certificates, whose URL is indicated by an "up" link in the HTTP headers of their child certificates.

See RFC 8555, Section 7.4.2

https://github.com/go-acme/lego/blob/86d9e5632cf4c978ea63f1ebc2197e20bbdf0180/acme/api/certificate.go#L34

https://github.com/go-acme/lego/blob/86d9e5632cf4c978ea63f1ebc2197e20bbdf0180/acme/api/certificate.go#L86

https://github.com/go-acme/lego/blob/86d9e5632cf4c978ea63f1ebc2197e20bbdf0180/acme/api/certificate.go#L120