Updating the clients will take a lot of time, so it would be good to temporarily get it working again with server side changes. In the explanation above, they say it should be possible to switch to the alternate certificate chain, which Caddy seems to support:
However, we will continue to provide the shorter chain as an alternate, which can be selected by ACME clients that have alternate chain support. To support OpenSSL versions older than 1.1.0, you should configure this shorter chain. This functionality is officially supported by ACME and is already implemented by clients like uacme, Caddy, and Certbot.
But I do not understand how to do that. Maybe somehow with tls.issuer.preferred_chains? But how exactly? Any hint would be very welcome.
Caddy will only get a new certificate once the current one is expiring, or if it is deleted (i.e. doesn’t have one). So if you need a completely different certificate right away, you can delete the current one.
If needed, you can force Caddy to use a specific chain like so:
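As an added illustration (not the configuration posted in this thread), this is the Caddyfile form of the preferred_chains option mentioned in the question; it assumes the acme issuer block syntax of Caddy 2.4 or later and an example hostname:

```caddyfile
# Constructed example: select the shorter (alternate) Let's Encrypt chain.
example.com {
	tls {
		issuer acme {
			# "smallest" picks the chain with the fewest certificates,
			# which is the shorter alternate chain offered by Let's Encrypt.
			preferred_chains smallest

			# Alternative (assumed equivalent here): pin the chain by the
			# common name of its root instead of by length.
			# preferred_chains {
			#     root_common_name "ISRG Root X1"
			# }
		}
	}
	respond "ok"
}
```

The preference is only applied when Caddy next obtains a certificate, so to switch chains immediately you would delete the current certificate from Caddy's storage as described above and let it re-issue.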
The /data directory is where Caddy stores its certificates in the official Docker image. This would probably leak your certs and keys, unless I misunderstand your setup. Please be careful with this!!!
A better directory to use generally for static files is /srv.
I think it should not be a problem here since I’m not using the official Docker image. But thanks anyway for this hint, it’s good to know in case I migrate to the official image some day.