Today I ran into a problem where a freshly issued Let’s Encrypt certificate was issued from the YE2 hierarchy. SSL Labs reported the certificate as untrusted, Firefox showed SEC_ERROR_UNKNOWN_ISSUER, and OpenSSL failed to build a trusted chain.
My Caddy configuration contained:
preferred_chains smallest
After removing that option, deleting the affected certificate from Caddy’s storage, and restarting Caddy, Caddy immediately obtained a new certificate. The replacement certificate was issued from the YE1 hierarchy and validated correctly in Firefox, OpenSSL, and SSL Labs.
I have not fully investigated whether this is related to the current state of trust store support for the newer YE2 hierarchy or to chain selection behaviour, but if you encounter similar validation errors, it may be worth testing without preferred_chains smallest.
In my case, removing that setting completely resolved the issue.
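As an added illustration (not the original poster's configuration, and not something from the Caddy project), here is how the setting sits in a Caddyfile's global options block, with the line that was removed shown next to the minimal configuration that worked. The site name example.com is a placeholder.

```caddyfile
# Before: global options block with the chain preference that was removed.
# "smallest" asks the ACME client to prefer the shortest chain offered by
# the CA, which on this host resolved to the newer YE2 hierarchy.
{
	preferred_chains smallest
}

example.com {
	respond "ok"
}

# After: no preferred_chains option, so Caddy keeps the CA's default chain
# (the YE1-issued certificate validated in Firefox, OpenSSL and SSL Labs).
# Remember to delete the already-issued certificate from Caddy's storage
# and restart Caddy so a fresh certificate is requested.
{
}

example.com {
	respond "ok"
}
```

To confirm which hierarchy a live host is serving after the change, a quick check is `openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -issuer`, which prints the issuer of the leaf certificate; `openssl s_client -showcerts` shows the full chain the server sends.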
For anyone wanting to see what the problem looked like before the fix, I still have another host currently exhibiting the same behaviour: