The decision to override the defualt intermediate (as of July 8, 2019) is driven by a desire for websites using these certificates to retain maximum device compatibility (for example, with very old Android devices).
Once the cross-signed intermediate is expired, the plugin will automatically fall back to using the default (signed by ISRG Root X1) intermediate.
FEATURE: The ssl renew CLI has two new flags:
--dry-run : Performs a dry-run of renewal. By default, for all domains in the cPanel user’s account.
--virtualhost : Limits the renewal or dry-run to a specific virtualhost.
FIX: Fix a case where issuing a wildcard certificate would result in two certificates being issued.
This would only happen when a cPanel account has a wildcard virtualhost in addition to the base virtualhost, e.g. example.com AND *.example.com.
When encountering this ambiguity, the plugin will now choose the intended virtualhost correctly and only issue one certificate.
FIX: Dry-runs now deactivate their ACME authorizations once they have completed.
This avoids successful authorizations being re-used during subsequent dry-runs.This previously cause dry-runs to succeed without actually testing anything.
FIX: DNS-01 validations now create TXT records with a TTL of 1 second (previously 360 seconds).
This fixes a case where if a specific domain name is involved in two certificate issuances less than 60 seconds apart (for example, this can happen with wildcards), the DNS-01 verification process could fail.