diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
index 710a2e6..705acbe 100644
--- a/roles/letsencrypt/defaults/main.yml
+++ b/roles/letsencrypt/defaults/main.yml
@@ -16,6 +16,14 @@ letsencrypt_challenge: http
 # letsencrypt_dns_provider: gandi
 # letsencrypt_dns_provider_options: '--api-protocol=rest'
 # letsencrypt_dns_auth_token: XXXX
+
+# Specify a preferred chain of intermediate certs
+# If not specified, it'll use the short ISRG Root X1 chain
+# (not signed with the expired DST Root CA X3)
+# The special value "default" means to omit the directive, and use the default
+# dehydrated value
+# letsencrypt_preferred_chain: default
+
 # letsencrypt_certs: []
 # letsencrypt_certs:
diff --git a/roles/letsencrypt/templates/config.j2 b/roles/letsencrypt/templates/config.j2
index 40554b6..afaf8cc 100644
--- a/roles/letsencrypt/templates/config.j2
+++ b/roles/letsencrypt/templates/config.j2
@@ -10,7 +10,11 @@ KEYSIZE="{{ letsencrypt_key_size | default('4096') }}"
 HOOK=/usr/{{ (ansible_os_family == 'Debian') | ternary('local/','') }}bin/dehydrated_hooks
 RENEW_DAYS="{{ letsencrypt_renew_days | default('30') }}"
 PRIVATE_KEY_RENEW="yes"
+{% if letsencrypt_preferred_chain is not defined %}
 PREFERRED_CHAIN="{{ letsencrypt_openssl_version.stdout is version('1.1', '>=') | ternary('ISRG Root X1','issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1') }}"
+{% elif letsencrypt_preferred_chain != 'default' %}
+PREFERRED_CHAIN={{ letsencrypt_preferred_chain | quote }}
+{% endif %}
 {% if letsencrypt_key_algo | default('rsa') in ['rsa', 'prime256v1', 'secp384r1' ] %}
 KEY_ALGO={{ letsencrypt_key_algo | default('rsa') }}
 {% endif %}
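Review bot: The new comment block in defaults/main.yml does not say that the expected format of `letsencrypt_preferred_chain` depends on the host's OpenSSL version, which the template's default branch (in the config.j2 hunk) appears to handle by emitting `ISRG Root X1` for OpenSSL 1.1+ and the full `issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1` form otherwise; a user-supplied value gets no such adaptation. Suggest adding after the `(not signed with the expired DST Root CA X3)` line: `# Note: on hosts with OpenSSL < 1.1 dehydrated matches on the full issuer string, so give the value in the "issuer= /C=.../CN=..." form rather than the bare CN`. Also worth stating that the value is written verbatim into the dehydrated config as a shell variable, so operators know it is shell-escaped by the template rather than validated.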
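Review bot: The `{{ letsencrypt_preferred_chain | quote }}` line relies on the `quote` filter for correctness but nothing says why, and the output style (single-quoted, from shell escaping) differs from the double-quoted `KEY="..."` lines around it. Since this file is consumed as shell variable assignments, an unescaped inventory value would be interpreted by the shell, so the filter is the right choice; add a template comment above the line so it is not "cleaned up" into the surrounding double-quote style: `{# quote: this file is read as shell; shell-escape the operator-supplied value instead of bare double quotes #}`. The `!= 'default'` sentinel check is not documented in the template either; a one-line comment next to the `{% elif %}` pointing at the defaults file would help the next maintainer.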