diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
index 0362c6c9..8b5f04c7 100644
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
@@ -329,8 +329,9 @@ export class AcmeService {
     isTest?: boolean;
     privateKeyType?: string;
     profile?: string;
+    preferredChain?: string;
   }): Promise<CertInfo> {
-    const { email, isTest, csrInfo, dnsProvider, domainsVerifyPlan, profile } = options;
+    const { email, isTest, csrInfo, dnsProvider, domainsVerifyPlan, profile, preferredChain } = options;
     const client: acme.Client = await this.getAcmeClient(email, isTest);
 
     let domains = options.domains;
@@ -404,6 +405,7 @@ export class AcmeService {
       },
       signal: this.options.signal,
       profile,
+      preferredChain,
     });
 
     const crtString = crt.toString();
diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
index 1b9e452d..1d608648 100644
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
@@ -292,6 +292,29 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
   })
   certProfile!: string;
 
+  @TaskInput({
+    title: "首选链",
+    value: "ISRG Root X1",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: [
+        { value: "ISRG Root X1", label: "ISRG Root X1" },
+        { value: "ISRG Root X2", label: "ISRG Root X2" },
+      ],
+    },
+    helper: "仅 Let's Encrypt 可选，默认为 ISRG Root X1",
+    required: false,
+    mergeScript: `
+    return {
+        show: ctx.compute(({form})=>{
+            return form.sslProvider === 'letsencrypt'
+        })
+    }
+    `,
+  })
+  preferredChain!: string;
+
   @TaskInput({
     title: "使用代理",
     value: false,
@@ -438,6 +461,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
         isTest: false,
         privateKeyType: this.privateKeyType,
         profile: this.certProfile,
+        preferredChain: this.preferredChain,
       });
 
       const certInfo = this.formatCerts(cert);
diff --git a/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts b/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
index a4937cd0..3d5b9420 100644
--- a/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
@@ -934,6 +934,7 @@ export class PipelineService extends BaseService<PipelineEntity> {
                     "sslProvider": "letsencrypt",
                     "privateKeyType": "rsa_2048",
                     "certProfile": "classic",
+                    "preferredChain": "ISRG Root X1",
                     "useProxy": false,
                     "skipLocalVerify": false,
                     "maxCheckRetryCount": 20,