diff --git a/core/base/requirements-prod.txt b/core/base/requirements-prod.txt
index 1883b906..5bd0c5a1 100644
--- a/core/base/requirements-prod.txt
+++ b/core/base/requirements-prod.txt
@@ -12,7 +12,7 @@ cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
 colorclass==2.2.2
-cryptography==41.0.7
+cryptography==42.0.5
 defusedxml==0.7.1
 Deprecated==1.2.14
 dnspython==2.5.0
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 4ddc1733..73cc085c 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -92,7 +92,11 @@ def format_for_nginx(fullchain, output, strip_CA=args.get('LETSENCRYPT_SHORTCHAI
 chain = x509.load_pem_x509_certificates(f.read())
 builder = PolicyBuilder().store(Store([ISRG_ROOT_X1, ISRG_ROOT_X2]))
 verifier = builder.build_server_verifier(DNSName(chain[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value))
- valid_chain = verifier.verify(chain[0], chain[1:])
+ try:
+ valid_chain = verifier.verify(chain[0], chain[1:])
+ except Exception as e:
+ log.error(e)
+ valid_chain = chain
 log.info(f'The certificate chain looks as follows for {fullchain}:')
 indent = ' '
 has_found_PIN = False
@@ -113,7 +117,7 @@ def format_for_nginx(fullchain, output, strip_CA=args.get('LETSENCRYPT_SHORTCHAI
 for cert in valid_chain:
 if strip_CA and (cert.subject.rfc4514_string() in ['CN=ISRG Root X1,O=Internet Security Research Group,C=US', 'CN=ISRG Root X2,O=Internet Security Research Group,C=US']):
 continue
- f.write(f'{cert.public_bytes(encoding=Encoding.PEM).decode("ascii").strip()}')
+ f.write(f'{cert.public_bytes(encoding=Encoding.PEM).decode("ascii").strip()}\n')
 if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']:
 format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
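Review bot: The new `except Exception` around `verifier.verify` fails open: when the chain does not validate against the pinned ISRG roots, the unverified `chain` is written to the nginx chain file as-is, and `log.error(e)` keeps only the exception text, not where it came from or what the fallback did. If that fallback is deliberate, narrow the clause to the verifier's own `VerificationError` (exported by `cryptography.x509.verification` next to the `PolicyBuilder` and `Store` used here; the import block is outside this hunk) so that programming errors still surface, and record the traceback together with what is being written: `except VerificationError:` / `log.exception(f'Chain verification failed for {fullchain}, writing the unverified chain')`. With `--preferred-chain` dropped from letsencrypt.py in the same commit, this is the path taken for any chain certbot returns that does not lead to those two roots, so the message should be unmistakable in the logs. `format_for_nginx` starts before this hunk and continues past it.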
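Review bot: The rewritten `f.write` line wraps a single expression in an f-string only to append a newline; the PEM bytes from `public_bytes(encoding=Encoding.PEM)` already end in a newline, so `.strip()` followed by `\n` reproduces what the serializer returned. A plainer form that reads as what it does is `f.write(cert.public_bytes(encoding=Encoding.PEM).decode("ascii"))`, or, if the trim is wanted to normalise input, `f.write(cert.public_bytes(encoding=Encoding.PEM).decode("ascii").strip() + '\n')`. The `for` loop belongs to `format_for_nginx`, which starts before this hunk; the `if args['TLS_FLAVOR']` lines after it are module level.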
@@ -131,4 +135,4 @@ conf.jinja("/conf/proxy.conf", args, "/etc/nginx/proxy.conf")
 conf.jinja("/conf/nginx.conf", args, "/etc/nginx/nginx.conf")
 conf.jinja("/dovecot_conf/login.lua", args, "/etc/dovecot/login.lua")
 conf.jinja("/dovecot_conf/proxy.conf", args, "/etc/dovecot/proxy.conf")
-os.system("killall -HUP nginx dovecot")
+os.system("killall -q -HUP nginx dovecot")
diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index e3d53f2f..a8abbee7 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -23,7 +23,6 @@ command = [
 "--keep-until-expiring",
 "--allow-subset-of-names",
 "--renew-with-new-domains",
- "--preferred-chain 'ISRG Root X1'",
 "--config-dir", "/certs/letsencrypt",
 "--post-hook", "/config.py"
 ]
@@ -39,7 +38,6 @@ command2 = [
 "--allow-subset-of-names",
 "--key-type", "ecdsa",
 "--renew-with-new-domains",
- "--preferred-chain 'ISRG Root X1'",
 "--config-dir", "/certs/letsencrypt",
 "--post-hook", "/config.py"
 ]
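Review bot: `-q` silences killall's "no process found" complaint, but the status returned by `os.system` is still discarded, so a reload that reaches neither nginx nor dovecot now leaves no trace at all (killall still exits non-zero when nothing was signalled, as far as I recall; worth confirming on the image's killall). Prefer the argument-list form and log a non-zero status rather than a shell string: `rc = subprocess.run(['killall', '-q', '-HUP', 'nginx', 'dovecot']).returncode` followed by `if rc: log.warning('killall -HUP nginx dovecot exited with %s', rc)`. `subprocess` needs importing if the file does not already do so; the import block is outside this hunk.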