Android below 7 stop after certbot renew --preferred-chain "ISRG Root X1" --force-renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot renew --preferred-chain "ISRG Root X1" --force-renewal

It produced this output:

My web server is (include version): Ubuntu 16.04

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

After running certbot renew --preferred-chain "ISRG Root X1" --force-renewal chrome on android below 7.1 not work. Then I run certbot renew --preferred-chain "DST Root CA X3" --force-renewal now its start working on android below but now it fails in Window 7 Chrome.
What should I do so that it start working on both Window 7 and Android below 7.1

Only using --preferred-chain "DST Root CA X3" will work for Android versions older than 7.1.1. Please see Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt for more information about Android compatibility and the role of the certificate chain.

For compatibility with Windows 7 you can search this Community for a lot of information. Personally I have not bookmarked helpful posts I'm afraid, so I cannot help you with that.

1 Like

--preferred-chain "DST Root CA X3 also work on above android 7 and Window above 7. It only fail on Window 7. I have search this form but do not find solution yet.

@joginder89 to solve Windows 7 issues you have several options:

1.- Use an updated Firefox (or at least version 50) as far as I know ISRG Root X1 certificate was added to Firefox in that version.

2.- For some reason Windows 7 is not lazy-loading ISRG Root X1 certificate, maybe because you have turned off updates (even whether Windows 7 is not receiving more updates, it receives them for Trust Stores)... or for whatever reason, so you could try to install it manually, you could use this reg file to do it easier Fixing Windows installs that don't receive updates to their trusted roots - #29 by rmbolger

3.- I don't like this one but you could use another CA to obtain your certificates.


1 Like

@rmbolger has written a piece of the DST Root CA X3 expiry for Windows PCs on Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs but it doesn't look like it's Windows 7 specific.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.