Automatically accepting rotated certificates

I am the IT Support contact for my company; our customers use APIs to send data to us using one of the three domains above.

Recently a small number of our customers' APIs have stopped sending through files due to the recent certificate rotations. We have advised them of the certificate change, but their concern is that they will now have to manually update the certificates every 90 days.

We believe there should be a way for our customers to automate this process, accepting a new certificate when the old one expires, but this is currently the stumbling block.

My understanding of the process is limited, hence this post, so apologies if this is wrong. Our customers' API installs the ISRG Root X1 certificate and the domain certificate; the question is, when the domain certificate expires, what does our customers' API need to do to automatically accept the new rotated domain certificate?

So to get facts straight:

  • Your company is offering an API server, using Let's Encrypt certificates;
  • Your customers are using that API using some kind of client, but themselves do not use Let's Encrypt certificates (e.g. as client certificates for authentication or something similar).

If the above is correct, I'm puzzled why a certificate renewal would cause any issue with your customers to begin with. The validation path ends with the root certificate, which is of course required to be in the root certificate store of the API client. But the leaf certificate of the API should not be pinned at all? Your customers should not have any trouble when you renew the leaf certificate of your API server.

So I'm puzzled.

Of course it could be the case that your "small number of our customers APIs" that were having troubles were relying on the long chain with the DST Root CA X3 root certificate, which expired two and a half years ago already. In that case the only thing they should do is trust ISRG Root X1 (and probably also ISRG Root X2 for completeness). That would also indicate those customers are using clients which are ANCIENT, and are probably cause for concern.

5 Likes

Your customers should not need to install the leaf certificate. They should automatically trust any leaf certificate you get/renew by virtue of having trusted the ISRG Root X1 certificate.

4 Likes
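The two replies above make the same point: a client that trusts the root accepts every leaf the CA issues, while a client that "installed" the leaf breaks on each renewal. The Go program below is an added example, not code from either reply, from Let's Encrypt or from the original poster's API; it builds a throwaway root CA standing in for ISRG Root X1, issues a 90-day leaf for the assumed hostname api.example.com and then a renewed one, and runs both through a root-trusting verifier and a leaf-pinning one. The CA name, hostname, serial numbers and validity windows are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fixed reference time for the demo; every validity window is relative to it.
var now = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)

// issue signs tmpl with parentKey and returns the certificate plus its own key.
// A nil parent means self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot makes a self-signed CA (a stand-in for ISRG Root X1; constructed name).
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-365 * 24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, nil, nil)
}

// newLeaf issues a 90-day server certificate for host, valid from 'from',
// mirroring the Let's Encrypt lifetime the thread is about.
func newLeaf(serial int64, host string, from time.Time, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    from,
		NotAfter:     from.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, ca, caKey)
	return cert
}

// verifyWithRoot is the correct client: only the root sits in its trust store,
// and whatever leaf the server presents is validated against it.
func verifyWithRoot(leaf, root *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// fingerprint is the SHA-256 of the DER certificate, the usual pinning key.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyPinnedLeaf is the broken client: it "installed" one leaf and compares
// fingerprints, so every renewal is rejected until someone updates the pin.
func verifyPinnedLeaf(presented, pinned *x509.Certificate) error {
	if fingerprint(presented) != fingerprint(pinned) {
		return fmt.Errorf("pinned leaf mismatch: got %s...", fingerprint(presented)[:16])
	}
	return nil
}

func main() {
	root, rootKey := newRoot("Demo Root (stand-in for ISRG Root X1)")
	host := "api.example.com" // assumed hostname
	old := newLeaf(1001, host, now.Add(-80*24*time.Hour), root, rootKey) // issued 80 days ago
	renewed := newLeaf(1002, host, now.Add(-24*time.Hour), root, rootKey) // renewed yesterday

	fmt.Println("root-trusting client, old leaf:            ", verifyWithRoot(old, root, host, now))
	fmt.Println("root-trusting client, renewed leaf:        ", verifyWithRoot(renewed, root, host, now))
	fmt.Println("root-trusting client, old leaf 20 days on: ", verifyWithRoot(old, root, host, now.Add(20*24*time.Hour)))
	fmt.Println("leaf-pinning client, old leaf:             ", verifyPinnedLeaf(old, old))
	fmt.Println("leaf-pinning client, renewed leaf:         ", verifyPinnedLeaf(renewed, old))
}
```

The root-trusting client returns nil for both leaves and only fails once the old leaf is genuinely past its NotAfter; the pinning client accepts the leaf it was shipped with and rejects the renewed one even though it chains to the same root. A customer who sees failures at every rotation is doing the second thing, and the fix is to drop the leaf from their configuration and keep only the root.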