Certbot users: Preparing for the ISRG Root transition (January 11 2021)

On January 11 2021, Let's Encrypt will change its default certificate chain from the legacy Identrust root certificate to its own modern ISRG root certificate. Read more about that change on the Let's Encrypt blog.

For Certbot users, this will happen automatically at certificate renewal. You do not need to do anything to begin using the ISRG certificate chain.

Until July 1 2021[1], Let's Encrypt will also continue to offer the Identrust certificate chain, for those who want to keep using it.

Which chain should I use?

The Identrust certificate chain, which will remain on offer until July 1 2021, is compatible with a slightly larger set of older devices than the ISRG certificate chain.

Known incompatibilities of the ISRG chain include:

  • Android < 7.1.1 (up to 33.8% of Android devices[2], representing 1-5% of traffic[3])
  • iOS < 9 (less than 6% of devices[4])

If you wish to remain compatible with these older devices for an additional 6 months, you may choose to keep using the Identrust chain.

How do I keep using the Identrust certificate chain?

If you wish to keep using the Identrust certificate chain, that option is available in Certbot version 1.6.0 or newer. Check which version you have installed with:

sudo certbot --version

If you have an older version of Certbot, check whether a newer version is available using the official instructions.

Use the Identrust chain for all certificates

To continue using the Identrust chain for all of your certificates, you may configure that option in /etc/letsencrypt/cli.ini by adding this line:

preferred-chain = DST Root CA X3

If you are not comfortable editing files in the terminal, you may also run this command to ensure the line is added (Linux only):

sudo sed -ni -e '/^preferred-chain/!p' -e '$apreferred-chain = DST Root CA X3' /etc/letsencrypt/cli.ini

This change will take effect the next time your certificates renew.
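As an added example (not from this post or the Certbot project), the same idempotent edit written out in Python: it drops any existing `preferred-chain` line and appends the desired one, like the sed command above, but also handles an empty or missing cli.ini, a case where sed's `$a` never fires because there is no last line to append after. The function names `set_preferred_chain` and `update_cli_ini` are hypothetical helpers.

```python
"""Idempotently set `preferred-chain` in Certbot's /etc/letsencrypt/cli.ini."""
from pathlib import Path
import re

# Certbot's cli.ini holds "key = value" lines; lines starting with '#' are
# comments and must be left alone, so only match an uncommented key.
_PREFERRED_CHAIN_RE = re.compile(r"^\s*preferred-chain\s*=")


def set_preferred_chain(lines, chain="DST Root CA X3"):
    """Return cli.ini lines containing exactly one `preferred-chain = <chain>`.

    Every existing (uncommented, possibly indented) preferred-chain line is
    removed first, so running this repeatedly never produces duplicates.
    The new setting is appended at the end of the file.
    """
    kept = [ln for ln in lines if not _PREFERRED_CHAIN_RE.match(ln)]
    # Make sure the previous last line is newline-terminated before appending.
    if kept and not kept[-1].endswith("\n"):
        kept[-1] += "\n"
    kept.append(f"preferred-chain = {chain}\n")
    return kept


def update_cli_ini(path, chain="DST Root CA X3"):
    """Rewrite the file at `path` in place; return True if it was changed.

    A missing file is treated as empty and created, which is where the sed
    one-liner would instead fail or (for an empty file) silently do nothing.
    """
    p = Path(path)
    old = p.read_text().splitlines(keepends=True) if p.exists() else []
    new = set_preferred_chain(old, chain)
    if new != old:
        p.write_text("".join(new))
    return new != old


if __name__ == "__main__":
    # Constructed sample of a typical cli.ini with a competing setting.
    sample = ["email = admin@example.com\n", "preferred-chain = ISRG Root X1\n"]
    print("".join(set_preferred_chain(sample)))
```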

Use the Identrust chain for one certificate only

To use the Identrust chain for a specific certificate only, you may pass the option on the command line when creating or renewing the certificate:

sudo certbot -d example.com --preferred-chain "DST Root CA X3"

What happens after July 1 2021?

After this date, Let's Encrypt will no longer offer the Identrust certificate chain. You do not need to do anything to prepare for this. Certbot will switch to the ISRG certificate chain at the next renewal.


[1]. Although the Identrust cross-sign will expire on September 29 2021, the Let's Encrypt ACME server will stop offering the Identrust certificate chain around 90 days before that date. This is to ensure that all installed certificate chains are valid for the full 90-day lifetime of a Let's Encrypt certificate.

[2]. According to Android Studio statistics as of September 17 2020. Compatibility on these older devices varies by browser.

[3]. According to Let's Encrypt's blog post, Standing on Our Own Two Feet.

[4]. According to Apple iOS Usage statistics as of September 17 2020.
