Certificate chain no longer includes ISRG Root X1?

I have been using Let's Encrypt certificates for an API server for a while and all has been working fine so far. However, since the last certificate update (Nov 13), old Android clients can no longer access the site. After some debugging I just found that the certificate chain no longer includes ISRG Root X1.

According to Shortening the Let's Encrypt Chain of Trust - Let's Encrypt, this should not happen before Feb 2024. Have plans changed?


What ACME client [and version] are you using?
What was the command last used to renew a cert with such a problem?
What is a domain name that now shows this problem?


Hi @rg305

I am using acme.sh, version 3.0.0.
The command used to renew was acme.sh --renew -d <domain_name>

I have a couple of domains with the same setup. I just took one of them, which had been renewed on Oct 29 and was still working properly (certificate chain included the ISRG Root X1 intermediate certificate). I just tried to force renew (acme.sh --renew -d <domain_name> --force) and indeed the new certificates no longer include the ISRG Root X1 intermediate (breaking old Android clients).

This has been working for a long time until now, so I must assume something has changed on LE's side. But this wasn't supposed to happen until Feb 2024, correct?


Please update to their latest version:


Why? Any info on why that would fix the issue?

It seems strange that all has been working fine with 3.0.0 so far and since a few days ago, after what seems to be a change in LE, I suddenly need to update something on the client-side.

I'm not sure if that would fix the problem.
[but it would, at least, patch a known security issue]
That, and I can only test using v3.0.5 & v3.0.7 and both of those return 3 certs in the fullchain.cer file.


To be clear it included:


There was a mistake that day that enabled the new default chain too early.


Hi @orangepizza,

This would certainly explain what happened with the system where certs were renewed on Nov 13 and where I started seeing the problem.

The strange thing, however, is that I had another system which had renewed certs on Oct 29 and which was working properly. I force renewed certs on this one and I got the short chain too :-?

Moreover, upgrading to acme.sh 3.0.7 seems to have fixed the problem on both systems (after force renewing certs of course).




I upgraded to 3.0.7, renewed certs, now all is good.

I don't quite understand why this works, though. The temporary misconfiguration mentioned here (Shortening the Let's Encrypt Chain of Trust - #2 by aarongable) would explain the problem I was originally seeing, but I don't understand why, after force renewing certs on another host today, I also got the short chain.

Anyway upgrading to 3.0.7 and force renewing seems to have fixed the problem. Thanks!
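
Added example, not part of the thread or of acme.sh: a way to confirm after each renewal whether the served bundle still carries an ISRG Root X1 certificate, by listing the subject and issuer of every certificate in a PEM file such as fullchain.cer. The function names are hypothetical, the DER walk is a minimal one that assumes well-formed X.509, and it reads names only (no signature or validity checks).

```python
import base64, re, sys
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes([0x55, 0x04, 0x03])  # id-at-commonName (2.5.4.3)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """List the elements directly inside a constructed value."""
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def _common_name(buf, start, end):
    """Return the first CN in a Name (SEQUENCE OF SET OF {OID, value}), or None."""
    for _, rs, re_ in _children(buf, start, end):
        for _, a_s, a_e in _children(buf, rs, re_):
            oid, val = _children(buf, a_s, a_e)[:2]
            if buf[oid[1]:oid[2]] == CN_OID:
                return buf[val[1]:val[2]].decode("utf-8", "replace")
    return None

def chain_names(pem_text):
    """Return [(subject_cn, issuer_cn), ...] in file order for a PEM bundle."""
    names = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        _, cs, _ = _tlv(der, 0)             # Certificate SEQUENCE
        _, ts, te = _tlv(der, cs)           # TBSCertificate SEQUENCE
        fields = _children(der, ts, te)
        if fields[0][0] == 0xA0:            # skip the optional [0] version field
            fields = fields[1:]
        issuer, subject = fields[2], fields[4]  # after serial and signature algorithm
        names.append((_common_name(der, *subject[1:]), _common_name(der, *issuer[1:])))
    return names

def includes_isrg_root_x1(pem_text):
    # A cert merely *issued by* ISRG Root X1 does not count; the subject must match.
    return any(subject == "ISRG Root X1" for subject, _ in chain_names(pem_text))

if __name__ == "__main__":  # usage: python3 check_chain.py fullchain.cer
    pem = open(sys.argv[1]).read()
    print(chain_names(pem), "ISRG Root X1 present:", includes_isrg_root_x1(pem))
```

Run against the bundle before and after a renewal, a drop from three entries to two with no "ISRG Root X1" subject is the short chain described in this thread.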



