I ran this command: sudo certbot --nginx --preferred-chain "ISRG Root X1"
It produced this output: Your existing certificate has been successfully renewed, and the new certificate has been installed.
My web server is (include version): nginx version: nginx/1.19.6
The operating system my web server runs on is (include version): Debian 9
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0
Hello,
For several months, I have had users complaining that they can no longer access certain sub-domains of my site because of an expired SSL certificate. After checking, they are all under Windows NT or old versions of Mac OS or Android.
So I tried to follow the recommendations of this forum, I upgraded certbot to the latest version and regenerated the ssl certificates with this command "sudo certbot --nginx --preferred-chain "ISRG Root X1""
On my side everything works, however I don't know how I can check if the option has been taken into account. Is there a way to check it? In /etc/letsencrypt/live/ I have the files/shortcuts that have been updated (according to the date of the last modification). But I would like to be sure that the access to the subdomains is restored for the old devices.
I don't have an old computer or mobile to do the test and unfortunately I didn't get any response from my users who encountered this problem.
Well, you may have traded joy for one group of people for sadness of others.
Using the "short chain" will prevent older Android devices from connecting safely. See more about that here
But, to answer your question, you can see the chain your server sends with a site like below. If it ends in ISRG Root X1 (2 certs) it is the short chain, if in DST Root CA X3 (3 certs) it is the long chain.
Oh ok I see, thank you. After checking, I've switched to "ISRG Root X1". According to what you say, the old devices under Android will not be able to access it anymore but Windows NT and old mac OS devices will be able to access it again?
Is there any way to make it compatible for everyone?
If you need to support a wide variety of older devices that don't get updates, you could try using a different Certificate Authority. Maybe one of the other free ones like ZeroSSL
The default Let's Encrypt cert is the 'long chain' for a good reason and those people who can't use your site are also unable to use many other sites without warning message (such as this forum). If there are only a couple they might be happy to be guided on how to update their systems. The ISRG Root X1 root cert that they are missing has been out for over 5 years.
It's unlikely, I think, that ancient OSes have the ISRG Root X1 root certificate in their root certificate store. So for those very old OSes of which the root certificate store hasn't been updated since the ISRG Root X1 was accepted in major root certificate programs (approx. 5 years ago), it really doesn't matter which chain you're using. You can find out more about that here: Certificate Compatibility - Let's Encrypt
In the end, you might conclude Let's Encrypt is not the best free CA for your target audience. That said, other root certificates of other CAs also have this limitation one way or another. Maybe not now, but some day in the future, as root certificates will eventually expire. But maybe there is a different free CA better for your target.
Thank you. Until I find a real solution, I created different domains for the old and new certificates. I know it's not optimized but it's better than leaving it alone.
I will look for a real solution in the next weeks.