DST Root X3 deprecation: what will happen on RENEWALS from January 11, 2021?

Hi everyone! I was reading the post and I understood that, starting January 11, 2021, all the new certs will use ISRG Root X1, becoming incompatible with Android 7.1.1<.

What I don't understand is what should I expect with RENEWALS? Meaning: my site is using Let's Encrypt ALREADY, TODAY. Will I get a renewal with ISRG Root X1 after Jan, 11 or will it still use DST Root X3?

Also: I would like to contribute the stats of my site, an Italian tech community:

As you can tell, my stats (relative to ALL the Android access) are north of 16%

2 Likes

Renewals are just new certificates, but with the same hostnames included as a previously issued certificate. Technically, they're just new certificates.

The distinction between "new" certificates and "renewals" is mostly for the calculation of rate limits.

2 Likes

I was pretty sure of that, but I still preferred to get a confirmation. Now I have it, thanks!

2 Likes

Do note: as mentioned in the posts by the Let's Encrypt staff, ACME clients do have some methods of choosing the certificate chain. In theory, this might lead to an ACME client choosing not to use the ISRG root from January 11, but to keep using the old chain to the IdenTrust root.

2 Likes

Here's the source documentation if you require hard proof of what Osiris has correctly explained:

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.


2 Likes