Help thread for DST Root CA X3 expiration (September 2021)

Well, according to the Certificate Compatibility page, anything XP SP3 or newer should work, as long as it's been getting the root certificate updates.

Can you run code on the devices? If you can connect to in whatever program you're running on there, and then see that ISRG Root X1 is in the Windows Certificate Manager as a Root Certificate (assuming that's the trust store your application uses), I think you'd be alright, but it may be hard to test everything for sure.


I tried to check the CA chain for the domain using but I could see R3 had a DST Root CA X3 in the parent CA field (along with ISRG)

Therefore, this domain seems to have a cross signed certificate? or Am I reading it wrong?
If i'm not wrong, you anyone point to a domain which is using the alternate certificate chain?

Additional references to this page in the image -> |,

Thanks in advance!


There are two versions of the R3 intermediate. The cross-signed version and the ISRG Root X1 signed version.

Cross-Signed Version: | 3479778542

ISRG Root X1 Version: | 3334561879

This approach cannot work. is a CT aggregator. This service sees only what certificates were issued, but it does not know which chain was actually send by the service. You searched for who issued certificates for valid-isrgrootx1, and you saw that Let's Encrypts R3 intermediate issued certs for this domain - this is all correct.

However, cannot know which version of the R3 certificate (they're both using the same keypair!) was used, so has to guess here.

In order to retrieve the certificate chain, you need to connect to the service and see what is actually send by the server. This can be done using one of many different tools, e.g openssl:

# openssl s_client -connect

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

As you can see here, the service sends the chain "leaf -> R3 -> ISRG Root X1", as it sends the R3 intermediate signed by ISRG Root X1.


Thank you for the quick response and clarification!


Hello community,
is there a way to stuck with DST Root CA X3?
We are using letsencrypt with certmanager, but even specifying
preferredChain: "DST Root CA X3"
we obtain certs with only ISRG Root X1 as issuer.
We are encountering compatibility problem with some old devices.


These are the two current chains:

  • Default chain: End-entity/leaf certificate (sig R3) ← R3 (sig ISRG Root X1) ← ISRG Root X1 (sig DST Root CA X3)

  • Alternate chain: End-entity/leaf certificate (sig R3) ← R3 (sig ISRG Root X1)

As you can see, neither R3 intermediate is signed by DST Root CA X3 and both chains include ISRG Root X1.

If you want the R3 intermediate signed by DST Root CA X3, you can download it here:

Pinning/installing that intermediate and using only your leaf certificate served by Let's Encrypt will work for now, but you should do whatever you can to try to move forward.

You can construct the old fullchain.pem by putting your new leaf certificate followed by the intermediate downloaded from the link above in a single file.


Since we're now slightly under 90 days until the self-signed certificate for DST Root CA X3 expires, I built a test site which behaves exactly the same way most web sites using Let's Encrypt will behave, but has conveniently not expired until just after DST Root CA X3 does.

This means if you can trick your software or hardware into believing it's now just after DST Root CA X3 expires, it will believe that root certificate has expired, but the certificate for has not. If your system considers that this situation is OK, it should continue to work after the end of September 2021. However, if the system under test reports a certificate expiry then that's a problem and you should begin planning for it now, while you still have about 90 days to develop and test a workaround.

On a Linux system for example, we can use the faketime tool to tell the program curl that it's October 1st:

faketime '2021-10-01 UTC' curl

NB This idea will stop working on October 1st, but by then you will have any problems for real, so such tests will no longer be very useful.



Following a hardware migration and renewing (using dehydrated) my certificates last weekend, I was facing a big problem.
Using the staging environment, all of my certificates were renewed correctly, but with the expired root certificate "durian root ca X3".
Switching to the prod environment, everything went fine again ... but now I'm concerned about the expiration of DST Root CA X3.

I'm looking for what to put in place to protect myself from a disappointment on September 31
I cannot switch to certbot because it is not compatible with my linux distribution (Debian 7 .. yeah ... I know ...)

Thank you


Welcome to the Let's Encrypt Community :slightly_smiling_face:

If having a functioning ACME client is your biggest concern, there are several solutions for that.

I've also authored my own ACME client (CertSage) that isn't listed there yet. It is a single file that only requires your webserver to have functioning PHP.


And if your issue is with the default chain presented by Let's Encrypt, dehydrated supports the --preferred-chain option so you can choose a different chain from the chains offered by the Let's Encrypt end-point.


The only difference between the default and alternate chains at present is that the default chain expects DST Root CA X3 to be in the trust store while the alternate chain expects ISRG Root X1 to be in the trust store. Since both chains at present include ISRG Root X1, if ISRG Root X1 is already present in the trust store, either chain could be verified, regardless of the presence of DST Root CA X3 in the trust store. So, the way I see it, being able to select the alternate chain does not offer any additional compatibility whatsoever. You either have ISRG Root X1 in your trust store or you don't.



Not to worry, my friend. September 31 will never arrive. October 1 will though, so, maybe not.


This is only true for the present, but not after DST Root CA X3 has expired. After that there will be clients that have trouble with the default chain, but will have no problems with the alternate chain.


I would think anyone with ISRG Root X1 in their trust store would have no problems with either chain. Am I missing something?

Maybe it depends upon the sophistication of the client building the chain of trust. Throw out the served ISRG Root X1 signed by an expired certificate (DST Root CA X3) and use the unexpired, self-signed ISRG Root X1 in the trust store.

Without that, I agree that the alternate chain would be needed.


There are quite a few TLS implementations out there (mostly non-browser things: Older OpenSSL, GnuTLS, LibreSSL...) that will always validate up to the highest certificate in the chain:

The behaviour mentioned above applies for example to OpenSSL < 1.1, < mid-2020 GnuTLS & LibreSSL and probably over two dozen embedded TLS implementations.


I wonder what would happen if these clients removed DST Root CA X3 from their trust stores? Failure to verify or find an alternative chain of trust or...?


Yes, quite a few clients can't do that. If you tell them: Here's ISRG Root X1 signed by DST Root CA X3 they can't understand that ISRG Root X1 is a root they know - they will always follow the chain up to DST Root CA X3, no matter what you put into their trust store. This is bad behaviour, but sadly reality.


We had this discussion for CentOS + OpenSSL here:

The results were: Sometimes. It seems to fix OpenSSL 1.0.2, but not OpenSSL 1.0.1.

(I believe this is somehow related to OpenSSL's PARTIAL_CHAIN feature)


That seems to cover all the bases. For being such a sticky problem, it really isn't all that complex, which unfortunately offers limited degrees of freedom to find alternative solutions. :confused:


It seems like the right solution but unfortunately it doesn't work.
Despite the addition of the parameter (--preferred-chain "ISRG Root X1"), the certificate that I renewed continues to have "DST Root CA X3" as root certificate

However, the intermediate certif, is R3 which expires on September 29