Help thread for DST Root CA X3 expiration (September 2021)

Point taken.
YMMV, as their expiry dates are not seen equally by all clients.
The ones that can "short-circuit" the validation will use the longer date explicitly seen in their trust store.
The ones that can't must rely on the validity of the signer (outside of the root itself).


Yes, correct. I just was trying to clarify this question:


Hi Let's Encrypt,

I have followed the news about the expiration of X3 and I thought that I didn't have to do any changes for my website. But now I can see that my traffic has fallen by 20% and several browsers are not able to access the site without the big warning of an invalid certificate.

When I look at the chain it is as follows

DST Root CA X3

and it says

This certificate is not valid (expired root)

Any help would be most appreciated.



Hi @mmncs and welcome to the LE community forum

I would try switching to the alternate/shorter trust path chain.
How that is done on your server depends on many things...
How much access do you have to it?
Are you an admin or only make changes through a menu/panel?


Hi rg305,

I have full access and right now I am trying to upgrade my certbot to 1.12 where I have the command:

--preferred-chain "ISRG Root X1"

I have tried to add it to the letsencrypt conf file like this:

authenticator = webroot
rsa_key_size = 4096
server =
preferred_chain = ISRG Root X1


If you have certbot lower than 1.12, that entry won't do anything.
You can manually edit the fullchain.pem (or chain.pem) file used and remove the last cert from it.
[for a "quick fix" / temporary workaround - that won't survive renewal; as all cert files will be replaced then]


I have access to the fullchain.pem but I really don't know how I should edit it...

and thank you for your time!


Sorry didn't read, so I just delete the last key I guess...


I'd use: vi, but you can use any text editor.
Like: nano

Look for "-----BEGIN *-----" and "-----END *-----" lines.
They surround the certs.
Simply delete the last cert (and the lines surrounding it).
Save the file.
Restart the web service.

Yes, it has one too many certs.
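
The manual edit described above (remove the last certificate block from fullchain.pem, keeping the original), as an added shell example that is not part of the original posts. The function names and the three-block sample chain are constructed for illustration; the sample bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# drop_last_cert FILE: remove the final certificate block from FILE and
# keep the original as FILE.bak. Refuses when FILE holds fewer than two
# certificates, so the leaf is never the block that gets removed.
drop_last_cert() {
    file=$1
    total=$(count_certs "$file")
    if [ "$total" -lt 2 ]; then
        echo "refusing: $file holds $total certificate(s)" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    # Print everything up to, but not including, the last BEGIN line.
    # Writing with cat (not mv) keeps a symlinked fullchain.pem a symlink.
    awk -v keep="$((total - 1))" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n <= keep { print }
    ' "$file.bak" > "$file.tmp" &&
        cat "$file.tmp" > "$file" &&
        rm -f "$file.tmp"
}

# Constructed sample: leaf, intermediate, then the cross-signed cert
# that chains up to the expired root.
demo_chain() {
    for name in LEAF R3-INTERMEDIATE X1-CROSS-SIGNED-BY-DST-X3; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "CONSTRUCTED-$name" '-----END CERTIFICATE-----'
    done
}

tmp=$(mktemp -d)
demo_chain > "$tmp/fullchain.pem"
drop_last_cert "$tmp/fullchain.pem"
echo "certificates served now: $(count_certs "$tmp/fullchain.pem")"
```

The web service still has to be restarted afterwards, and the change is replaced at the next renewal, as the posts above say.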


Invalid certificate

Now it says that this certificate was signed by an untrusted issuer, but the chain has changed to:

ISRG Root X1
-- R3


If you check the site with SSL Labs, and it shows OK there, then this new problem is within your client.
Which implies it doesn't have the latest ca-certificates (or Windows Update or Mac update or etc.)


I have tried access on Opera and Chrome and I can see that it has removed

DST Root CA X3

But it still doesn't work on either. This is on my older mac.

Here is the overall rating:

Overall rating: B

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

If it is below 10.12, you might have issues.


It is 10.9.5

Is there any way to get it working then?

Try this "fix":


Is that something I have to install on the mac?

Since I have had others who have contacted me who get the same error and I can see that my traffic has decreased about 20%, which very well could be because of this warning, and I have no way to ask people who visit the site to install anything.

I have followed this issue and saw the video where they said there would be no issues with browsers and it seems that more people than you would think are using very old laptops.


If this is affecting systems outside your control...
Then I can only think of one immediate solution:

  • You need to switch to another entirely different chain.
    Like from another (free) CA that is ACME protocol friendly.

So Let's Encrypt doesn't work on older laptops?

It's not Let's Encrypt that fails to work.
It's the lack of updated trust stores (and relevant TLS libraries).

Older... yes
Really old... probably not.
[eventually such older systems will have problems with all CAs - LE was just the first to expire]

I can no longer hear your radio station - on my A.M. radio.


So this is not a decision from Let's Encrypt?

The big problem is that people who visit the site will think it is a virus filled site...

Stealing their credit card information as it states in Chrome. If it just said they have to update their system then it would be another story.