How do we stick to IdenTrust cross-signed after September


So according to the news

Let’s Encrypt plans to move to the ISRG signed intermediate certificate from September 29 onwards. There was a line that states those wishing to support old SSL clients may can manually configure servers to use the cross signed intermediate cert. What does this mean?

We either keep the cross signed one or obtain it from their website and, create and install full chain ourselves?

Many ACME clients have been, or are being updated to support automatic chain selection according to user preference.

What client are you using?

thanks for being understanding!

I’m using certbot

Certbot gained the ability to automatically use the legacy root in its 1.6.0 release:

--preferred-chain "DST Root CA X3"

Unfortunately, many common Linux distros won’t have that version of Certbot packaged yet. However, the new snap packages can be installed on a wide variety of systems, and will always be the newest version.

1 Like

thanks buddy!

It’s actually available on mine, I realized I did not retrieve the full help

./letsencrypt-auto --help all

  --preferred-chain PREFERRED_CHAIN
                        If the CA offers multiple certificate chains, prefer
                        the chain with an issuer matching this Subject Common
                        Name. If no match, the default offered chain will be

Appreciate it once again and hope this also helps others

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.