To try to answer what I suspect the original poster is asking, right now in order to accept an end-entity certificate issued by Let’s Encrypt, your browser or other client would have to be aware of three certificates. Looking at the case for this very site, there would be
The end-entity (leaf) certificate for the subject DNS name “community.letsencrypt.org”, issued by “Let’s Encrypt Authority X3” - this expires Mon 23 Jan 2017 05:20:00
The intermediate certificate for the subject “Let’s Encrypt Authority X3”, issued by “DST Root CA X3” - this expires Wed 17 Mar 2021 16:40:46 although it’s quite likely to cease being used much sooner than that
The root certificate for the subject “DST Root CA X3”, issued by “DST Root CA X3” (the issuer and subject are the same because root certificates are self-signed) - this expires Thu 30 Sep 2021 02:01:15
In terms of what will happen when each certificate expires or stops being used in anticipation of its expiry:
For the end-entity certificate, the TLS server will need to obtain a new (renewed) end-entity certificate and start serving that. Software like Certbot can make this change automatically.
For the intermediate certificate, the Let’s Encrypt CA will need to obtain a new intermediate certificate and start using it to issue end-entity certificates. The individual sites’ servers will also need to start serving this new intermediate as part of their certificate chains. Software like Certbot can also make this change automatically because the certificate chain is provided to the entity obtaining the cert as part of the ACME protocol. Certbot would receive the new associated intermediate from ACME upon some future renewal and would update chain.pem
and fullchain.pem
to include it.
For the root certificate, this is built into the browser and/or OS and would need to be supplemented by a new version of that root in a future browser or OS software release, in accordance with the software developer’s root program policies and software update practices. If a particular client isn’t updated by the end of September 2021, it will stop being able to accept and validate Let’s Encrypt certificates or any other certificates issued under IdenTrust’s DST Root.
Normally the first two changes are handled by the TLS server (again, software like Certbot can do this automatically upon renewal), while the third change is handled by browser or OS vendors and needs to be handled by users somehow updating their software or replacing old devices with newer ones that include newer software and updated root CAs.