Firstly I should say that we've been using LetsEncrypt for over 3 years now without any issues, and are grateful for the great service that was provided up to this point.
With the advent of the expiration of DST Root CA X3 and the switchover to ISRG Root X1 and the new R3 intermediary, this caused us a world of pain. Our use case requires the root CA to exist in the OS CA store (required for IPSec+IKEv2 based VPNs). We've been noticing that the ISRG root simply does not exist in seemingly random versions of Windows 10, including the most recent fully updated builds. We've been able to temporarily solve the issue by presenting the cross-signed intermediary and the DST root to the clients, but come Sept 2021, this will no longer be feasible, and our service will break down for an unknown portion of the Windows user base (our biggest user base). The key here is the "unknown" part, as we've noticed no pattern in the ISRG root being present or missing from the OS certificate store. The browser root stores are all okay, but this doesn't really matter for the above presented use case.
Is there any recourse here, or perhaps some misunderstanding on our part? Is LE aware of this problem? At this point we're experimenting with ZeroSSL, which appears to suit all our needs, due to them using a well established Sectigo root CA. We'd prefer to stick with LE if at all possible, but so far this appears to be impossible come Sept 2021.
EDIT: Summary of the issue after discussion below and more fiddling around.
- Some W10 versions don't ship with ISRG root baked in
- If a browser (IE, Edge or Chrome) encounters an ISRG root signed certificate, it DOES lazy load the ISRG root and it DOES appear in the root store.
That being said, non-browser OS subsystems (like rasdial, maybe others) do NOT trigger this flow and the chain cannot be verified until the ISRG root is lazy loaded through a browser.
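As an added example (not from the original post or from Let's Encrypt), a PowerShell check for the situation described above: it reports whether a root CA, matched by subject CN, is present in the Windows machine root store that rasdial/IKEv2 consults, and if it is missing pulls the current Windows Update root set with certutil and installs only that one root instead of waiting for a browser to lazy-load it. It assumes an elevated PowerShell session and outbound access to Windows Update for the certutil step.

```powershell
# Added example, not part of the original post. Checks LocalMachine\Root (what
# system services use) and CurrentUser\Root for a root CA by subject CN, and
# installs the missing root from the Windows Update root set when asked to.
# Assumes: elevated session, Windows 10, and reachability of Windows Update.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SubjectCN = 'ISRG Root X1'
)

function Get-InstalledRoot {
    param([string]$CN)
    $pattern = "CN=$([regex]::Escape($CN))(,|$)"
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem "Cert:\$loc\Root" |
            Where-Object { $_.Subject -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Store = $loc; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter }
            }
    }
}

$found = @(Get-InstalledRoot -CN $SubjectCN)
if ($found.Store -contains 'LocalMachine') {
    Write-Host "'$SubjectCN' is present in LocalMachine\Root:"
    $found | Format-Table -AutoSize
    return
}
Write-Warning "'$SubjectCN' is NOT in LocalMachine\Root; IKEv2/rasdial chains ending in it will fail until it is installed."

# Download the full Windows Update root set as a serialized store (.sst) and pick out only the root we need.
$sst = Join-Path $env:TEMP 'wu-roots.sst'
& certutil.exe -f -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to download the Windows Update root set" }

$coll = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$coll.Import($sst)
$root = $coll |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($SubjectCN))(,|$)" -and $_.Subject -eq $_.Issuer } |
    Select-Object -First 1
if (-not $root) { throw "'$SubjectCN' is not in the Windows Update root set either; nothing to install" }

if ($PSCmdlet.ShouldProcess('LocalMachine\Root', "Install '$($root.Subject)' ($($root.Thumbprint))")) {
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($root) } finally { $store.Close() }
    Write-Host "Installed '$SubjectCN' thumbprint $($root.Thumbprint) into LocalMachine\Root"
}
```

Run it once with `-WhatIf` to see which certificate would be added before letting it write to the machine store.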