ISRG Root X2 isn't trusted by Debian Bullseye

According to Certificate Compatibility - Let's Encrypt, Debian >= Bullseye trusts ISRG Root X2. At the same time it links to Debian Package Tracker as proof. ca-certificates version 20230311 never got backported to Debian Bullseye and it's only shipped with Debian Bookworm according to ca-certificates - Debian Package Tracker.

It would be nice if we could get https://letsencrypt.org/docs/certificate-compatibility updated.

Thanks for all the good work!

7 Likes

Thanks! Two part response:

  1. I believe a later version of the ca-certificates package did get backported, and brought X2 along with it. I only had room for one link, so I linked the earliest version of the package that included X2.
  2. If I'm wrong, PRs are welcome at GitHub - letsencrypt/website: Let's Encrypt Website and Documentation !
5 Likes

Debian Bullseye lists the current version as 20210119

It is not available in bullseye-backports/misc (See Debian -- Software Packages in "bullseye-backports", Subsection misc ) and there is no misc section in /bullseye-updates (see Debian -- List of sections in "bullseye-updates")

According to the Debian changelog (https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20230311_changelog), X2 was introduced in 20230311.

5 Likes

That's right. I also tested on an updated bullseye instance. I'll submit that PR as soon as possible.

Thanks!

5 Likes

I concur. There's no -updated or -backported ca certificates package available for Debian Bullseye. The list of CAs included with bullseye is here (no ISRG Root X2): Debian -- File list of package ca-certificates/bullseye/all

Bookworm on the other hand has ISRG Root X2: Debian -- File list of package ca-certificates/bookworm/all

4 Likes

It might be worth making a request to Debian to backport this release to Bullseye (which is still in Security and LTS update windows).

2 Likes

"Accepted ca-certificates 20230311 (source) into unstable"

That's what you get for those silly naming schemes? Now, in retrospect, it's quite hard to check which version of Debian it was included in... You'd need to see which version was unstable from when to when and matches Sat, 11 Mar 2023. Or to be more specific, into which version Sid was transferred to, as all unstables are called Sid... Another weird quirk.. :confused: I'm not even sure this info is easily found..

Debian sigh...

1 Like

Unstable is always unstable. It never is not Sid.
There are no versions of Debian Unstable. It is a perpetual and ever-changing target.

Edit: Written before I read the end of the preceding reply. Leaving for posterity.

2 Likes

It's really not that hard, table on the left side:
https://tracker.debian.org/pkg/ca-certificates

(if you want to go even further back than oldoldstable, the full archive is linked on the same page: dak ls aka madison)

4 Likes

I was curious enough to check, and indeed:

bullseye0$ curl -L https://valid-isrgrootx2.letsencrypt.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate

So, if anyone is still on bullseye ("oldstable" for now): grab the ISRG Root X2 certificate and install it:

wget https://letsencrypt.org/certs/isrg-root-x2.pem

openssl x509 -in isrg-root-x2.pem -noout -sha256 -fingerprint -serial -dates 
### Compare with e.g. the crt.sh website listed on the certificate page

sudo mkdir -p /usr/local/share/ca-certificates/
### update-ca-certificates only picks up files ending in .crt in this directory
sudo mv isrg-root-x2.pem /usr/local/share/ca-certificates/isrg-root-x2.crt
sudo update-ca-certificates

With that, the ISRG Root X2 certificate should now be trusted.

3 Likes
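To confirm the result of the steps above on a given machine, this added example (not part of the original post) checks whether a CA bundle contains a certificate with a given SHA-256 fingerprint. It assumes Debian's default bundle path `/etc/ssl/certs/ca-certificates.crt` and a hypothetical script name `check_root.py`; the fingerprint is supplied by the caller, taken from the Let's Encrypt certificate page or from the `openssl x509 -sha256 -fingerprint` output.

```python
#!/usr/bin/env python3
"""Check whether a PEM CA bundle contains a cert with a given SHA-256 fingerprint."""
import base64
import hashlib
import re
import sys

# Assumption: Debian's concatenated trust bundle, rebuilt by update-ca-certificates.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize_fingerprint(text):
    """Accept 'sha256 Fingerprint=AB:CD:..', 'AB:CD:..' or bare hex; return lowercase hex."""
    value = text.split("=", 1)[-1]
    value = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return value


def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        # The fingerprint openssl reports is the hash of the DER encoding.
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def bundle_contains(pem_text, fingerprint):
    """True if the bundle holds a certificate with this fingerprint."""
    return normalize_fingerprint(fingerprint) in bundle_fingerprints(pem_text)


def main(argv):
    if len(argv) < 2:
        print("usage: check_root.py <sha256-fingerprint> [bundle]", file=sys.stderr)
        return 2
    path = argv[2] if len(argv) > 2 else DEFAULT_BUNDLE
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = bundle_contains(fh.read(), argv[1])
    print("%s: %s" % (path, "present" if found else "NOT in bundle"))
    return 0 if found else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is 0 when the fingerprint is present and 1 when it is not, so the script can run as a check across several hosts.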

But today's stable is tomorrow's oldstable :sob:

3 Likes