Keep "Let's Encrypt Authority X3" for renewed certificate

Hello all!

Need your help or an advice!

I have a problem with my public certificate after last renewing 07/01/2020. This certificate I exported in browser and uploaded as a trusted to some my devices. Devices could not connect to any external services and I also can not connect to devices remotely.
Now, Intermediate certificate has been changed from X3 to R3 and my trusted certificate is not valid any more.

Is is possible to require renewing with X3 sertificate until Mart? Is there another solution to trust a certificate on physical devices?

Thank you in advice,

1 Like

First: You should not be requiring connection trust based on intermediate certs.
That can change at any moment.

That is no longer possible.


Very short answer: no, that's not possible.

However, if you renewed after 60 days like Let's Encrypt advices, you should have 29 days left for your previous certificate. You might be able to re-instate that certificate on your server and fix whatever design flaw you've made in the past (i.e. depend on a static intermediate, which should never be done).


Why is it no longer possible? I understand that there will be brownouts each month, but renewal should still be possible atleast till the end of May correct?

1 Like

you are thinking of DST root X3, intermediate CA X3 is only a 2 mounth left and cannot sign by current boulder without extend leaf's life behind CA's


X3 is beyond browning out - it is off.
The current pending brownouts are for ACMEv1 deprecation.
See: End of Life Plan for ACMEv1 - API Announcements - Let's Encrypt Community Support


Thanks for the link. I fail to see where exactly it says that the intermediate X3 is Off and cannot be renewed. Can someone post a screenshot of it.

1 Like

Hi @sarathyplkr5

an intermediate certificate isn't something to renew.

That's how the certificate system works.

Root and intermediate certificates are replaced with new private / public keys, not renewed.

Clients should never use hardcoded intermediate certificates. A client with such a behaviour is a wrong configured client.


Beginning Issuance from R3 - API Announcements - Let's Encrypt Community Support


There is much more detail about this in the thread

1 Like

Thank you for help and links!
As I understand right, If my devices could not connect to any external IP (included any CA), I need to keep all chain of trusted certificates in devices.
R3 will be expired 29/09/2021, so, I think, next time i will need to change intermediate certificate maximum in July, 2021. Am I right?

1 Like

Intermediates can change at any given moment without notice.
You should include your own CA root as a safety net.


Thank you very much!


(As a side note, this expiration date is incorrect -- The R3 cross-sign from IdenTrust expires in late 2021, but the R3 issued from our own ISRG Root X1 doesn't expire until 2025. That said, the advice above is still correct! Don't pin or rely on intermediates, as we may have to (for example) switch to using R4 at a moment's notice.)


just to clarify: Until the old Root+ Intermediate will expire there is no chance to renew certificates signed by "Lets Encrypt Authority X3" and "DST Root CA X3"?
Just wondered, because I thought the new options in all those acme clients "preferred chain" or similar are just for this purpose.

Has been retired, and it will soon expire.

It will not be signing anything ever again.

Sure, I know it will expire on 17th of march this year.
It could have been possible to issue certificates until this date :smiley:

Not exactly.
It should never authorize a cert beyond its' own life.
So it had to stop issuing 90 day certs... 91 days before it expires.
[2021/03/17 - 91 days was on 2020/12/16]
As also seen on the first line of this post: Beginning Issuance from R3 - API Announcements - Let's Encrypt Community Support

Thanks, is was just not clear to me.
Because the acme_certificate module in ansible suggests that it is still possible: - the last example selects the chain of the old DST Root.

Sure "possible".
It could now issue a cert with 100 years life on it.
But no browser, nor anyone, would ever honor that cert either (past his own life time).

After re-reading it, I only see: "DST Root CA X3"
Not any mention of "Let's Encrypt Authority X3"