Let encrypt update for dst root ca x3

Is there other way to fix DST Root Expiration on the server side not in the Client Device?

The two server options are:

  • Chain to the expired DST Root CA X3, which supports older android devices but will have issues with older builds of OpenSSL
  • Chain to ISRG Root X1, which is not in the Trust Store of Operating Systems or Devices

There is a compatibility list on Certificate Compatibility - Let's Encrypt , however it does not cover the OpenSSL versions


If your client device is NOT an (older) Android device and your client device does NOT have the ISRG Root X1 root certificate in its trust store, there is NO server side option but to change to a different (free) CA. See e.g. ACME CA Comparison - Posh-ACME for an overview of ACME CAs.


Sorry, I'm newbie with this SSL thing. What do you mean chain to the expired DST Root CA X3?


1 Like

By default, Let's Encrypt has an "extra" cert in the intermediate chain (we call it the "long chain") which was signed by "DST Root CA X3". This provides better compatibility for a wide range of older Android devices. You can also use the "short chain" which does not have this extra cert in it.

This topic helps guide you to choosing which is best


You can search for "what are certificate chains" on e.g. Google and you would, among others, find this site, explaining what certificate chains are: What is the SSL Certificate Chain? - DNSimple Help


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.