Shortening the Let's Encrypt Chain of Trust

We have just published a blog post detailing our plans to handle the expiration of our ISRG Root X1 cross-sign from IdenTrust’s DST Root CA X3.

The summary is:

  • On 2024-02-08, we will stop providing the long chain by default, but clients can still be configured to request it.
  • On 2024-06-06, we will stop providing the long chain at all.
  • On 2024-09-30, the cross-sign will expire, and any websites still serving it in their TLS handshakes may run into difficulties.

No action on your part is needed. You have the option of doing some manual configuration of your ACME client to gain six extra months of compatibility for older Android devices visiting your sites. If you have any questions, please direct them to this thread.


Some of you may have noticed that, from Thursday, Nov 9, 17:30 UTC to Monday, Nov 13, 20:45 UTC, we were providing the short chain by default for certificates issued from R3. This was an accidental misconfiguration, and has been reverted.

However, the change observed over the past few days is identical to the change that we will be making on February 8, as announced above. If this change caused issues for your client, please prepare now for the upcoming changes. The blog post linked above has details on how.