Shortening the Let's Encrypt Chain of Trust

Hello All,

It looks like renewing a certificate provides the shorter chain since Feb 8, 2024.

  • On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.

In line with this, is it still possible to request the longer chain and how to do it? I may have misundertood this statement -> "The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request."

Thank you.

Best regards,

well I shoudl ask what client you are using, but after few months that option goes away too, so you'd better prepared to adapt to short chain or move to other certificate authority


Yes, for now.

Please see your ACME clients documentation.


We are using certbot. Can you point me to the correct path on how to do it? I am using this command to renew the cert.

certbot certonly --manual -d --server

--preferred-chain "DST Root CA X3"

Docs for command line flags for certbot are in User Guide — Certbot 2.10.0.dev0 documentation which has the details


Thanks for the reply. Tried your suggestion, but getting an error. I do apologize as I am not an expert on this area. I hope you can help me further.

root@hostname:~# certbot certonly --manual -d --server --preferred-chain "DST Root CA X3"
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certbot: error: unrecognized arguments: --preferred-chain DST Root CA X3

What version of certbot are you running?



Currently certbot 0.27.0

root@hostname:~# certbot --version
certbot 0.27.0
root@hostname:~# sudo apt install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.27.0-1~ubuntu18.04.2).
The following packages were automatically installed and are no longer required:
linux-azure-4.15-cloud-tools-4.15.0-1112 linux-azure-4.15-cloud-tools-4.15.0-1113 linux-azure-4.15-headers-4.15.0-1112 linux-azure-4.15-tools-4.15.0-1112 linux-azure-4.15-tools-4.15.0-1113 linux-azure-5.4-cloud-tools-5.4.0-1080
linux-azure-5.4-cloud-tools-5.4.0-1083 linux-azure-5.4-cloud-tools-5.4.0-1085 linux-azure-5.4-cloud-tools-5.4.0-1086 linux-azure-5.4-cloud-tools-5.4.0-1089 linux-azure-5.4-cloud-tools-5.4.0-1090
linux-azure-5.4-cloud-tools-5.4.0-1091 linux-azure-5.4-headers-5.4.0-1080 linux-azure-5.4-headers-5.4.0-1083 linux-azure-5.4-headers-5.4.0-1085 linux-azure-5.4-headers-5.4.0-1086 linux-azure-5.4-headers-5.4.0-1089
linux-azure-5.4-headers-5.4.0-1090 linux-azure-5.4-headers-5.4.0-1091 linux-azure-5.4-tools-5.4.0-1080 linux-azure-5.4-tools-5.4.0-1083 linux-azure-5.4-tools-5.4.0-1085 linux-azure-5.4-tools-5.4.0-1086
linux-azure-5.4-tools-5.4.0-1089 linux-azure-5.4-tools-5.4.0-1090 linux-azure-5.4-tools-5.4.0-1091 linux-azure-headers-4.15.0-1023 linux-azure-tools-4.15.0-1023 python3-ndg-httpsclient
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 179 not upgraded.

you need at least 1.23 for that flag:


Thank you very much.

I was able to upgrade certbot and renew the certificate using parameter --preferred-chain DST Root CA X3.


Awesome, glad that worked for you!

Just remember, the DST Root CA X3 chain will go away entirely -- i.e. it won't be selectable using the --preferred-chain flag -- on June 6th. So you'll want to ensure that you don't need that root anymore by that time.


7 posts were split to a new topic: Pageload Times Increased after DST Root X1 / Shortening Change

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.