I wonder how transitioning from DST Root CA X3 to ISRG Root X1 should work smoothly with the current setup of Intermediate CAs.
AFAIK, a typical setup for a transition from Signing CA to Root CA is as follows.
Old Root CA → New Root CA (signed by Old Root CA) → Signing CA → Server Cert
Servers present the three certificates (Server Cert, Signing CA, New Root CA signed by Old Root CA) to clients which are happy either way: If they still trust Old Root CA, the chain passes. Likewise, if they have the New Root CA self-signed certificate in their trust store, they just disregard the last certificate and find the new proper matching chain anyway. After some time, servers will stop serving New Root CA (signed by Old Root CA). Mission accomplished.
In the case of the current LE setup… I don’t see such a clean transition ahead. The main issue is the missing “New Root CA (signed by Old Root CA)” intermediate certificate. Let’s look at an example.
My FF already contains the ISRG Root X1 certificate, and trust is enabled. If I disable trust on DST Root CA X3 temporarily, my LE-enabled site cannot be displayed anymore because I don’t present a certificate for Let’s Encrypt Authority X3 signed by ISRG Root X1. My server sends the certificate for “Let’s Encrypt Authority X3 (IdenTrust cross-signed)”. If I now add the missing certificate “Let’s Encrypt Authority X3, Signed by ISRG Root X1” to the served chain of certs, FF displays the page. Hooray!
However, SSL Labs is unhappy and gives a “Chain issues: Incorrect order” output. Sure, the server sends two different certificates that form a fork instead of a single chain. I can only fix the chain in this regard by removing the old intermediate certificate, but then I have a direct change from the old DST Root CA to the new ISRG Root CA. This is a hard move which I’d not call a smooth transition. Or do we simply have to live with the SSL Labs warning? (Note that SSL Labs also reports an OCSP error for the new certificate, but that’s not the topic here.)
What’s the technical transitioning plan for LE from the old to the new root? Will the current Signing CA certificate be replaced by a Root CA signature, signed again by DST, together with the new non-cross-signed Let’s Encrypt Authority X3?
And, of course, corrections to my understanding are welcome.
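To make the transition pattern from the post concrete, here is an added demonstration that is not part of the original post and not Let’s Encrypt’s own tooling. It builds a toy PKI with the openssl CLI (Old Root CA, New Root CA both self-signed and cross-signed by Old Root CA, a Signing CA issued by New Root CA, and a server certificate) and then checks, with `openssl verify`, which trust stores accept which served chain. All names, the host `example.test`, and the temporary working directory are constructed for the demo; an openssl 1.1.1 or later CLI is assumed.

```shell
#!/bin/sh
# Added demo (not from the original post): toy PKI for a root transition.
# Assumes the openssl CLI (1.1.1+); all names and the host are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a no-prompt [req] section plus the extension sets
# used for CA certificates and for the server (leaf) certificate.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# gen_key FILE : fresh P-256 private key
gen_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# self_signed NAME CN : self-signed root certificate for NAME's key
self_signed() {
  openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$2" -days 3650 \
    -config "$WORK/req.cnf" -extensions ca_ext -out "$WORK/$1.pem" 2>/dev/null
}
# issue NAME CN ISSUER EXT SERIAL OUT : certificate for NAME's key, signed by ISSUER
issue() {
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -config "$WORK/req.cnf" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -set_serial "$5" -days 1825 -extfile "$WORK/req.cnf" -extensions "$4" \
    -out "$WORK/$6.pem" 2>/dev/null
}

for k in oldroot newroot signing leaf; do gen_key "$WORK/$k.key"; done
self_signed oldroot "Old Root CA"
self_signed newroot "New Root CA"
issue newroot "New Root CA"  oldroot ca_ext   2 newroot-cross  # New Root, cross-signed by Old Root
issue signing "Signing CA"   newroot ca_ext   3 signing        # Signing CA, issued by New Root
issue leaf    "example.test" signing leaf_ext 4 leaf           # server certificate

# The two chains a server might send next to its leaf certificate.
cat "$WORK/signing.pem" "$WORK/newroot-cross.pem" > "$WORK/chain-transition.pem"
cp  "$WORK/signing.pem" "$WORK/chain-hard-move.pem"

# verify_path TRUST_ANCHOR SERVED_CHAIN LEAF : 0 if openssl can build a valid
# path from LEAF to a certificate in TRUST_ANCHOR using only the served chain
# (system trust store deliberately excluded).
verify_path() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  then return 0; else return 1; fi
}
# same_public_key A B : 0 if both certificates carry the same subject public key
same_public_key() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

for store in oldroot newroot; do
  for chain in chain-transition chain-hard-move; do
    if verify_path "$WORK/$store.pem" "$WORK/$chain.pem" "$WORK/leaf.pem"
    then echo "trust=$store served=$chain : OK"; else echo "trust=$store served=$chain : FAIL"; fi
  done
done
```

Running it prints four lines: the transition chain (Signing CA plus the cross-signed New Root) validates against a trust store holding only Old Root CA and against one holding only New Root CA, because the self-signed and the cross-signed New Root certificates carry the same subject and public key, so a client that already trusts the self-signed copy simply stops there. The hard-move chain (Signing CA only) validates for the New Root trust store but fails for the Old Root one, which is the abrupt switch the post worries about.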