Too many certificates (5) already issued for this exact set of domains in the last 168 hours

My domain is: live.redtaxi[.]cab

When I was trying to solve a Node.js issue with the new Let's Encrypt root certificate expiring
"ISRG Root X1"

And when I found the solution, we faced the block from you.

So please kindly unblock the domain, because we can't wait for 7 days and we can't change the sub-domain we have, since a mobile app is connected to the server through it.

We are looking for your support.
Regards

1 Like

Hi @saleh welcome to the LE community forum :slight_smile:

That is NOT possible.
There is a test/staging environment explicitly set up for exactly what you were doing.

At this point you can either:
[arranged in what I feel is the simplest to most complicated solution]

  • find and use any of those 5 issued certs
  • use an alternate (free) CA that also supports ACME protocol
  • add/remove an FQDN from the cert
  • wait until there have been <5 issued certs within the previous 168 hours
  • change the name of the site

The real question is where did all those certs go?
Where is the last one that was issued?
[as finding any one of those would be the simplest solution of all]

2 Likes

Hi, @rg305 thank you for your support,
Dear, I have the last one and it's valid, but I need to solve the issue:

```
sudo certbot certonly --nginx -d --preferred-chain "ISRG Root X1"
sudo service nginx restart
```

because our Node.js app suddenly stopped, and when we caught the issue, it was that of the Let's Encrypt update on the 30th of September:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021

So it is not fair to ban our domain in this case, because we have a certificate problem.

Other than that, you can also search on Google and see how many people have been affected by this issue since September 30th.

Kindly, if possible, unblock our domain to resolve the issue.
Regards
1 Like

What version of certbot are you using?
```
certbot --version
```

1 Like

hi @rg305

certbot 1.20.0

1 Like

@rg305

this image may help to clarify our issue

1 Like

OK but you have access to a valid LE cert.
Let me confirm...
Oh dear!
You have bigger problems:

The site serves this chain now:

```
openssl s_client -connect live.redtaxi.cab:443 -servername live.redtaxi.cab | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = live.redtaxi.cab
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = live.redtaxi.cab
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```

All you need to do (for now) is to remove the last cert from the chain.pem or fullchain.pem file in use.

1 Like

thank you @rg305
just remove it without replacing it with another one?

1 Like

The chain will have three certs in it - remove the last one.
Leaving only two certs in it.

The cert is valid:

1 Like

@rg305

I see the expired root still showing

I repeat myself:
Remove the last cert from the chain.pem file or the fullchain.pem file (whichever you are using).
Then restart the web server.
Then we can check it again.

2 Likes

If you edit your fullchain.pem file you will see it is a text file with multiple certificate entries. You can paste the last one into Certificate Decoder - Decode certificates to view their contents and that should confirm it is ISRG Root X1 issued by DST Root CA X3. If you then remove that entry from the file your chain will be [Your Cert] > R3 (Issued by ISRG Root X1), then clients will resolve this to the shorter (modern) chain. You may need to restart nginx.

2 Likes
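The procedure rg305 and webprofusion describe (drop the third entry from the chain file, restart nginx, re-check what the site serves), as an added POSIX shell example; this is not code from the thread, from certbot, or from Let's Encrypt. It assumes certbot's default layout under /etc/letsencrypt/live/<name>/fullchain.pem and a system openssl; the hostname live.redtaxi.cab and the file name come from the thread, while the function names and the sample bundle are assumptions of mine (the sample is constructed placeholder text, not real certificates, so openssl will reject it).

```shell
#!/bin/sh
# Added example (not from the thread): trim the trailing expired-root entry
# off a PEM chain file and re-check the chain a server sends.
# Assumed: certbot's /etc/letsencrypt/live/<name>/fullchain.pem layout, a
# system openssl for the inspection helpers; function names are mine.
set -eu

# Number of certificate blocks in a PEM bundle (0 when there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy only the first $2 certificate blocks of bundle $1 to stdout; any
# text before the first BEGIN line or after the kept blocks is dropped.
keep_first_certs() {
    awk -v keep="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n >= 1 && n <= keep { print }
        /-----END CERTIFICATE-----/ && n == keep { exit }
    ' "$1"
}

# Subject and issuer of every entry, in file order (needs openssl). The last
# entry is the one the thread says to remove: ISRG Root X1 issued by DST Root CA X3.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Drop everything after the first $2 (default 2: leaf + R3) entries of chain
# file $1, keeping a backup next to it. Does nothing if there is nothing to trim.
trim_chain() {
    file=$1
    keep=${2:-2}
    n=$(count_certs "$file")
    if [ "$n" -le "$keep" ]; then
        echo "$file already has $n cert(s); nothing to trim" >&2
        return 0
    fi
    cp -p "$file" "$file.bak"
    keep_first_certs "$file.bak" "$keep" > "$file.tmp"
    mv "$file.tmp" "$file"
    echo "trimmed $file from $n to $keep cert(s); backup in $file.bak" >&2
}

# Depth listing of the chain a live server sends, the same check rg305 ran;
# after the trim (and an nginx restart) it should stop at entry 1 (R3).
served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | sed -n '/^Certificate chain/,/^---$/p'
}

# Constructed three-entry bundle for a dry run. The bodies are placeholder
# words, not base64 DER, so list_chain will reject it; it only exercises the
# text handling above.
write_sample_bundle() {
    for label in leaf intermediate root; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$label" '-----END CERTIFICATE-----'
    done > "$1"
}

# Usage: sh trim_chain.sh /etc/letsencrypt/live/live.redtaxi.cab/fullchain.pem [hostname]
if [ "$#" -ge 1 ]; then
    trim_chain "$1" 2
    if [ "$#" -ge 2 ]; then
        served_chain "$2"
    fi
fi
```

The files in live/ are symlinks into archive/, so pass the resolved target, and remember that the edit only lasts until the next renewal rewrites the chain; the lasting fix is the `--preferred-chain "ISRG Root X1"` option already quoted earlier in the thread, after which `list_chain` on the new fullchain.pem should show just the leaf and R3.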

hi @rg305

thank you, it's done but the issue is still there.

kindly if you can check

regards

2 Likes

hi @webprofusion

thank you very much for your support, I did it but the issue is still showing and this is the result:
[image]

1 Like

Your certificate looks good and is using the modern chain. This chain is not compatible with old versions of Android which don't know about the ISRG Root X1 certificate.

If you need a mix of support for old and new devices I would suggest changing certificate authority but you would need to test whichever alternative you choose (ZeroSSL, BuyPass Go etc) with the client devices.

@webprofusion

Dear, could you let me know if there is a paid cert that I can use to solve this issue?
I think it's better than a free one, right? Because Let's Encrypt made a big problem and I think we should change it forever.

```
openssl s_client -connect live.redtaxi.cab:443 -servername live.redtaxi.cab | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = live.redtaxi.cab
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = live.redtaxi.cab
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
```

That is the "shorter" chain.

1 Like

Nothing is forever.
All root certs have expiry dates - even the paid ones.

Let's Encrypt did NOT make this problem.

1 Like

@rg305

so it's correct right now?

1 Like