I understand that on January 11th Let's Encrypt will change the default Intermediate to E1, which is no longer signed by IdenTrust. This will be a big deal for many people, but I understand that the R3 Intermediate will still be an option (via --preferred-chain on certbot) for those of us requiring this backwards compatibility a bit longer.
I'm looking for clarification on the transition (happening within a week or so?) switching from X3 to R3. The latter is still signed by both IdenTrust and ISRG, so in theory it has the same backwards compatibility. What I do not understand is which of those two trust chains will be used by default and end up in our fullchain.pem. For most modern browsers it doesn't matter too much, as the browser will be able to follow either chain by requesting additional intermediates as required. However, for embedded devices that don't support AIA (Authority Information Access) this is not necessarily the case. Only the chain that our servers supply in fullchain.pem is viable.
It's not clear to me whether this will be determined by Let's Encrypt or by the issuance client (certbot, etc.). If it makes a difference, I am using simp_le via docker-letsencrypt-nginx-proxy-companion.