Want to get R13 (ISRG Root X1) with acme.sh or certbot script

Hello

We are using acme.sh and certbot for certificate issuance. Our devices are configured with R13 and already contain the corresponding certificate. However, the issued certificate chain is showing YR1.

Could you please advise how we can obtain an R13 (ISRG Root X1) SSL certificate chain for device connections to maintain compatibility with our deployed devices?

My domain is: nlbswave.swarapay.com

I ran this command:
~/.acme.sh/acme.sh --issue -d nlbswave.swarapay.com -w /var/www/html/ --server letsencrypt --keylength 2048 --preferred-chain "ISRG Root X1"

certbot certonly --webroot --webroot-path /var/www/html -d nlbswave.swarapay.com --key-type rsa --rsa-key-size 2048 --preferred-chain "ISRG Root X1"

It produced this output:
Issuer: C = US, O = Let's Encrypt, CN = YR1

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Why do you need a cert from R13?

Have you hard-coded or pinned the intermediate?

That is not recommended, as an intermediate can change at any time. There also was an R12 for issuing.

https://crt.sh/?q=nlbswave.swarapay.com

Hello

Our IOT devices have pinned this intermediate, which is due for expiry in a few days. Yes, we understand that this is not recommended. We just want one certificate to be renewed so we get time to update our devices with the recommended root cert.

And the above link https://crt.sh/?q=nlbswave.swarapay.com is not accessible, please check

R12 and R13 are only available via the tlsclient profile.

But that is only usable if your account used that previous to May 2026.

Try it multiple times. crt.sh is slow sometimes.

see also

similar discussion a few years ago

Yes, we have tried the tlsclient profile with an old account but are getting the error below:

[Wed Jun 3 04:50:20 PM WIB 2026] Error creating new order. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Error creating new order :: account ID 3391776846 is not permitted to use certificate profile "tlsclient"",
"status": 403
}
[Wed Jun 3 04:50:20 PM WIB 2026] Please add '--debug' or '--log' to see more information.
[Wed Jun 3 04:50:20 PM WIB 2026] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

It only works if the old account used the profile before.

Yeah, last time we didn't use a profile while generating the certs. Is there any other way to generate certs with R13 one time so we can update our IOT devices?

I see that R13 is valid until March 2027, please guide us to generate the certs with R13.

Only a member of staff could possibly do that. You'll have to wait to see if any respond.

There have been similar requests to yours for this intermediate rotation and past ones. I have never seen staff make an exception for individual cases. Let's Encrypt works with a small team and heavy automation which is how they can offer all they do for free.

Pinning R13 was never a good option as both R12 and R13 were used interchangeably. Further, best practice has been to have a fallback CA in case one failed. And, even instead of a public CA, using a private CA for something like IOT is probably best.

Knowing all that, I think it highly unlikely you will see staff diverting their efforts to help you with this.

Further, there looks to be some kind of ongoing incident with LE issuance. I am sure that will be priority 1 and will keep staff especially busy.

Hello,

Thank you for your response.

I understand that exceptions are generally not made and that the recommended approach is to update devices to support the new certificate chain. However, I would like to explain the scale of our situation and respectfully request your consideration.

We have a very large number of IoT devices deployed across the country. These devices currently rely on the R13 certificate, and the certificates installed on them are scheduled to expire on 5 June 2026. Once the certificates expire, the devices will lose connectivity to our backend services.

Unfortunately, updating these devices is not a simple process. Many of them are deployed in remote locations, and a significant number would require manual intervention or on-site firmware updates. Coordinating and executing these updates across thousands of devices nationwide will take considerable time and resources.

We fully acknowledge that our long-term solution is to update the firmware and certificate trust configuration according to Let's Encrypt's recommended practices. In fact, we have already started planning this migration. However, the remaining time before the certificate expiration is not sufficient for us to complete the rollout across all deployed devices.

Given the potential impact on a large installed base, we would be extremely grateful if there is any possibility of temporarily providing certificate issuance using R13, or any alternative transitional solution that could give us additional time to complete the firmware updates in a controlled manner.

We understand this may not align with standard policy, but we wanted to present our situation and ask whether any accommodation or guidance could be provided.

Thank you for your time and consideration. We appreciate the efforts of the Let's Encrypt team and would be grateful for any assistance or recommendations you can offer.

I am not sure you do understand the best way forward for you. You should post a new thread asking for assistance on that. Your best path is probably to use a private CA. That would give you complete control of the certs. But, for a public CA you should be trusting roots and NOT PINNING intermediates. Even roots will change over time. These are the first things Let's Encrypt warns about in the Integration Guide: Integration Guide - Let's Encrypt

With that said, staff monitor this forum and they would need to divert efforts for your case.

There was a similar situation last summer where @aarongable, a member of LE staff, said this: Is there any way to resume R11 in Let's Encrypt - #5 by aarongable

A review of another thread by Aaron from 2020 is also instructive: IOT Devices with X3 certificate embedded - #13 by aarongable

The R13 intermediate you pinned to only started use last August. I applaud your ability to obtain a large installed base in such a short period of time. People using such new products are often understanding of the "growing pains". Yes, it can be painful but in the long run can build trust with your customers. I speak from personal experience of running a tech company.
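
The difference between trusting a root and pinning an intermediate, which this thread turns on, shown as an added example (not code from any poster or from Let's Encrypt). It builds a throwaway PKI with the openssl CLI and verifies a renewed leaf both ways; the names Demo Root, Demo Int A (standing in for the pinned R13), Demo Int B (standing in for the new issuer) and device.example are constructed.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Int A" plays the pinned intermediate (R13 in the
# thread), "Demo Int B" the intermediate the CA has switched to (YR1).
D=$(mktemp -d)
cat > "$D/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
# csr NAME CN: fresh RSA key plus CSR
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$D/x.cnf" -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXT_SECTION SERIAL: issue NAME's certificate under ISSUER
sign() {
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
    -set_serial "$4" -days 30 -extfile "$D/x.cnf" -extensions "$3" \
    -out "$D/$1.pem" 2>/dev/null
}
make_pki() {
  csr root "Demo Root"; csr intA "Demo Int A"; csr intB "Demo Int B"
  csr leaf "device.example"
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 30 \
    -extfile "$D/x.cnf" -extensions ca -out "$D/root.pem" 2>/dev/null
  sign intA root ca 2; sign intB root ca 3
  sign leaf intB leaf 4   # the renewal is issued by the new intermediate
}
# Client that trusts the root; the server supplies intermediate $1 in its chain.
verify_root_trust() {
  openssl verify -CAfile "$D/root.pem" -untrusted "$D/$1.pem" "$D/leaf.pem" >/dev/null 2>&1
}
# Client whose only trust anchor is intermediate $1 (a pin); the root is unknown to it.
verify_pinned() {
  openssl verify -partial_chain -CAfile "$D/$1.pem" -untrusted "$D/intB.pem" \
    "$D/leaf.pem" >/dev/null 2>&1
}
make_pki
verify_root_trust intB && echo "root trust:   accepts the leaf issued by Int B"
verify_pinned intA     || echo "pin on Int A: rejects the leaf issued by Int B"
verify_pinned intB     && echo "pin on Int B: accepts, until the CA rotates again"
```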