Right now there are two options for certificate chains for Let’s Encrypt certificates:
- An intermediate signed by “DST Root CA X3”, owned by IdenTrust.
- An intermediate signed by “ISRG Root X1”, the root owned by Let’s Encrypt itself.
I believe due to compatibility reasons the vast majority of LE users will use the chain for the IdenTrust certificate, particularly if it’s about public web pages. However the “DST ROOT CA X3” certificate will expire in 2021. While this is still a couple of years in the future, I wonder if this is looming trouble for LE.
I noticed this because I heard stories from customers of another CA that recently started issuing certs to customers with a root that was only issued relatively recently. Many old browsers throw errors when seeing these certs.
I think it’s plausible to assume that in 2021 the ISRG certificate will not have received widespread enough support to make it the only option available, particularly given how unfortunately common smartphones without any update option are these days.
Is LE aware of this issue and are there any plans?