acme-v02.api.letsencrypt.org endpoint sends the pre-May-4-default leaf ← R3 ← DST Root CA X3 chain when an ACME Client connects to it. (Trying to be clear here: I'm not talking about the chain returned to an ACME Client for use in configuring a web server, I'm talking about the API itself, used by the ACME Client to talk to Let's Encrypt, like what happens when you run
openssl s_client -connect acme-v02.api.letsencrypt.org:443 or
curl https://acme-v02.api.letsencrypt.org/directory or the like.)
- Will that change to the "long" chain at some point, of leaf ← R3 ← ISRG Root X1 ← DST Root CA X3? This is probably a non-event for most ACME Clients, but may be good to be aware of when it happens just in case some client somewhere doesn't like it.
- As @Nummer378 reminded me of in the other thread when I asked about it (I thought I'd seen it somewhere but couldn't remember where), if I understand the current plan correctly, at some point the API endpoint will switch to the "alternate" rooted-in-ISRG Root X1 chain. Do we have a rough timeline of when that might be? I'm guessing it should be at some point in the next few months?