Let's Encrypt DST Root CA X3 certificate set to expire

If you've been using Let's Encrypt for a while, you may have noticed that their certificates are signed by a root certificate titled DST Root CA X3.

That root certificate is set to expire in a few hours. Any certificates still signed by that root will no longer be valid. But luckily, that shouldn't form a problem for most Let's Encrypt users.

For a while now, new SSL issuances by Let's Encrypt have issued certificates against DST Root CA X3 (the one that is about to expire) and ISRG Root X1. The former will expire, the latter remains valid for years to come.

If Oh Dear detects you're sending along the older, about to expire, intermediate certificate in your certificate chain, we'll notify you to take action:

The fix would be to re-issue certificates or manually change the certificate chain in your configuration that you're sending along via your webserver.

While this will only affect much older devices (ie: iPhone 4 or older), we feel it's important we notify our clients should this affect them.

For more details, we kindly refer to the official Let's Encrypt explanation of their expiring root certificate.