Still getting DST Root CA X3 as the root?

We got a load of SSL warnings from our sites yesterday, and it looks like they all have well in date certs, but they are all using the Lets Encrypt DST Root CA X3 and the intermediate R3 that will expire in < 1 week.

I’ve even just create a new site and new cert via certify the web and
openssl.exe s_client -connect
is still showing:

Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

This is all on Windows with IIS. Do I need to manually install the new ISRG Root X1 manually on the server somehow? I’ve been reading thread after thread here and elsewhere and I’ve not been able to work it out.

update: Even after upgrading to 5.5.4 and rebooting - the ISRG Root X1 is now there, but requesting a new cert still appears to use the old chain

Hi Nigel, please review the pinned post Upcoming expiry of DST Root CA X3 and R3 intermediate for Let's Encrypt

Is openssl still reporting the old chain or is it windows? If it’s windows, you can ignore that (it’s specific to the machine you are on and which R3 intermediate it chooses to follow).

If openssl says you still have the old chain that’s different.

Feel free to open a support ticket if you don’t want to share your domain here.

I should add, its normal to see a chain of either:

Leaf > R3 > ISRG Root X1 > DST Root CA X3


Leaf > R3 > ISRG Root X1

and it just depends which roots you have in your store.

The one you don’t want anymore is:

Leaf > R3 > DST Root CA X3

Apologies - I realize I never followed up on this.
OpenSSL kept reporting the old chain and the windows “show certificate” would return different chains depending on how you got to that dialog box.

We had to remove the R3 cert in a few places using CertMgr and then in the end - using Help thread for DST Root CA X3 expiration (September 2021) - #791 by webprofusion - Help - Let's Encrypt Community Support - removed it via the registry for the system user and rebooted. Then requesting new certificates worked ok.

Thanks, our latest knowledge base article is Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs

The basic remedy we propose is you install the latest version of the Certify The Web app, which remove the need for you to do other certificate store maintenance, then you reboot your server to clear cached chains.

You can check your served certificate chain (which can be different to the chain that the client decides to use) using - as you know clients with out of date trust stores will continue to have issues, so if you need to you can optionally change certificate authority in the app: Certificate Authorities | Certify The Web Docs (e.g. to ZeroSSL)

Hi - thanks. Yes - we did all that, but still seemed to get the wrong chain. It puzzled us for ages - but got there in the end.