Let's Encrypt issues RSA certificates through two CA chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust's vDST Root CA X3. The cross-signed chain ensures a high level of trust in Let's Encrypt certificates from the start.
In parallel, the default ISRG Root X1 CA has made its way into most trust stores over the years: the number of Android devices trusting ISRG Root X1 has grown from 66% to 93.9%. Now the time has come: the cross-signed chain will expire on September 30, 2024. ECDSA certificates issued through Let's Encrypt are not affected.
The expiry of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 (2016) and older) and systems that rely solely on the cross-signed chain and do not have the ISRG Root X1 chain in their trust store. From this point on, certificate validation will fail on these devices. It is therefore time to check the Root CA in use and the age of the clients.