Perhaps you and @lukecyca have already exhausted these avenues or your energy to work around this, but I’ve also been dealing with the expiration of this root certificate today, so have amassed some knowledge about what happened, why, and how to work around it.
The first problem is that the old ‘trusted root’ certificate that signed LE’s CA expired, and the new ‘trusted root’ isn’t contained in the trust store of many older software builds. This is relatively simple to fix, just install it manually. On Debian/Ubuntu-ish distros, this should involve acquiring the certificate (from here), placing it in /usr/local/share/ca-certificates (the filename must end in .crt) and running
The bigger / harder problem is that the recommended certificate chain that LE issues includes a hack to support older Android releases that OpenSSL prior to 1.1.0 (as found in e.g. Ubuntu 16.04) will fail to validate. Worse, I think it means that it’s impossible to make this certificate validate at all, even if installing all of its CAs manually. The solution here involves reconfiguring the ACME client on the server (e.g. certbot) to request the shortened chain that is compatible with older OpenSSL (sacrificing support for older Android). I think that VHS maintains this server itself, so this should be feasible. To do this, select the chain with CN “ISRG Root X1”; adding --preferred-chain "ISRG Root X1" to the certbot command should do it.
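After switching the ACME client to the “ISRG Root X1” chain, the thing to confirm is which chain the server actually sends now. The script below is an added example, not code from the thread or from certbot: it reads the “Certificate chain” block that `openssl s_client -showcerts` prints and classifies it as the long chain (ends in the ISRG Root X1 cross-signed by DST Root CA X3, the one older OpenSSL rejects) or the short chain (stops at ISRG Root X1). The function names, the `check_host` wrapper and the sample s_client output are all constructed for this example; only `check_host` needs network access.

```shell
#!/bin/sh
# Added example (not from the original post): classify the certificate chain a
# TLS server presents as the Let's Encrypt "long" chain (cross-signed ISRG Root
# X1 issued by the retired DST Root CA X3, rejected by OpenSSL < 1.1.0) or the
# "short" chain (stops at ISRG Root X1). Input is the "Certificate chain" block
# printed by `openssl s_client -showcerts`.

# Print the issuer of the last certificate in an s_client chain listing.
# s_client prints, per chain entry, a subject line and an issuer line, e.g.
#    0 s:CN = example.org
#      i:C = US, O = Let's Encrypt, CN = R3
# (older OpenSSL prints "s:/CN=..." with slashes; the CN text is the same).
last_issuer() {
    grep -E '^ *i:' | tail -n 1 | sed 's/^ *i://'
}

# Classify a chain listing read from stdin. Prints one word:
#   long  - final issuer is DST Root CA X3 (cross-signed root still included)
#   short - final issuer is ISRG Root X1 (chain stops at the modern root)
#   other - anything else (not a Let's Encrypt chain, or unexpected output)
classify_chain() {
    issuer=$(last_issuer)
    case "$issuer" in
        *"DST Root CA X3"*) echo long ;;
        *"ISRG Root X1"*)   echo short ;;
        *)                  echo other ;;
    esac
}

# Fetch the chain from a live host and classify it. Needs network access, so
# the offline test below does not call it. After renewing with
# --preferred-chain "ISRG Root X1", this should print "short".
check_host() {
    host=$1
    echo QUIT | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
        | classify_chain
}

# Constructed samples in the shape of real s_client output (not captures).
# A server still serving the default (long) chain:
SAMPLE_LONG="Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3"

# The same server after switching certbot to the "ISRG Root X1" chain:
SAMPLE_SHORT="Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1"

# Stand-alone run: classify both samples.
printf '%s\n' "$SAMPLE_LONG"  | classify_chain
printf '%s\n' "$SAMPLE_SHORT" | classify_chain
```

Run `check_host your.server.example` from a machine with network access; “long” means clients on OpenSSL 1.0.x will still fail, “short” means the --preferred-chain change has taken effect for new connections (but note that clients on old Android builds will now be the ones that cannot validate the chain).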