What should you do?
For most of you, nothing at all! We’ve set up our certificate issuance so your environments will do the right thing in most cases, favoring broad compatibility. However, if you are running legacy operating systems, you’ll need to make sure of two things:
(1) your host or container must trust ISRG Root X1 (not just DST Root CA X3), and
(2) you must use OpenSSL version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.
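One way to check both conditions on a host or inside a container image is shown below. It is an added example, not code from the original post. It assumes the clients you care about use the same OpenSSL build and default trust store as the Python `ssl` module; the function names and the sample store are hypothetical.

```python
import ssl

ISRG_CN, DST_CN = "ISRG Root X1", "DST Root CA X3"

# Constructed sample: a trust store that carries only the older root.
SAMPLE_LEGACY_STORE = [{"subject": ((("commonName", DST_CN),),)}]

def openssl_ok(version_info, version_text="OpenSSL"):
    """True for OpenSSL >= 1.1.0, False for older, None for other libraries."""
    if not version_text.startswith("OpenSSL"):
        return None  # the requirement above is stated for OpenSSL only
    return tuple(version_info[:3]) >= (1, 1, 0)

def common_names(ca_certs):
    """Subject commonName values from SSLContext.get_ca_certs()-style dicts."""
    return {value
            for cert in ca_certs
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"}

def assess(ca_certs, version_info, version_text="OpenSSL"):
    """Evaluate both conditions; 'ok' needs the root AND the library version."""
    names = common_names(ca_certs)
    trusts_isrg = ISRG_CN in names
    lib = openssl_ok(version_info, version_text)
    return {
        "trusts_isrg_root_x1": trusts_isrg,
        "only_dst_root": DST_CN in names and not trusts_isrg,
        "openssl_1_1_0_or_later": lib,
        "ok": trusts_isrg and lib is True,
    }

if __name__ == "__main__":
    # Caveat: get_ca_certs() omits roots that live only in a capath directory
    # until they have been used, so a False here can be a false negative.
    ctx = ssl.create_default_context()
    live = assess(ctx.get_ca_certs(), ssl.OPENSSL_VERSION_INFO, ssl.OPENSSL_VERSION)
    print(ssl.OPENSSL_VERSION, live)
    print("constructed legacy store on 1.0.2:",
          assess(SAMPLE_LEGACY_STORE, (1, 0, 2, 11, 15)))
```

A host that trusts ISRG Root X1 but links OpenSSL 1.0.x is still reported as not ok, which is the case described in point (2).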