Alternative certificates support doesn't seem to work or explanation is not clear #64

Open
sistoimenov opened this issue Jun 9, 2021 · 1 comment

@sistoimenov

We have some old Android devices which didn't recognize the certificate produced by this tool, and we noticed that the certificate doesn't contain the full chain, specifically the DST Root CA X3 certificate, which is needed for Android support until 2024 as stated by Let's Encrypt.

As stated in the --alternative parameter description, by default the certificate doesn't include this part, but we tried adding this parameter with different number options (we tried 0, 1, 2, 3, 4, 5) and the full chain was still not included. It is still unclear to us which number should be set so that the certificate includes the DST Root CA X3 root.

We use the latest binary version for Windows to generate the certificate - le64.exe v. 0.37

If I am wrong, can you provide an example of how to produce a certificate with the full chain so old Android devices can trust it? What we need is "root certificate with issuer DST Root CA X3" > "intermediate certificate with issuer ISRG Root X1" > R3 certificate

@do-know
Owner

do-know commented Aug 3, 2021

The default and the alternative certs contain the issuer cert + the domain cert basically. If the device requires trusting the root as well, those can be downloaded from https://letsencrypt.org/certificates/. I hope that helps.

P.S. Also see this deprecation notice - https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
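
What the reply above describes can be checked on the file the tool wrote. The following is an added example, not part of this thread or of the project's code: it lists the subject and issuer common name of each certificate in a PEM bundle with a minimal standard-library DER walk, and reports which issuer the client must already trust. `constructed_pem` and the two sample bundles are constructed stand-ins (unsigned skeletons named after the certificates mentioned above); names are compared by CN only and no signature is verified.

```python
import base64

CN_OID = bytes([0x06, 0x03, 0x55, 0x04, 0x03])  # DER-encoded OID 2.5.4.3 (commonName)

def _tlv(buf, pos):  # one DER element -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):  # every element inside a constructed value
    while start < end:
        tag, s, e = _tlv(buf, start)
        yield tag, s, e
        start = e

def _cn(buf, start, end):  # commonName of a DER Name (SEQUENCE of SET of SEQUENCE)
    for _, s, e in _children(buf, start, end):
        for _, s2, _ in _children(buf, s, e):
            if buf[s2:s2 + 5] == CN_OID:
                _, vs, ve = _tlv(buf, s2 + 5)
                return buf[vs:ve].decode("utf-8", "replace")
    return "(no CN)"

def subject_issuer(der):  # -> (subject CN, issuer CN) of one DER-encoded certificate
    _, s, e = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    f = [x for x in _children(der, s, e) if x[0] != 0xA0]  # drop optional [0] version
    return _cn(der, *f[4][1:]), _cn(der, *f[2][1:])  # f[4] is subject, f[2] is issuer

def describe_bundle(pem_text):
    """Return ([(subject, issuer), ...], linked in file order?, issuer of the last cert)."""
    blocks = pem_text.split("-----BEGIN CERTIFICATE-----")[1:]
    certs = [subject_issuer(base64.b64decode(b.split("-----END")[0])) for b in blocks]
    linked = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))  # CN match only
    return certs, linked, (certs[-1][1] if certs else None)

def _der(tag, body):  # short-form length only: the constructed samples stay under 128 bytes
    return bytes([tag, len(body)]) + body

def constructed_pem(subject, issuer):
    """Unsigned skeleton: [0] version, serial, sigAlg, issuer, validity, subject (constructed)."""
    names = [_der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode())))) for cn in (issuer, subject)]
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + names[0] + b"\x30\x00" + names[1]
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins: domain cert + issuer cert, then the same with one more cert appended.
AS_ISSUED = constructed_pem("example.test", "R3") + constructed_pem("R3", "ISRG Root X1")
WITH_CROSS_SIGN = AS_ISSUED + constructed_pem("ISRG Root X1", "DST Root CA X3")
```

To inspect a real file, pass its text to `describe_bundle`; the third return value is the issuer that has to be present in the device's trust store for the chain to validate.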
