Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore.

https://letsencrypt.org/certificates/

Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA.
https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html

This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems.

lemur/plugins/lemur_acme/plugin.py

@@ -205,9 +205,15 @@ class AcmeHandler(object):
                 OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem
             ),
         ).decode()
-        pem_certificate_chain = orderr.fullchain_pem[
+
-            len(pem_certificate) :  # noqa
+        if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \
-        ].lstrip()
+                and datetime.datetime.now() < datetime.datetime.strptime(
+                    current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'):
+            pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")
+        else:
+            pem_certificate_chain = orderr.fullchain_pem[
+                len(pem_certificate) :  # noqa
+            ].lstrip()
 
         current_app.logger.debug(
             "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain))