Expired "Let's Encrypt" certificate on old Firefox
Solution 1:
It should be enough to install the stand-alone ISRG Root X1
certificate (as opposed to the cross-signed version). Your version of Firefox supports multiple validation paths and will recognize that this is the same X1 in both cases. (Same situation as this post, for example.)
Use another browser to download the "Self-signed" ISRG Root X1 from letsencrypt.org, then go to Options → Advanced → Certificates → View Certificates → Authorities. Click "Import", select the downloaded .der or .pem file, and mark it as trusted for verifying websites.
(Alternatively, use the 'certutil' tool that comes with NSS; see certutil -H -A
.)
This isn't guaranteed to work with all Firefox and Mozilla versions ever released (in particular Firefox 31 got a brand new "mozilla::pkix" certificate validation module), but in my testing, even Firefox 24.7 accepts the installed ISRG root for websites that still send the DST cross-signed one. (Older versions don't even support TLS 1.2, so I did not test further.)