diff -Nru lecm-0.0.7/CHANGELOG.md lecm-0.0.9/CHANGELOG.md --- lecm-0.0.7/CHANGELOG.md 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/CHANGELOG.md 2021-01-12 11:05:57.000000000 +0000 @@ -1,5 +1,14 @@ # Change Log +## [0.0.9](https://github.com/Spredzy/lecm/tree/0.0.9) (2021-01-12) + +[Full Changelog](https://github.com/Spredzy/lecm/compare/0.0.7...0.0.9) + +**Merged pull requests:** + +- Get the intermediate certificate whenever needed [\#64](https://github.com/Spredzy/lecm/pull/64) ([fcharlier](https://github.com/fcharlier)) +- Certificate: Roll-out from X3 intermediate to R3 [\#63](https://github.com/Spredzy/lecm/pull/63) ([sbadia](https://github.com/sbadia)) + ## [0.0.7](https://github.com/Spredzy/lecm/tree/0.0.7) (2016-11-18) [Full Changelog](https://github.com/Spredzy/lecm/compare/0.0.6...0.0.7) diff -Nru lecm-0.0.7/contrib/packaging/rpm/lecm.spec lecm-0.0.9/contrib/packaging/rpm/lecm.spec --- lecm-0.0.7/contrib/packaging/rpm/lecm.spec 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/contrib/packaging/rpm/lecm.spec 2021-01-12 11:05:57.000000000 +0000 @@ -1,13 +1,13 @@ %global srcname lecm Name: %{srcname} -Version: 0.0.7 +Version: 0.0.9 Release: 1%{?dist} Summary: Let's Encrypt Certificate Manager License: ASL 2.0 -URL: http://pypi.io/pypi/%{srcname} -Source0: http://pypi.io/packages/source/l/%{srcname}/%{srcname}-%{version}.tar.gz +URL: https://pypi.io/pypi/%{srcname} +Source0: https://pypi.io/packages/source/l/%{srcname}/%{srcname}-%{version}.tar.gz Source1: lecm.cron Source2: lecm.1.gz @@ -55,6 +55,7 @@ %files %doc README.rst +%license LICENSE %{python3_sitelib}/%{srcname} %{python3_sitelib}/*.egg-info %{_bindir}/%{srcname} 
@@ -63,6 +64,10 @@ %config(noreplace) %{_sysconfdir}/cron.d/%{srcname} %changelog +* Tue Jan 12 2021 Yanis Guenane 0.0.9-1 +- Certificate: Roll-out from X3 intermediate to R3 +- Get the intermediate certificate whenever needed + * Fri Nov 18 2016 Yanis Guenane 0.0.7-1 - Service reload: Optimize the way services are reloaded #52 - Display a flag showing if conf and cert are in sync #51 diff -Nru lecm-0.0.7/debian/changelog lecm-0.0.9/debian/changelog --- lecm-0.0.7/debian/changelog 2019-09-29 10:36:01.000000000 +0000 +++ lecm-0.0.9/debian/changelog 2021-01-26 15:40:55.000000000 +0000 @@ -1,3 +1,15 @@ +lecm (0.0.9-1) unstable; urgency=medium + + * New upstream version 0.0.9 + * d/watch: Bump watch-file-standard + * d/control: + + Bump debhelper compat to 13 + + Bump Standards-Versions to 4.5.1 (no changes) + + Fix lintian odd-mark-in-description + * d/upstream: Fix lintian missing-bug-tracking + + -- Sebastien Badia Tue, 26 Jan 2021 16:40:55 +0100 + lecm (0.0.7-3) unstable; urgency=medium * d/control: diff -Nru lecm-0.0.7/debian/control lecm-0.0.9/debian/control --- lecm-0.0.7/debian/control 2019-09-29 10:36:01.000000000 +0000 +++ lecm-0.0.9/debian/control 2021-01-26 15:40:55.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Debian Let's Encrypt Team Uploaders: Sebastien Badia Build-Depends: acme-tiny, - debhelper-compat (= 12), + debhelper-compat (= 13), dh-python, pandoc, python3-all, @@ -14,7 +14,7 @@ python3-requests, python3-setuptools, python3-yaml -Standards-Version: 4.4.0 +Standards-Version: 4.5.1 Rules-Requires-Root: no Vcs-Browser: https://salsa.debian.org/letsencrypt-team/lecm Vcs-Git: https://salsa.debian.org/letsencrypt-team/lecm.git 
@@ -37,5 +37,5 @@ certificates according to a threshold; during the renewal operations lecm is also able to restart the web server. . - lecm take a yaml style configuration (default to /etc/lecm.conf),parameter can - be declared for all managed certificates or individually. + lecm take a yaml style configuration (default to /etc/lecm.conf), parameter + can be declared for all managed certificates or individually. diff -Nru lecm-0.0.7/debian/upstream/metadata lecm-0.0.9/debian/upstream/metadata --- lecm-0.0.7/debian/upstream/metadata 2019-09-29 10:36:01.000000000 +0000 +++ lecm-0.0.9/debian/upstream/metadata 2021-01-26 15:40:55.000000000 +0000 @@ -1,4 +1,8 @@ --- +Archive: GitHub +Bug-Database: https://github.com/spredzy/lecm/issues +Bug-Submit: https://github.com/spredzy/lecm/issues +Changelog: https://github.com/spredzy/lecm/tags Name: lecm Repository: https://github.com/spredzy/lecm.git Repository-Browse: https://github.com/spredzy/lecm diff -Nru lecm-0.0.7/debian/watch lecm-0.0.9/debian/watch --- lecm-0.0.7/debian/watch 2019-09-29 10:36:01.000000000 +0000 +++ lecm-0.0.9/debian/watch 2021-01-26 15:40:55.000000000 +0000 @@ -1,3 +1,3 @@ -version=3 +version=4 opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/lecm-$1\.tar\.gz/ \ https://github.com/Spredzy/lecm/tags .*/v?(\d\S*)\.tar\.gz diff -Nru lecm-0.0.7/lecm/certificate.py lecm-0.0.9/lecm/certificate.py --- lecm-0.0.7/lecm/certificate.py 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/lecm/certificate.py 2021-01-12 11:05:57.000000000 +0000 @@ -26,7 +26,7 @@ LOG = logging.getLogger(__name__) _INTERMEDIATE_CERTIFICATE_URL = \ - 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem' + 'https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem' _STAGING_URL = \ 'https://acme-staging.api.letsencrypt.org' 
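Review bot: `_INTERMEDIATE_CERTIFICATE_URL` in lecm/certificate.py still pins one intermediate by URL, so the next Let's Encrypt intermediate rotation will need another release, just as the X3 to R3 move did here. Nothing visible in this diff checks that the downloaded file is actually the issuer of the certificate it is later concatenated with, so a mismatch would presumably only show up as a broken chain on the web server. I would at least document the constraint above the constant, e.g. `# Must be the intermediate that signs newly issued certificates; update on every Let's Encrypt intermediate rotation.`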
@@ -105,14 +105,15 @@ utils.enforce_selinux_context(self.path) def _get_intermediate_certificate(self): - certificate = requests.get(_INTERMEDIATE_CERTIFICATE_URL).text certificate_name = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL) - - LOG.info('[global] Getting intermediate certificate PEM file: %s' % - certificate_name) if not os.path.exists('%s/pem/%s' % (self.path, certificate_name)): - with open('%s/pem/%s' % (self.path, certificate_name), 'w') as f: - f.write(certificate) + certificate = requests.get(_INTERMEDIATE_CERTIFICATE_URL).text + + LOG.info('[global] Getting intermediate certificate PEM file: %s' % + certificate_name) + if not os.path.exists('%s/pem/%s' % (self.path, certificate_name)): + with open('%s/pem/%s' % (self.path, certificate_name), 'w') as f: + f.write(certificate) def _create_account_key(self): account_key = crypto.PKey() @@ -257,6 +258,7 @@ LOG.debug('[%s] Concatenating certificate with intermediate pem: \ %s/pem/%s.pem' % (self.name, self.path, self.name)) + self._get_intermediate_certificate() pem_filename = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL) filenames = ['%s/certs/%s.crt' % (self.path, self.name), '%s/pem/%s' % (self.path, pem_filename)] @@ -287,10 +289,6 @@ self._create_filesystem() - certificate_name = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL) - if not os.path.exists('%s/pem/%s' % (self.path, certificate_name)): - self._get_intermediate_certificate() - # Ensure there is no left-over from previous setup # try: diff -Nru lecm-0.0.7/lecm/utils.py lecm-0.0.9/lecm/utils.py --- lecm-0.0.7/lecm/utils.py 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/lecm/utils.py 2021-01-12 11:05:57.000000000 +0000 
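Review bot: In `_get_intermediate_certificate` the response body is written to `pem/<name>` without checking the HTTP status or that it parses as a PEM certificate, and `requests.get` is called without a timeout. Since the file's existence is the only cache check, an error page or truncated body saved once is never re-fetched and ends up concatenated into the served pem. The call added in the `@@ -257,6 +258,7 @@` hunk also puts this fetch on the certificate creation path, where a hung connection would block the run. The inner `os.path.exists` test repeats the outer one and can go. The sketch below assumes `crypto` is the pyOpenSSL module already used by `_create_account_key`, and the 30 second timeout is a suggested value rather than one taken from the project.

```python
    def _get_intermediate_certificate(self):
        certificate_name = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL)
        pem_path = '%s/pem/%s' % (self.path, certificate_name)
        if os.path.exists(pem_path):
            return

        LOG.info('[global] Getting intermediate certificate PEM file: %s' %
                 certificate_name)
        response = requests.get(_INTERMEDIATE_CERTIFICATE_URL, timeout=30)
        response.raise_for_status()
        # Refuse to cache anything that does not parse as a certificate.
        crypto.load_certificate(crypto.FILETYPE_PEM, response.content)
        with open(pem_path, 'w') as f:
            f.write(response.text)
```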
@@ -126,7 +126,7 @@ if cur_environment != certificate.get('environment', 'production') or \ cur_subjectaltname != \ - 'DNS:%s' % ', DNS:'.join(cert_san): + 'DNS:%s' % ', DNS:'.join(sorted(cert_san)): return False return True diff -Nru lecm-0.0.7/lecm/version.py lecm-0.0.9/lecm/version.py --- lecm-0.0.7/lecm/version.py 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/lecm/version.py 2021-01-12 11:05:57.000000000 +0000 @@ -1 +1 @@ -__version__ = '0.0.7' +__version__ = '0.0.9' diff -Nru lecm-0.0.7/MANIFEST.in lecm-0.0.9/MANIFEST.in --- lecm-0.0.7/MANIFEST.in 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/MANIFEST.in 2021-01-12 11:05:57.000000000 +0000 @@ -1,3 +1,4 @@ include README.rst +include LICENSE include requirements.txt include sample/*.conf diff -Nru lecm-0.0.7/README.rst lecm-0.0.9/README.rst --- lecm-0.0.7/README.rst 2016-11-18 11:36:44.000000000 +0000 +++ lecm-0.0.9/README.rst 2021-01-12 11:05:57.000000000 +0000 @@ -59,7 +59,7 @@ ^^^^^^^^^^^ ``lecm --renew`` will renew SSL certificates already present on the filesystem -if its expiry date is lower than the ``remainin_days`` value. +if its expiry date is lower than the ``remaining_days`` value. ``--force`` @@ -168,7 +168,10 @@ --------------- ``lecm`` does not configure the webservers, they have to be previously -configured to be able to answer the challenges. +configured to be able to answer the challenges. NOTE: Let's +Encrypt will perform a plain HTTP request to port 80 on your server, so you +must serve the challenge files via HTTP. See the HTTP Challenge section +of the `ACME specification`_ for more details. httpd ^^^^^ @@ -203,3 +206,4 @@ .. _Let's Encrypt: https://letsencrypt.org/ .. _official Debian package for lecm: https://tracker.debian.org/pkg/lecm +.. _ACME specification: https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.3
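Review bot: Sorting only `cert_san` makes this comparison in lecm/utils.py depend on `cur_subjectaltname` being in sorted order too, and that value is built outside the hunk. If it is read from the certificate's SAN extension in the order the names were requested, a certificate issued from an unsorted list would be reported as out of sync on every run, which could trigger needless re-issuance. An order-independent comparison removes the coupling: `set(cur_subjectaltname.split(', ')) != set('DNS:%s' % name for name in cert_san)`. The enclosing function starts outside the hunk, so the exact format of `cur_subjectaltname` should be confirmed before applying this.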