Update TLS.md

document Let's Encrypt certificate changes

docs/TLS.md

@@ -5,12 +5,15 @@
 Starting with version 10.0.0.4, TLS now support dual mode, depending of the value of `SetOption132`:
 
 - `SetOption132 0` (default): the server's identity is checked against pre-defined Certificate Authorities. There is no further configuration needed. Tasmota includes the following CAs:
-  - [LetsEncrypt R3 certificate](https://letsencrypt.org/certificates/), RSA 2048 bits SHA 256, valid until 20250915
+  - (starting with 13.4.1.2) [LetsEncrypt X1 CA certificate](https://letsencrypt.org/certificates/), RSA 4096 bits, valid until 20300604
+  - (previously) [LetsEncrypt R3 certificate](https://letsencrypt.org/certificates/), RSA 2048 bits SHA 256, valid until 20250915
   - [Amazon Root CA](https://www.amazontrust.com/repository/), RSA 2048 bits SHA 256, valid until 20380117, used by AWS IoT
 - `SetOption132 1`: Fingerprint validation. This method works for any server certificate, including self-signed certificates. The server's public key is hashed into a fingerprint and compared to a pre-recorded value. This method is more universal but requires an additional configuration (see below)
 
 There is no performance difference between both modes.
 
+Because of [changes](https://letsencrypt.org/2024/04/12/changes-to-issuance-chains) in the Let's Encrypt certificate chain, Tasmota needs to be updated to at least version 13.4.1.2 to validate certificates generated by Let's Encrypt after June 6th 2024.
+
 ## Fingerprint Validation
 
 The fingerprint is now calculated on the server's Public Key and no longer on its Certificate. The good news is that Public Keys tend to change far less often than certificates, i.e. LetsEncrypt triggers a certificate renewal every 3 months, the Public Key fingerprint will not change after a certificate renewal. The bad news is that there is no `openssl` command to retrieve the server's Public Key fingerprint.