diff --git a/README.md b/README.md index 7ff3f92..31772d0 100644 --- a/README.md +++ b/README.md @@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile: Vendor installed cookbooks to the `cookbooks/` dir: berks vendor cookbooks/ --delete + +### "Expired" TLS certificates + +If you encounter expired TLS certificates during a Chef run (e.g. for remote +files), the issue is likely that the certificate has been issued by Let's +Encrypt and Chef is still using its own, outdated CA cert store (see +[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for +example). + +As a hotfix, you can manually remove the "DST Root CA X3" cert from +`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.
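Review bot: The hotfix in the last added paragraph tells the reader to hand-edit the trust store at `/opt/chef/embedded/ssl/cert.pem` but gives no safeguards. Please add a step to back the file up first, and say how to find the right entry, since removing the wrong block from a CA bundle silently changes which servers the Chef run trusts. It is also worth stating that the edit is per machine and lives inside Chef's embedded tree, so it has to be repeated on every node and may need to be reapplied if that file is replaced. Since the preceding paragraph names the outdated embedded CA store as the cause, a sentence pointing at the lasting fix (getting a current CA store onto the node) would keep this from being read as the permanent solution. Minor style point: the link text "here" says nothing about the target; something like "chef/chef#12126" reads better in a rendered README.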