diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index d6575c11..1f7e20dc 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -31,7 +31,7 @@ command2 = [
 ]
 def format_for_nginx(fullchain, output):
- """ nginx doesn't need the "compat"
+ """ We may want to strip ISRG Root X1 out
 """
 certs = []
 with open(fullchain, 'r') as pem:
@@ -42,7 +42,7 @@ def format_for_nginx(fullchain, output):
 certs += [cert]
 cert = ''
 with open(output, 'w') as pem:
- for cert in certs[:-1] if len(certs)>2 else certs:
+ for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
 pem.write(cert)
 # Wait for nginx to start
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 21effc52..83bc9d90 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -163,6 +163,11 @@ See the `python docs`_ for more information.
 .. _`python docs`: https://docs.python.org/3.6/library/logging.html#logging-levels
+The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send the ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1` but slows down the performance of modern devices.
+
+.. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
+
+
 Antivirus settings
 ------------------
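Review bot: The new docstring on format_for_nginx says what "we may want" but not what the function does or when the stripping happens. The code selects the certificate to drop by position (`certs[:-1]`), not by subject, so the docstring should state that assumption. Suggested wording: `""" Copy the PEM certificates from fullchain to output, dropping the last one (expected to be ISRG Root X1) when the chain has more than two entries and LETSENCRYPT_SHORTCHAIN is enabled. """`. The function body continues outside this hunk.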
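Review bot: `os.getenv('LETSENCRYPT_SHORTCHAIN', default="False")` returns a string, and the non-empty string "False" is truthy, so on the changed `for` line the new condition adds nothing when the variable is unset. The last certificate is still dropped whenever `len(certs)>2`, and setting the variable to `false` or `0` does not change that; only an empty value keeps the full chain. This contradicts the documented default of False in docs/configuration.rst, so deployments that need the full chain for older Android clients would still serve the short one. Parse the value explicitly, e.g. `shortchain = os.getenv('LETSENCRYPT_SHORTCHAIN', 'False').lower() in ('true', 'yes', '1')`, and test `len(certs) > 2 and shortchain`. The body of format_for_nginx starts outside this hunk.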