diff --git a/assets/root-certificates/letsencrypt/isrgrootx1.der b/assets/root-certificates/letsencrypt/isrgrootx1.der
new file mode 100644
index 000000000..9d2132e7f
Binary files /dev/null and b/assets/root-certificates/letsencrypt/isrgrootx1.der differ
diff --git a/src/login_param.rs b/src/login_param.rs
index c02a20978..560c8306e 100644
--- a/src/login_param.rs
+++ b/src/login_param.rs
@@ -11,8 +11,10 @@ use anyhow::Result;
 use async_std::io;
 use async_std::net::TcpStream;
 
+use async_native_tls::Certificate;
 pub use async_smtp::ServerAddress;
 use fast_socks5::client::Socks5Stream;
+use once_cell::sync::Lazy;
 
 #[derive(Copy, Clone, Debug, Display, FromPrimitive, PartialEq, Eq)]
 #[repr(u32)]
@@ -368,8 +370,18 @@ fn get_readable_flags(flags: i32) -> String {
     res
 }
 
+// this certificate is missing on older android devices (eg. lg with android6 from 2017)
+// certificate downloaded from https://letsencrypt.org/certificates/
+static LETSENCRYPT_ROOT: Lazy<Certificate> = Lazy::new(|| {
+    Certificate::from_der(include_bytes!(
+        "../assets/root-certificates/letsencrypt/isrgrootx1.der"
+    ))
+    .unwrap()
+});
+
 pub fn dc_build_tls(strict_tls: bool) -> async_native_tls::TlsConnector {
-    let tls_builder = async_native_tls::TlsConnector::new();
+    let tls_builder =
+        async_native_tls::TlsConnector::new().add_root_certificate(LETSENCRYPT_ROOT.clone());
 
     if strict_tls {
         tls_builder
@@ -430,4 +442,13 @@ mod tests {
         assert_eq!(param, loaded);
         Ok(())
     }
+
+    #[async_std::test]
+    async fn test_build_tls() -> Result<()> {
+        // we are using some additional root certificates.
+        // make sure, they do not break construction of TlsConnector
+        let _ = dc_build_tls(true);
+        let _ = dc_build_tls(false);
+        Ok(())
+    }
 }