Let's Encrypt chain update
Let’s Encrypt - one of the certificate authorities (CAs) used by Cloudflare - has announced changes in its chain of trust.1
To minimize impact, besides communicating the changes and providing recommendations early, Cloudflare will proceed as follows:
- Automatically switch to a different certificate authority the Cloudflare-managed certificates where you have not specifically chosen Let’s Encrypt.
- Notify you of Cloudflare-managed certificates that you specifically set to use Let’s Encrypt, and whether hostnames covered by these certificates are receiving requests from the impacted devices or systems.
- Start bundling Let’s Encrypt certificates uploaded to Cloudflare with the appropriate chains, as long as the bundling method is set to compatible or modern.
The first changes you might see - namely if you are still getting requests from legacy devices - will appear on September 9, 2024.
Refer to the sections below for more information on each of these actions and how they may reflect on the different certificate types.
The expiration of the cross-signed chain will primarily affect older devices, for example Android 7.0 and earlier. Systems that solely rely on the cross-signed chain, lacking the ISRG Root X1 chain in their trust store, will also be affected.
- June 2024: Cloudflare will start automatically changing the CA for managed certificates where you had not opted to use Let’s Encrypt.
- September 9, 2024: Cloudflare will stop using the cross-signed chain, both in certificate issuance and in certificate bundling.
- September 30, 2024: The cross-signed chain will expire.
Universal certificates will be automatically switched to a more compatible certificate authority (CA). You do not have to take any action to prepare for this change.
If you have specifically chosen Let’s Encrypt to issue your advanced certificates, Cloudflare will check if your domain has been impacted and will reach out to you by email.
The email will inform you which certificates are using Let’s Encrypt as their CA and whether or not their hostnames are receiving requests from clients impacted by the change.
You can also find the list of certificates that use Let’s Encrypt as the CA through the List Certificates API endpoint.
You can then manage your advanced certificates to use a different CA if you choose to do so.
For Total TLS, if you are concerned that using Let’s Encrypt might impact your visitors’ experience, go to SSL/TLS > Edge Certificates and make sure that a different certificate authority is selected in the Total TLS settings.
Cloudflare will not change Total TLS certificates automatically.
For custom certificates that use compatible or modern bundle method, and are uploaded before September 9, Cloudflare will continue to use the cross-signed chain until their expiry.
After September 9, 2024, all Let’s Encrypt certificates uploaded to Cloudflare will be bundled with the ISRG Root X1 chain, instead of the cross-signed chain.
For user-defined bundle method, Cloudflare always serve the chain that you upload.
If you upload Let’s Encrypt certificates using this method, it is recommended that certificates uploaded after September 30, 2024, do not use the cross-signed chain.
For custom hostname certificates that are specifically set to use Let’s Encrypt, no change will happen automatically.
Instead, Cloudflare will check the impact and reach out to you, as the SaaS provider, by email.
To prevent this change from impacting clients, we recommend switching the CA that you use before September 9, 2024. Refer to the options below to understand how to achieve this:
-
Use the Edit Custom Hostname ↗ endpoint to set the
certificate_authorityparameter to an empty string (""): this sets the custom hostname certificate to “default CA”, leaving the choice up to Cloudflare. Cloudflare will always attempt to issue the certificate from a more compatible CA, such as Google Trust Services ↗, and will only fall back to using Let’s Encrypt if there is a CAA record ↗ in place that blocks Google from issuing a certificate.Example API call
Terminal window curl --request PATCH \\https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames/{custom_hostname_id} \\--header "X-Auth-Email: <EMAIL>" \\--header "X-Auth-Key: <API_KEY>" \\--header "Content-Type: application/json" \\--data '{"ssl": {"method": "txt","type": "dv","certificate_authority": ""}}' -
Use the Edit Custom Hostname ↗ endpoint to set the
certificate_authorityparameter togoogle: this sets Google Trust Services as the CA for your custom hostnames.
-
Monitor inquiries from your visitors: Once Let’s Encrypt change is rolled out, it is recommended that you monitor your support channels for any inquiries related to certificate warnings or access problems.
-
Update trust store: If you control the clients that are connecting to your website or application, it is recommended that you update their trust store to include the self-signed ISRG Root X1 chain to prevent impact.
Let’s Encrypt has been issuing RSA certificates through two chains: the self-signed ISRG Root X1 chain, and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3.
As explained in the Let’s Encrypt announcement ↗, the cross-signed chain has allowed their certificates to be widely trusted, while the self-signed chain gradually developed compatibility with various devices.
As of late 2023, the number of Android devices trusting the self-signed ISRG Root X1 reached 93.9%, and Let’s Encrypt has decided to drop the cross-signed chain.
-
As the IdenTrust cross-sign (DST Root CA X3) expires on September 30, 2024, the self-signed ISRG Root X1 will be the only chain used for RSA certificates issued through Let’s Encrypt. Refer to Background or our blog ↗ for details. ↩