Upcoming Let’s Encrypt Certificate Chain Change


We are posting this article to inform clients about an upcoming change that will impact the device compatibility of Let’s Encrypt certificates issued after 2024-05-15.


CHANGE OVERVIEW

Let’s Encrypt issues certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has allowed Let’s Encrypt certificates to be widely trusted, while compatibility with the ISRG Root X1 chain on its own has grown over the last 3 years: the share of Android devices trusting ISRG Root X1 rose from 66% to 93.9%.


IMPACT

The expiration of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 and earlier) and systems that rely solely on the cross-signed chain and do not have ISRG Root X1 in their trust store.
This change could result in certificate validation failures on these devices, potentially leading to warning messages or access problems for users visiting your website.


IMPORTANT DATES

2024-06-06: Let’s Encrypt will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.

2024-09-30: The cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.


RECOMMENDATIONS

To reduce the impact of this change, we recommend taking the following steps: 

  1. Change CAs: If your customers are making requests to your application from legacy devices and you expect that this change will impact them, then we recommend using a different certificate authority or uploading a certificate from the CA of your choice.
  2. Monitoring: Once the change is rolled out, we recommend monitoring your support channels for any inquiries related to certificate warnings or access problems.
  3. Update Trust Store: If you control the clients that are connecting to your application, we recommend updating the trust store to include ISRG Root X1 to prevent impact.
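
The check behind recommendation 3, as an added example (not code from this article or from Let’s Encrypt): it classifies a client trust store by whether it holds a self-signed ISRG Root X1 or only DST Root CA X3. The function names, result labels and the constructed sample entries are assumptions of the example.

```python
import ssl

ISRG_ROOT = "ISRG Root X1"    # root named in the article
DST_ROOT = "DST Root CA X3"   # cross-signing root named in the article


def common_name(name):
    """Extract commonName from a subject/issuer tuple as the ssl module formats it."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(ca_certs):
    """Classify a trust store from the dicts returned by SSLContext.get_ca_certs()."""
    if not ca_certs:
        return "no-certs-loaded"   # e.g. a hashed-directory store; nothing to judge
    self_signed = {
        common_name(c["subject"])
        for c in ca_certs
        if c["subject"] == c["issuer"]   # skips the cross-signed ISRG Root X1 copy
    }
    if ISRG_ROOT in self_signed:
        return "ok"          # can validate the short ISRG Root X1 chain
    if DST_ROOT in self_signed:
        return "affected"    # reaches Let's Encrypt only through the cross-sign
    return "untrusted"       # neither root is present


def audit(cafile=None):
    """Load a PEM bundle, or the platform default store, and classify it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return classify(ctx.get_ca_certs())


def entry(subject_cn, issuer_cn):
    """Constructed sample entry in get_ca_certs() shape (not a real certificate)."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),)}


if __name__ == "__main__":
    legacy = [entry(DST_ROOT, DST_ROOT), entry(ISRG_ROOT, DST_ROOT)]
    print("constructed legacy store:", classify(legacy))
    print("this machine's store:", audit())
```

get_ca_certs() does not list certificates that sit in a hashed directory and have not been loaded yet, so on such systems pass the PEM bundle path as cafile rather than relying on the default store.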

If you are a Managed VPS client, and have additional questions or concerns, please reach out to the SysOp Team.




KB Article Created: 2024-03-14
KB Article Updated: 2024-03-22
