March 15 2024

Upcoming changes to the Let's Encrypt certificate chain and their impact for Cloudflare customers

Let's Encrypt changes certificate chain: Impact and actions for Cloudflare users on incompatible legacy devices.

Let's Encrypt, a publicly trusted certificate authority (CA) used by Cloudflare to issue TLS certificates, relied on two distinct certificate chains. One was cross-signed with IdenTrust, a global trusted CA that has been around since 2000, and the other was Let's Encrypt's own root CA, ISRG Root X1. Since the launch of Let's Encrypt, ISRG Root X1 has progressively gained greater device compatibility.

On September 30, 2024, the Let's Encrypt certificate chain cross-signed with IdenTrust will expire. To proactively prepare for this change, on May 15, 2024, Cloudflare will stop issuing certificates from the cross-signed chain and will instead use Let's Encrypt's ISRG Root X1 chain for all future certificates.

The change in the certificate chain will affect legacy devices and systems, such as Android devices in version 7.1.1 or earlier, as these rely exclusively on the cross-signed chain and do not have the ISRG X1 root in their trust store. These customers may encounter TLS errors or warnings when accessing domains protected by a Let's Encrypt certificate.

According to Let's Encrypt, more than 93,9% of Android devices already trust ISRG Root X1, and this number is expected to increase in 2024, especially with the release of Android version 14, which makes the Android trust store easily and automatically upgradeable.

From the data analysis, we found that, of all Android requests, 2,96% come from devices that will be affected by the change. Additionally, only 1,13% of all requests from Firefox come from affected versions, meaning that the majority (98,87%) of requests from Android versions using Firefox will not be impacted.

Preparation for change

If you're worried that the change will affect your customers, there are some things you can do to reduce the impact of the change. If you control clients connecting to your application, we recommend updating the trust store to include ISRG Root X1. If you use certificate pinning, remove or update your pin. In general, we discourage all customers from pinning their certificates, as this usually leads to problems during certificate renewals or CA changes.

Certificate pinning, also known as HTTP Public Key Pinning (HPKP), is a security technique that allows websites to associate specific certificates or public keys with their domain, thus preventing man-in-the-middle attacks caused by fraudulent certificates. This process allows customers to verify whether the certificate presented by the server during a TLS/SSL connection is indeed among those that the site owner has designated as trusted. If the certificate or public key does not match the “pinned” ones, the connection is rejected, increasing security against certificate authority compromises or improper certificate issuance.

While this change will affect a small portion of customers, we support the transition Let's Encrypt is making as it supports a more secure and agile Internet.

Embrace change to move towards a better Internet

Looking back, there have been numerous challenges that have slowed the adoption of new technologies and standards that have helped make the Internet faster, more secure, and more reliable.

Before Cloudflare launched Universal SSL, free certificates were not available. Instead, domain owners had to pay around $100 to get a TLS certificate. For a small business, this is a significant cost and without browser enforcement of TLS, this has significantly hindered TLS adoption for years. Insecure algorithms took decades to be deprecated due to lack of support for new algorithms in browsers or devices. We learned this lesson by deprecating SHA-1.

Supporting new security standards and protocols is vital to continuing to improve the Internet. Over the years, big and sometimes risky changes have been made to keep us moving forward. The launch of Let's Encrypt in 2015 was monumental. Let's Encrypt has allowed every domain to obtain a TLS certificate for free, paving the way for a more secure Internet, with around 98% of traffic now using HTTPS.

In 2014, Cloudflare launched Elliptic Curve Digital Signature Algorithm (ECDSA) support for Cloudflare-issued certificates and decided to issue ECDSA-only certificates to free customers. This increased adoption of ECDSA by pushing customers and web operators to make changes to support the new algorithm, which provided the same (if not better) security as RSA while also improving performance. In addition, modern browsers and operating systems are now built to constantly support new standards, so they can deprecate old ones.

To move forward in supporting new standards and protocols, we need to make the Public Key Infrastructure (PKI) ecosystem more agile. By retiring the cross-signed chain, Let's Encrypt is pushing devices, browsers and customers to support adaptable trust stores. This allows customers to support new standards without causing radical change. It also lays the groundwork for new certificate authorities to emerge.

Today, one of the main reasons why the number of available CAs is limited is that it takes years for them to become widely trusted, that is, without cross-signing with another CA. In 2017, Google launched a new public trust CA, Google Trust Services, which issued free TLS certificates. Even though they launched a few years after Let's Encrypt, they faced the same device compatibility and adoption challenges, which led them to cross-sign with GlobalSign's CA. We hope that by the time GlobalSign's CA expires, almost all traffic will be coming from a modern client and browser, meaning the impact of the change should be minimal.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds owns the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Facebook, Inc. owns the rights to Facebook®; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV This site is not affiliated, sponsored, or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a registered trademark at European level by MANAGED SERVER SRL Via Enzo Ferrari, 9 62012 Civitanova Marche (MC) Italy.

Back to top