Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers

Dina Kozlov
5 min read · advanced

Overview

The article discusses an upcoming change in the Let’s Encrypt certificate chain that will affect Cloudflare customers, particularly those using legacy devices. It highlights the transition from a cross-signed certificate chain with IdenTrust to the ISRG Root X1 chain, emphasizing the implications for device compatibility and the proactive measures Cloudflare is taking to mitigate potential issues.

What You'll Learn

1. How to prepare for the Let’s Encrypt certificate chain change
2. Why updating the trust store to include ISRG Root X1 is essential
3. When to consider switching to Google Trust Services as a certificate authority

Prerequisites & Requirements

  • Understanding of TLS certificates and certificate authorities
  • Access to client applications that connect to your service (optional)

Key Questions Answered

What will happen to the Let’s Encrypt cross-signed certificate chain?
The Let’s Encrypt cross-signed certificate chain with IdenTrust will expire on September 30, 2024. Cloudflare will stop issuing certificates from this chain on May 15, 2024, transitioning to the ISRG Root X1 chain for all future certificates. This change will primarily affect legacy devices that do not trust the ISRG Root X1.
How many Android devices will be affected by the Let’s Encrypt change?
Approximately 2.96% of all Android requests come from devices that will be affected by the change, specifically those running Android version 7.1.1 or older. However, more than 93.9% of Android devices already trust the ISRG Root X1.
What should clients do to mitigate issues from the certificate chain change?
Clients should update their trust store to include the ISRG Root X1 certificate. Additionally, if using certificate pinning, it is recommended to remove or update the pin to avoid issues during certificate renewals or CA changes.
What alternative can Cloudflare Enterprise customers use if they face issues?
Cloudflare Enterprise customers using Advanced Certificate Manager or SSL for SaaS can switch their certificate authority to Google Trust Services if they experience issues with the Let’s Encrypt chain change.

Key Statistics & Figures

  • Percentage of Android devices trusting ISRG Root X1: 93.9%
    This statistic indicates the growing compatibility of the ISRG Root X1 among Android devices.
  • Percentage of Android requests from affected devices: 2.96%
    This shows the relatively small impact on overall Android traffic due to the certificate chain change.
  • Percentage of Firefox requests from affected versions: 1.13%
    This indicates that the majority of Firefox users will not be impacted by the change.

Technologies & Tools

  • Let’s Encrypt (Certificate Authority): used to issue TLS certificates for secure communications.
  • Google Trust Services (Certificate Authority): an alternative certificate authority for Cloudflare Enterprise customers.

Key Actionable Insights

1. Update your client applications' trust stores to include the ISRG Root X1 certificate before May 15, 2024.
   This proactive measure will help ensure that clients do not encounter TLS errors or warnings when accessing domains secured by Let’s Encrypt certificates after the transition.
2. Consider removing certificate pinning from your applications to avoid complications during certificate renewals.
   Certificate pinning can lead to issues when the certificate authority changes, so it's advisable to avoid pinning unless absolutely necessary.
3. Monitor the adoption rates of Android 14 and its impact on device compatibility with ISRG Root X1.
   As Android 14 is expected to increase the percentage of devices that trust the ISRG Root X1, staying informed will help in planning for future transitions.
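To make the mechanism behind insight 1 concrete, here is an added example (not code from the original article or from Cloudflare) that models certificate path building for the Let’s Encrypt chain and shows why a client that trusts only the IdenTrust root fails once the cross-sign expires, while one that trusts ISRG Root X1 builds a shorter path that never touches the cross-signed certificate. The leaf and intermediate names, their expiry dates and the trust-store contents are constructed for illustration; only the cross-sign expiry date of September 30, 2024 comes from the page.

```python
"""Toy model of X.509 path building for the Let's Encrypt chain change.
Names and dates are constructed except the cross-sign expiry (2024-09-30)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Constructed server-sent chain: leaf, a Let's Encrypt intermediate, and the
# ISRG Root X1 certificate cross-signed by IdenTrust's DST Root CA X3.
LEAF = Cert("example.com", "R3", date(2024, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
SERVER_CHAIN = [LEAF, R3, ISRG_CROSS]

# Trust stores are modelled as sets of anchor names; anchors are matched by
# name only, mirroring legacy Android, which does not check root expiry.
LEGACY_STORE = {"DST Root CA X3"}                    # e.g. Android 7.1.1 or older
UPDATED_STORE = {"DST Root CA X3", "ISRG Root X1"}   # trust store after the fix
BEFORE_EXPIRY = date(2024, 9, 1)
AFTER_EXPIRY = date(2024, 10, 1)


def build_path(chain, trust_store, today):
    """Walk issuer links from the leaf until an issuer is a trust anchor.
    Returns the subjects on the validated path, or None if no path exists."""
    by_subject = {c.subject: c for c in chain}
    cert, path = chain[0], []
    while cert is not None and cert.subject not in path:
        if today > cert.not_after:
            return None                      # an expired certificate breaks the path
        path.append(cert.subject)
        if cert.issuer in trust_store:
            return path                      # reached a trusted root: done
        cert = by_subject.get(cert.issuer)   # otherwise keep walking the chain
    return None                              # issuer missing or a cycle: no anchor


if __name__ == "__main__":
    for store, day in [(LEGACY_STORE, BEFORE_EXPIRY), (LEGACY_STORE, AFTER_EXPIRY),
                       (UPDATED_STORE, AFTER_EXPIRY)]:
        print(sorted(store), day, "->", build_path(SERVER_CHAIN, store, day))
```

The legacy store validates only while the cross-signed ISRG Root X1 is unexpired; the updated store stops at the intermediate's issuer, so the cross-sign expiry is irrelevant to it.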

Common Pitfalls

1. Failing to update the trust store can lead to TLS errors for clients using legacy devices.
   Legacy devices may not trust the ISRG Root X1, resulting in access issues. Updating the trust store is crucial to maintaining secure connections.

Related Concepts

TLS Certificates
Certificate Authorities
Public Key Infrastructure (PKI)
Device Compatibility With Security Standards