Clarification about email "Upcoming Let's Encrypt certificate chain change"

I recently got an email with the subject “Upcoming Let’s Encrypt certificate chain change” and I and just trying to be absolutely sure I understand what it means and what is happening.

I’m not an expert on these certs, but I think I understand that the base certificate authority isn’t changing, only some possible ways for for you to verify it.

My problem is I have some IOT devices that have only a couple hard coded CAs (we are working on fixing that, but don’t have a timeline) and I need to be sure that the CA they are referencing is still good

The certificate they used to validate these requests is this one “ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1” that is specified on this page: Chain of Trust - Let's Encrypt

Just for my sanity can someone confirm that that certificate authority will continue to be valid after this change?


I was thinking if I was missing all the interesting emails :thinking:

But seems like it is about this one:

If you are already validating against “ISGR Root X1”, and that works fine, then you shouldn’t see any problems.

It should only affect devices that are depending on "“DST Root CA X3”.


Hi, what if I’m validating against ISRG Root X2.
Will that affected my sites too?
Since the notice didn’t mention anything about ISRG Root X2.
So, I’m a but confuse here.

May have been a bit quick on the keyboard, as it seems like I actually received the email as well, this morning…

That should be the exact same as above.

If you’re relying on older devices, that does not trust “ISGR Root X1” nor “ISGR Root X2”, and only have "“DST Root CA X3” in their trust store, it may cause problems for these devices.

OR, if you somehow have some certificate pinning in your applications, that are making the certificates depend on the validity of "“DST Root CA X3”, it will likely fail at that timestamp, if you’re not doing anything to mitigate before then.

In other words:

The way the two of you explain your concerns, it sounds like you are NOT depending on the "“DST Root CA X3” at all, and as such, it should not cause any problems for any of you.

However, none of the two of you have shared the actual source code from the application(s), that takes care of the certificate validation, or otherwise provided any references to to the source code (e.g. links to Git repositories), - so it would be tough for the Cloudflare Community (or anyone else), to give a definitive yes / no, based on that specific “lack of information”.

I have seen a lot of people in the past, believing they were doing something, but in reality, it turned out they were not actually doing the things exact as they expected.

Based solely on the explanations, that the two of you have provided above, it should not cause any problems for any of you.

I understand the confusion, especially as the mail I received earlier today, from Cloudflare, started the subject with "[Cloudflare - Action Required] ".

As that may not always be true that action is actually required, a better option for the start of the subject line could eventually have been “[Cloudflare - Action MAY BE Required]”.


This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.