We have some customers complaining they are receiving the expired DST X3 certificate and this is causing TLS sessions to fail to set up. I’ve seen posts from last year indicating this was a problem. Is Cloudflare still having this issue?
What edge certificates do you have issued under SSL/TLS?
As I’m guessing you are aware, this is likely related to DST Root CA X3 Expiration (September 2021) - Let's Encrypt. It’s not an issue with Cloudflare specifically but with older devices that have not updated their root certificate store.
If you have to support these devices then you should be able to change the CA used by Cloudflare if it’s currently using Let’s Encrypt. This can be done using the API and is explained here:
The main thing to note that will be different from last year is that Cloudflare has deprecated DigiCert as a CA, so I would recommend trying Google if you can - Certificate authorities · Cloudflare SSL/TLS docs.
Good morning. So yes, we’re aware of the expiration of the X3 root, but interestingly we do not see the X3 certificate in the certificate offer when viewing a packet capture.
We switched to Google this morning, waiting for the change to take effect. Currently, a curl/openssl check shows the LE cert is still in place. I’m unsure how long it takes for the new cert to percolate out to Cloudflare POPs.
The problem began when we moved an API workload to a Cloudflare worker last week, and now all of a sudden some customers are getting expired cert warnings. But, not all customers.
What’s incredibly odd about this problem is we were having zero issues with the LE certs when we had the workload hosted in a cloud provider, and the DNS records were proxied by Cloudflare. The certs presented by CF, in that case, were the LE certs issued from the R3 path just as it is now.
The issue isn’t your cert; it is the trust anchor on the client machine used to validate a Let’s Encrypt certificate.
They don’t have the DST X3 present. They only have the E1, X1, and X2 CAs.
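To make the trust-anchor point above concrete (and the earlier reply's remark that the failure comes from clients that have not updated their root store), here is a small model of how different client trust stores validate the chain a Let's Encrypt-backed edge sends. This is an added example, not code from the thread, from Cloudflare or from Let's Encrypt. Certificates are reduced to subject, issuer and notAfter, the leaf `CN=api.example.com` and the "today" date are constructed, and the hierarchy and dates mirror the public Let's Encrypt chain: R3 is issued by ISRG Root X1, and ISRG Root X1 was also cross-signed by DST Root CA X3, which expired on 2021-09-30 (the cross-sign itself expired on 2024-09-30). The `prefer_trusted` flag stands in for the difference between modern path builders, which stop as soon as an issuer is already a trusted root, and older OpenSSL 1.0.x-style builders that follow the server-sent chain all the way to its end before consulting the trust store.

```python
"""Model which client trust stores can validate a Let's Encrypt chain.

Added example for this thread; not code from Cloudflare, Let's Encrypt or
the posters. Certificates carry only subject/issuer/notAfter. The leaf and
the "today" date are constructed; the CA names and dates are the public ones.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Server-sent chain, leaf first, in the order `openssl s_client -showcerts`
# would list it. Only the leaf is constructed.
LEAF = Cert("CN=api.example.com", "CN=R3", date(2025, 1, 1))  # constructed
R3 = Cert("CN=R3", "CN=ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3", date(2024, 9, 30))
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # default LE chain during the transition
SHORT_CHAIN = [LEAF, R3]                # alternate chain without the cross-sign

# Self-signed roots that may sit in a client trust store.
ISRG_X1_ROOT = Cert("CN=ISRG Root X1", "CN=ISRG Root X1", date(2035, 6, 4))
DST_X3_ROOT = Cert("CN=DST Root CA X3", "CN=DST Root CA X3", date(2021, 9, 30))


def store(*roots):
    """Build a trust store keyed by root subject."""
    return {r.subject: r for r in roots}


def validate(chain, trust_store, today, *, prefer_trusted=True,
             enforce_root_expiry=True):
    """Walk the server-sent chain and report (ok, path-or-reason).

    prefer_trusted=True    : stop at the first issuer that is a trusted root
                             (modern path builders).
    prefer_trusted=False   : follow the server-sent chain to its end first
                             (older OpenSSL 1.0.x-style behaviour).
    enforce_root_expiry=False: accept an expired trust anchor, as old
                             Android versions do.
    """
    path = []
    for i, cert in enumerate(chain):
        if cert.not_after < today:
            return False, f"{cert.subject} expired on {cert.not_after}"
        path.append(cert.subject)
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if cert.issuer in trust_store and (prefer_trusted or nxt is None):
            root = trust_store[cert.issuer]
            if enforce_root_expiry and root.not_after < today:
                return False, f"trust anchor {root.subject} expired on {root.not_after}"
            path.append(root.subject)
            return True, " -> ".join(path)
        if nxt is None or nxt.subject != cert.issuer:
            return False, f"no path from {cert.subject}: issuer {cert.issuer} is not trusted"
    return False, "empty chain"


TODAY = date(2024, 3, 1)  # constructed: after DST X3 expiry, before the cross-sign expiry


def run_scenarios(today=TODAY):
    """Evaluate the chains against several representative client stores."""
    return {
        "updated client, long chain":
            validate(LONG_CHAIN, store(ISRG_X1_ROOT), today),
        "openssl-1.0.x-style client, long chain":
            validate(LONG_CHAIN, store(ISRG_X1_ROOT, DST_X3_ROOT), today,
                     prefer_trusted=False),
        "old android, long chain":
            validate(LONG_CHAIN, store(DST_X3_ROOT), today,
                     enforce_root_expiry=False),
        "old android, short chain":
            validate(SHORT_CHAIN, store(DST_X3_ROOT), today,
                     enforce_root_expiry=False),
        "stale store (DST X3 only), long chain":
            validate(LONG_CHAIN, store(DST_X3_ROOT), today),
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
```

The last scenario is the one the thread describes: a client whose store holds only the expired DST Root CA X3 and that enforces anchor expiry cannot validate the chain no matter which chain the edge sends, so the fix is on the client (add ISRG Root X1) or, as suggested above, to switch the edge certificate to a CA whose root those clients already trust. Running `validate` with a date after 2024-09-30 shows that the old-Android workaround also stops working once the cross-signed ISRG Root X1 itself expires.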
As requested by another party, here is the ticket number. 2600915
I don’t understand Cloudflare’s support. If a customer opens an urgent-level ticket, they’re just cool not replying to it? It’s been almost 24 hours with zero activity.