Expired LetsEncrypt Root Certificate

Older clients/browsers are failing since our domain uses LetsEncrypt Certificate through Cloudflare and it appears the Root CA for LetsEncrypt has expired for older clients.

Please look into this issue as this is affecting many sites using LetsEncrypt

{redacted}

What is your domain?

There are two potential problems. The first is that very old devices do not trust the current Let's Encrypt root certificate. They had been relying on the old LE root, but that has expired, and the trust store on the old devices has not been updated.

The second is that the old root is still being presented, and some clients do not deal with that as they are expected to do.


Our domain is ZetaMatic.com, we have a licensing server running which gets accessed by servers running Ubuntu 16.04 or Debian 8. Both these don’t recognise the Root CA any more. Is there a way to switch the CA provider from LetsEncrypt to DigiCert?

Any solutions?

That domain isn’t currently proxied by Cloudflare, so I can’t test the certs here, but here’s a similar thread:

Www is:


We tried the Disable/Wait/Enable approach, but it kept regenerating LetsEncrypt certificate only but not DigiCert or others.

Do you know if it issued a brand new Let’s Encrypt cert?

We are having the same issue. We have tried disabling Universal SSL and re-enabling it, but it is just giving us another Let's Encrypt one. Any ideas?


Yes it did!

@sdayman Any help on this? I am sure 100s of sites are stranded because of this issue.

From yesterday, my site Gadget Headline seems to be down sometimes or doesn’t load properly.
I have contacted cloudways and they said they’re working on it but not guaranteed when it’ll be fixed.
While launching Google Site Kit I’m getting - cURL error 35: Unknown SSL protocol error in connection to analyticsreporting.googleapis.com:443
So, it seems that let’s encrypt root certificate expiration has affected my site.

What to do now? Cloudways says it's best to use a third-party SSL certificate for now until it gets fixed. They offer a free Let's Encrypt certificate, which is activated.

So, should I just upload a new certificate on cloudways or do I need to adjust options on Cloudflare settings too?

I’m facing the same issue and a lot of websites are affected at the moment.
Older devices like Windows 7 are unable to access the website.
texma.in is routed through Cloudflare.

Problem:
R3 cert is expired.

Error

Your connection is not private
NET::ERR_CERT_DATE_INVALID


#2269920 @MoreHelp It's been more than 2 days and we are still waiting for a reply. At least let us know if you are working on a solution or whether we need to find other solutions.

A reply would be greatly appreciated…


We have the same problem with SSL certificate fully managed by CloudFlare. My site domain is https://poweredtemplate.com Please advise!

On September 30, 2021, the trust anchor used by Let's Encrypt expired along with the intermediate certificate authorities signed by this anchor.

When those root and intermediate certificates expired, no change or disruption in the TLS termination at Cloudflare’s edge is expected as those anchors are no longer in use.

The reason why some older clients may have seen an expiration warning is that they didn't have the updated trust anchor installed on their systems and/or didn't switch to the new trust anchor dynamically. Therefore, they strictly adhered to the outdated trust anchor and showed an expiration warning.

Even though switching zones to our DigiCert CA fixed this issue, we strongly recommend regularly updating the locally installed certificate authorities in this case to prevent similar issues in the future. Most modern operating systems do this automatically.

We can change the CA via ticket or this can be done via API call as well:

https://api.cloudflare.com/#universal-ssl-settings-for-a-zone-edit-universal-ssl-settings

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/[zone_id]/ssl/universal/settings" \
     -H "X-Auth-Email: [email]" \
     -H "X-Auth-Key: Global API Key" \
     -H "Content-Type: application/json" \
     --data '{"certificate_authority":"digicert"}'

Is that some sort of undocumented secret setting? I only see: Enabled (true/false)


Thanks!

This worked.

