On September 30, 2021, the trust anchor used by Lets Encrypt expired along with the intermediate certificate authorities signed by this anchor.
When those root and intermediate certificates expired, no change or disruption in the TLS termination at Cloudflare’s edge is expected as those anchors are no longer in use.
The reason why some older clients may have seen an expiration warning is, because they didn’t had the updated trust anchor installed on their systems and/or didn’t switch to the new trust anchor dynamically. Therefore, they strictly adhered to the outdated trust anchor and showed an expiration warning.
Even though us switching zones to our DigiCert CA fixed this issue, we do strongly recommend to regularly update the locally installed certificate authorities in this case to prevent similar issues in the future. Most modern operating systems do this automatically.
We can change the CA via ticket or this can be done via API call as well:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/[zone_id]/ssl/universal/settings" \
-H "X-Auth-Email: [email]" \
-H "X-Auth-Key: Global API Key" \
-H "Content-Type: application/json" \