Help needed for Action Required: Upcoming Let's Encrypt certificate chain change

Received this rather technical email. [Cloudflare - Action Required] Upcoming Let’s Encrypt certificate chain change

I’m not very proficient in Certificates, chains etc. I have a blog site with CF.

Searched Cloudflare Community. The only topic I found has a “solved” answer which links to another technical article.

Can someone take one minute to explain it in layman’s terms please?

Thank you very, very much for it in advance!

In short, some old devices may not be able to connect to your site (or any Cloudflare Universal SSL site with a LetsEncrypt edge certificate) without a warning about the certificate trust. Largely this seems to be Android related as the certificate chain can’t be updated separately from the OS. The number of such devices is a small proportion of active Android devices (~1.13% of requests from Android devices currently seen by Cloudflare would then fail).

It could also be an issue if you have a lot of old IoT devices, since they likely have hard-coded certificate chains.

If you want to ensure these users can reach your site, using the Advanced Certificate Manager will allow you to choose a Google certificate instead of LetsEncrypt.

Details here…

1 Like

Thanks sjr!

So, if I have a website, and if someone using Android 7 or earlier visits it, they will not be able to view my website? Am I correct in understanding that?

1 Like

If they are not using Firefox, then correct.

Likely they will find a lot of sites (around 20%) won’t work for them since this will affect any site using a LetsEncrypt certificate. (They will get a certificate warning so could skip that).


Wow, I just looked at analytics and a significant number of visitors to my site use Chrome based browsers (Chrome, Opera, Edge, etc etc but not Firefox) using Android 7 or earlier. So that should impact them, right?

And am I correct to understand that I will need to purchase Advanced Certificate Manager if I want to serve my website to those users (using Google certificate etc)?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.