Currently some of my sites have Let’s Encrypt certificates, but as the DST Root CA X3 expired in September 2021, some of my users have a problem. Indeed, a lot of users can’t correctly validate these outdated SSL certificates with their old devices. It is not an option for me to ask them individually to fix the problem on their side; it is absolutely necessary to fix it on my side (server side).
If I understand correctly, there is a 25% chance of getting the Let’s Encrypt certificate: https://developers.cloudflare.com/ssl/ssl-tls/certificate-authorities. Obviously I have no idea of the real percentage of “bad luck” to get this Let’s Encrypt certificate, but as Cloudflare proposes 4 different ones, my calculation is therefore trivial.
I would actually like to have all but the Let’s Encrypt certificate. And this without having to pay for the “Advanced Certificate Manager”, which costs 10$ per month. Especially since I have many sites in this situation. And also because I don’t think it’s fair to be forced to pay if you have just a bit of bad luck to receive the bad certificates (please don’t be offended).
I tried the option that consists in disabling the Universal SSL for about ten minutes and reactivating it; unfortunately, Cloudflare still keeps delivering Let’s Encrypt certificates.
How can I solve my problem? I have already contacted Cloudflare’s support and they tell me that I should contact the community for help.
I know that the first possible workaround is obviously to deproxify my servers and use another CA of my choice, but I would like to be able to take advantage of Cloudflare’s main function (in my opinion), which is proxying.