LE certs using new chain ahead of CF's announced May 15?

I have a client on CF and on March 30th when their CF-managed zone SSL cert renewed, it seems to have been given a new chain that then wasn’t trusted by one of their older systems.

I’m aware of Let’s Encrypt announcements & changes but Cloudflare’s docs say the change was going to happen May 15th and on: Let's Encrypt chain update · Cloudflare SSL/TLS docs

I understood it as only renewals after May 15th are affected. Are the docs wrong and it means that any new certs that expire after May 15th will be affected?

Also, is there any way to test these chains via CF to help verify any issues ahead of the deadline? A special subdomain per-zone would be cool.

I know I could test with certbot/LE myself but I think CF uses various heuristics for what chain to send to clients so that would also be nice to be able to test all the possible chains with CF proxying ahead of the deadline without the additional effort.

LE has some testing links but it’s only for expired & revoked root certs, not the new chains. BadSSL doesn’t look to have an LE one either.


The email was to announce the migration for Cloudflare users. If you are not using Let’s Encrypt certificates, then no action is needed.

This change should impact older devices (e.g. Android 7.0 and earlier), for those who are using Let’s Encrypt certificates.

Cloudflare will use the new chain from LE. If you are using Let’s Encrypt, and happy with the new chain that will be used by Cloudflare, then there is no action required from your end as well.

In the case that you are using Let’s Encrypt but are not happy with the migration, you need to either make sure the clients are up-to-date, switch to another CA, or use Custom Certs (as mentioned in the blog).
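For checking which chain a zone is currently serving, as the question above asks, here is an added example that is not part of the thread or of Cloudflare's tooling. It classifies `openssl s_client -showcerts` output by the issuer of the last certificate sent, relying on the older cross-signed Let's Encrypt chain ending in an issuer of DST Root CA X3 and the newer chain ending in ISRG Root X1 or X2. The hostnames and both sample chains are constructed.

```shell
#!/usr/bin/env bash
# Added example: report which Let's Encrypt chain a server sent to THIS client.
# Live use (example.com is a placeholder hostname):
#   openssl s_client -connect example.com:443 -servername example.com \
#     -showcerts </dev/null 2>/dev/null | classify_le_chain

classify_le_chain() {
  awk '
    /^ *[0-9]+ s:/ { certs++ }    # one "N s:<subject>" line per certificate sent
    /^ +i:/        { top = $0 }   # remember the issuer of the last certificate
    END {
      if (!certs)                      { print "no-chain", 0;        exit }
      if (top ~ /DST Root CA X3/)      { print "cross-signed", certs; exit }
      if (top ~ /ISRG Root X[12]/)     { print "isrg-root", certs;    exit }
      print "other", certs
    }'
}

# Constructed sample: chain section for the older, cross-signed chain.
sample_cross_signed() { cat <<'EOF'
Certificate chain
 0 s:CN = legacy.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: chain section for the newer chain that stops at ISRG Root X1.
sample_short() { cat <<'EOF'
Certificate chain
 0 s:CN = legacy.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

sample_cross_signed | classify_le_chain
sample_short | classify_le_chain
```

The result describes only the chain sent on that one connection, so run it from the system that is failing validation, or from a client configured like it.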
