Recent announcement from CLOUDFLARE regarding LET’S ENCRYPT certificates

BACKGROUND: Two days ago, I received a message from CLOUDFLARE in which I was asked to take action. It is in regard to a change with LET’S ENCRYPT certificates that is to take effect from May 15, 2024. In a nutshell, the change is that from the aforementioned date CLOUDFLARE will stop issuing certificates from the cross-signed CA chain. As I understand it, CLOUDFLARE will only issue certificates using the ISRG Root X1 chain.

I do not have the slightest idea of what all that actually means in lay terms. The LET’S ENCRYPT certificates linked to some of the domains I have at CLOUDFLARE were created by my web hosting company, which renews them automatically every 90 days without any intervention at my end.

QUERY: Could you please advise what specific steps I should undertake at CLOUDFLARE to comply with the forthcoming changes? Alternatively, is it my hosting company that should take action instead of me at CLOUDFLARE?

If you’re using the automatically issued certificates in a normal setup (i.e., you haven’t uploaded your own certificates, or done anything unusual with your certificate setup), then you probably don’t need to do anything. The impact is that very old devices that haven’t had software updates in some years will no longer be able to connect to your site.

If, for example, you sell IoT devices and have an app that those devices connect to, and those devices work only with the old certificate chain, then you need to do something. If your audience for some reason is using Android 6, then you need to do something.

It doesn’t sound like any of this applies to you, so you don’t need to do anything.

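To make the "old devices" point concrete, here is an added example (not code from the thread, Cloudflare or Let's Encrypt) that simulates the two chains with freshly generated keys. The names "DST Root CA X3 (sim)", "ISRG Root X1 (sim)", "R3 (sim)" and the hostname www.example.test are constructed stand-ins, not the real certificates. The cross-signed certificate carries the same subject and public key as the self-signed root but is signed by the old root, which is exactly what lets a client that trusts only the old root build a path. Dropping it from the served chain breaks only that client; a client that already trusts the new root validates either chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1

// newKey returns a fresh P-256 key (this is a demo, so failures just panic).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for subject cn carrying pub, signed by parent/parentKey.
// A nil parent yields a self-signed root. Names here are simulated, not real CAs.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"www.example.test"} // constructed hostname
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Sim is a toy PKI shaped like the Let's Encrypt hierarchy discussed above.
type Sim struct {
	OldRoot, NewRoot, CrossSigned, Inter, Leaf *x509.Certificate
}

func BuildSim() *Sim {
	oldKey, newKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldRoot := issue("DST Root CA X3 (sim)", true, &oldKey.PublicKey, nil, oldKey)
	newRoot := issue("ISRG Root X1 (sim)", true, &newKey.PublicKey, nil, newKey)
	// Cross-sign: same subject and same public key as newRoot, but signed by the old root.
	cross := issue("ISRG Root X1 (sim)", true, &newKey.PublicKey, oldRoot, oldKey)
	inter := issue("R3 (sim)", true, &interKey.PublicKey, newRoot, newKey)
	leaf := issue("www.example.test", false, &leafKey.PublicKey, inter, interKey)
	return &Sim{oldRoot, newRoot, cross, inter, leaf}
}

// Verify reports whether leaf chains to one of roots using the served intermediates.
func Verify(leaf *x509.Certificate, inters, roots []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: "www.example.test"})
	return err == nil
}

// Results covers each client trust store against each served chain.
type Results struct {
	OldClientLongChain, OldClientShortChain, NewClientShortChain, NewClientLongChain bool
}

func Run(s *Sim) Results {
	longChain := []*x509.Certificate{s.Inter, s.CrossSigned} // what Cloudflare served before the change
	shortChain := []*x509.Certificate{s.Inter}               // ISRG Root X1 chain only
	oldStore := []*x509.Certificate{s.OldRoot}               // client that never got ISRG Root X1
	newStore := []*x509.Certificate{s.NewRoot}               // any reasonably updated client
	return Results{
		OldClientLongChain:  Verify(s.Leaf, longChain, oldStore),
		OldClientShortChain: Verify(s.Leaf, shortChain, oldStore),
		NewClientShortChain: Verify(s.Leaf, shortChain, newStore),
		NewClientLongChain:  Verify(s.Leaf, longChain, newStore),
	}
}

func main() {
	r := Run(BuildSim())
	fmt.Printf("old client, cross-signed chain: %v\n", r.OldClientLongChain)
	fmt.Printf("old client, ISRG-only chain:    %v\n", r.OldClientShortChain)
	fmt.Printf("new client, ISRG-only chain:    %v\n", r.NewClientShortChain)
	fmt.Printf("new client, cross-signed chain: %v\n", r.NewClientLongChain)
}
```

Only the second line comes out false: the old trust store cannot reach the new root without the cross-signed certificate in the served chain. To see which chain a live site actually sends, `openssl s_client -connect host:443 -servername host -showcerts` prints every certificate the server presents along with its issuer.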

Thank you very much, i40west. Just in case, I also sent a support query to the web hosting company together with the message received from CLOUDFLARE.

Having said that, and as an aside, just today I realised that some web hosting companies (specifically NAMECHEAP) allow clients to upload LET’S ENCRYPT certificates by themselves. By doing so clients save the fees, as NAMECHEAP does not offer FREE SSL certificates. However, clients must be aware of two issues:

(1) NAMECHEAP does not offer any support for the installation and maintenance of the LET’S ENCRYPT certificates, as they have no business partnership with them; and

(2) Clients need to renew their LET’S ENCRYPT certificates manually every 90 days. This is because NAMECHEAP doesn’t renew them automatically, as my web hosting company does.

Therefore, I assume that in a scenario like the one described above at NAMECHEAP, clients may need to take action if the domains involved are parked at CLOUDFLARE.

Nope. Definitely not an applicable example. The Let’s Encrypt certificates in the scenario you described have to be obtained directly from Let’s Encrypt by the Namecheap user. You cannot access the secret key used by Cloudflare Universal SSL, so those certificates cannot be used anywhere else.
