Total TLS and Google Trust

What is the name of the domain?

multiple

What is the error number?

no err

What is the issue you’re encountering?

Switching from LetsEncrypt

What steps have you taken to resolve the issue?

I have 20 sites on CF. Looks like I have to purchase Advanced Certificate manager for each one ($10x20=$200 a month) in order to switch to Google Trust.

Is that the deal?

Worth noting: I do almost all my hosting on WP Engine.

I got the idea I could just select Total TLS, pick Google Trust, and be done.

Total TLS is part of ACM, and issues a separate certificate for each subdomain of a site, rather than using a wildcard certificate.

Is there a particular reason you want to use GTS?

CF is recommending switching from LetsEncrypt. – Let’s Encrypt, a publicly trusted certificate authority (CA) that Cloudflare uses to issue TLS certificates, has been relying on two distinct certificate chains. One is cross-signed with IdenTrust, a globally trusted CA that has been around since 2000, and the other is Let’s Encrypt’s own root CA, ISRG Root X1. Since Let’s Encrypt launched, ISRG Root X1 has been steadily gaining its own device compatibility.

On September 30, 2024, Let’s Encrypt’s certificate chain cross-signed with IdenTrust will expire. After the cross-sign expires, servers will no longer be able to serve certificates signed by the cross-signed chain. Instead, all Let’s Encrypt certificates will use the ISRG Root X1 CA.

Most devices and browser versions released after 2016 will not experience any issues as a result of the change since the ISRG Root X1 will already be installed in those clients’ trust stores. That’s because these modern browsers and operating systems were built to be agile and flexible, with upgradeable trust stores that can be updated to include new certificate authorities.

The change in the certificate chain will impact legacy devices and systems, such as devices running Android version 7.1.1 (released in 2016) or older, as those exclusively rely on the cross-signed chain and lack the ISRG X1 root in their trust store. These clients will encounter TLS errors or warnings when accessing domains secured by a Let’s Encrypt certificate. We took a look at the data ourselves and found that, of all Android requests, 2.96%

CF email says it is easy to select Total TLS and then GTS and boom, you are done. For me it looks like 20 minutes per site and $250/month to cover 2016 Androids. I am a single-person consultant and that bites a bit.

Technically I wonder if a certificate for most of my sites is even necessary given Cloudflare.

Cloudflare stopped issuing LE certificates from June where Cloudflare determines the CA (so Universal SSL), see…

You should not have any LE certificates that expire after 30 September.
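For anyone with a couple of dozen sites who wants to verify which CA each edge certificate now comes from, here is an added Python example (not from anyone in this thread, and not Cloudflare's tooling). It parses the chain summary that `openssl s_client -showcerts -connect host:443 -servername host` prints (OpenSSL 3.x layout) and flags a Let's Encrypt leaf that outlives the 30 September 2024 cross-sign expiry. The two chain summaries are constructed samples for hypothetical hosts and assumed to follow those CAs' usual DN layout.

```python
import re
from datetime import datetime, timezone

# Constructed `openssl s_client -showcerts` chain summaries (OpenSSL 3.x layout,
# PEM blocks stripped) for two hypothetical proxied sites; not real hosts.
SITE_LE = """\
Certificate chain
 0 s:CN = example-a.test
   i:C = US, O = Let's Encrypt, CN = R11
   v:NotBefore: Aug  1 00:00:00 2024 GMT; NotAfter: Oct 30 23:59:59 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
"""
SITE_GTS = """\
Certificate chain
 0 s:CN = example-b.test
   i:C = US, O = Google Trust Services, CN = WE1
   v:NotBefore: Sep  1 00:00:00 2024 GMT; NotAfter: Nov 30 23:59:59 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WE1
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
"""
CROSS_SIGN_EXPIRY = datetime(2024, 9, 30, tzinfo=timezone.utc)  # date given in the thread
ENTRY = re.compile(r"^ *\d+ s:(?P<s>.*)\n *i:(?P<i>.*)\n(?: *a:.*\n)? *v:NotBefore: "
                   r"(?P<nb>.*); NotAfter: (?P<na>.*)$", re.M)

def dn_field(dn, key):  # pull one attribute (O, CN, ...) out of a one-line DN
    m = re.search(rf"\b{key} = ([^,]+)", dn)
    return m.group(1).strip() if m else ""

def parse_chain(text):
    """Return [(subject, issuer, not_after)] in the order the server sent them."""
    out = []
    for m in ENTRY.finditer(text):
        na = datetime.strptime(m["na"].strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        out.append((m["s"].strip(), m["i"].strip(), na))
    return out

def assess(text):
    """Which CA issued the leaf, and does the served chain still lean on the
    IdenTrust cross-sign (DST Root CA X3) that Android <= 7.1.1 relied on?"""
    chain = parse_chain(text)
    leaf_subject, leaf_issuer, leaf_na = chain[0]
    ca, issuers = dn_field(leaf_issuer, "O"), [c[1] for c in chain]
    via_cross_sign = any("DST Root CA X3" in i for i in issuers)
    findings = []
    if ca == "Let's Encrypt" and leaf_na > CROSS_SIGN_EXPIRY:
        findings.append("LE leaf outlives the cross-sign expiry; Android <= 7.1.1 will get TLS errors")
    if ca == "Let's Encrypt" and not via_cross_sign:
        findings.append("chain ends at ISRG Root X1 only (no IdenTrust cross-sign served)")
    return {"site": leaf_subject, "ca": ca, "not_after": leaf_na, "via_cross_sign": via_cross_sign,
            "root": dn_field(issuers[-1], "CN"), "findings": findings}
```

Run it over each site's saved `s_client` output; a site reporting `ca` of `Let's Encrypt` with a `not_after` past 30 September is one to revisit.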

So what do I replace them with? I have 10 or 15.
Does Universal SSL cover me? – Your plan includes a shared Cloudflare Universal SSL certificate. Will WPEngine recognize that?

Check that you are using WPEngine with O2O so requests are passing through your account by using their CNAME and not their IP addresses as here…

(If you don’t do this, your certificate selection may be controlled by WPEngine).

Then your Universal SSL should not have any LE certificates after 30 September.

I was not aware of O2O, but yes, I use proxied CNAMEs for most and will switch the others. Thanks for the advice.