Updates in the coming weeks about let's encrypt


I am a complete beginner, sorry in advance if I express myself poorly…

To date, I have a server on which I run different services. To manage the traffic, I use traefik to route the traffic to the correct service.

Between my server and the outside world, I use Cloudflare’s free service to enhance my security.

To be able to use secure connections, I use Let’s Encrypt in the following way:

api:
  insecure: true      # serves the API and dashboard without authentication on Traefik's own entrypoint
  dashboard: true

entryPoints:
  http:
    address: :80
  https:              # this entrypoint's name was lost in the post; "https" is a placeholder
    address: :443

providers:
  docker:
    exposedByDefault: false
    watch: true

certificatesResolvers:
  # The two resolver names were lost in the post; "letsencrypt-staging" and "letsencrypt" are placeholders.
  letsencrypt-staging:
    acme:
      email: [email protected]   # address redacted in the post
      # Staging CA: useful while testing because of its relaxed rate limits, but its certificates
      # are not trusted by browsers or by Cloudflare's edge.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: acme.json
      httpChallenge:
        entryPoint: http
  letsencrypt:
    acme:
      email: [email protected]   # address redacted in the post
      storage: acme.json
      httpChallenge:
        entryPoint: http

log:
  level: DEBUG

A few days ago, I received an email from Cloudflare stating the following:


We are reaching out to inform you about an upcoming change that will impact the device compatibility of Let’s Encrypt certificates issued after May 15th, 2024. We are reaching out to you because we identified that you are currently using Let’s Encrypt certificates through Universal SSL, Advanced Certificate Manager, Custom Certificates, or SSL for SaaS. We recommend that you familiarize yourself with the Let’s Encrypt change and make any necessary adjustments ahead of time.

Change Overview

Let’s Encrypt issues certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has allowed Let’s Encrypt certificates to become widely trusted, while the pure chain developed compatibility with various devices over the last 3 years, growing the number of Android devices trusting ISRG Root X1 from 66% to 93.9%.

Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.


The expiration of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 and earlier) and systems that solely rely on the cross-signed chain and lack the ISRG Root X1 chain in their trust store. This change could result in certificate validation failures on these devices, potentially leading to warning messages or access problems for users visiting your website.

Impact to certificates issued through Universal SSL, Advanced Certificate Manager, or SSL for SaaS:

To prepare for the CA expiration, after May 15th, Cloudflare will no longer issue certificates from the cross-signed chain. Certificates issued before May 15th will continue to be served to clients with the cross-signed chain. Certificates issued on May 15th or after will use the ISRG Root X1 chain. Additionally, this change only impacts RSA certificates. It does not impact ECDSA certificates issued through Let’s Encrypt. ECDSA certificates will maintain the same level of compatibility that they have today.

Impact to certificates uploaded through Custom Certificates:

Certificates uploaded to Cloudflare are bundled with the certificate chain that Cloudflare finds to be the most compatible and efficient. After May 15th, 2024, all Let’s Encrypt certificates uploaded to Cloudflare will be bundled with the ISRG Root X1 chain, instead of the cross-signed chain. Certificates uploaded before May 15th will continue to use the cross-signed chain until that certificate is renewed.

Important Dates

May 15th, 2024: Cloudflare will stop issuing certificates from the cross-signed CA chain. In addition, Let’s Encrypt Custom Certificates uploaded after this date will be bundled with the ISRG X1 chain instead of the cross-signed chain.

September 30th, 2024: The cross-signed CA chain will expire.


To reduce the impact of this change, we recommend taking the following steps:

1 Change CAs: If your customers are making requests to your application from legacy devices and you expect that this change will impact them, then we recommend using a different certificate authority or uploading a certificate from the CA of your choice.

2 Monitoring: Once the change is rolled out, we recommend monitoring your support channels for any inquiries related to certificate warnings or access problems.

3 Update Trust Store: If you control the clients that are connecting to your application, we recommend upgrading the trust store to include the ISRG Root X1 chain to prevent impact.

I don’t quite understand the change they plan to make, and I’m not sure if it will affect my operation or not. If so, what exactly should I do?

Thank you in advance for your help!

If your site is proxied, then your origin SSL certificate doesn’t matter if using LetsEncrypt, as it will only see a client (Cloudflare’s servers) that trusts the ISRG Root X1 chain. It’s only an issue if your Cloudflare edge certificate is from LetsEncrypt and you want to support old clients (largely Android 7 or earlier).

If that is an issue for your user base, you can change to the GTS edge certificate using Advanced Certificate Manager.

If your site is not proxied, then you will have the same issue with not supporting older Android clients connecting directly to your origin.

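The reply above turns on one question: which root does the client ship, and which chain does the server send? The following Go program, added here as an illustration and not code from this thread, from Cloudflare or from Let’s Encrypt, makes that concrete with nothing but the standard library. It generates a throwaway hierarchy that borrows the names ISRG Root X1, DST Root CA X3 and R3 purely for readability (all keys and certificates are created at run time and are unrelated to the real CAs), gives the cross-signed "ISRG Root X1" the 2024-09-30 expiry mentioned in the email, and then checks the same leaf against two client trust stores. The hostname www.example.com, the validity windows other than that expiry, and the decision to keep the DST root itself valid so that only the cross-sign’s expiry varies are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a throwaway hierarchy shaped like the one in the Cloudflare email; names are borrowed for readability only.
type pki struct {
	isrgRoot  *x509.Certificate // self-signed "ISRG Root X1" (modern trust anchor)
	dstRoot   *x509.Certificate // self-signed "DST Root CA X3" (legacy trust anchor)
	isrgCross *x509.Certificate // "ISRG Root X1" issued by DST: the cross-sign, expiring 2024-09-30
	r3        *x509.Certificate // intermediate "R3", signed with the ISRG Root X1 key
	leaf      *x509.Certificate // end-entity cert for the assumed hostname www.example.com
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
func must(err error) {
	if err != nil {
		panic(err)
	}
}
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// mustCert signs tmpl (carrying pub) with the parent's key and returns the parsed certificate.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func buildPKI() *pki {
	isrgKey, dstKey, r3Key, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	isrgTmpl := caTemplate(1, "ISRG Root X1", date(2015, 6, 4), date(2035, 6, 4))
	isrgRoot := mustCert(isrgTmpl, isrgTmpl, &isrgKey.PublicKey, isrgKey)
	// Assumption: the DST root stays valid so that only the cross-sign's own expiry varies between scenarios.
	dstTmpl := caTemplate(2, "DST Root CA X3", date(2000, 9, 30), date(2030, 9, 30))
	dstRoot := mustCert(dstTmpl, dstTmpl, &dstKey.PublicKey, dstKey)
	// The cross-sign: same subject and public key as isrgRoot, issued by DST, NotAfter 2024-09-30 as in the email.
	crossTmpl := caTemplate(3, "ISRG Root X1", date(2021, 1, 20), date(2024, 9, 30))
	isrgCross := mustCert(crossTmpl, dstRoot, &isrgKey.PublicKey, dstKey)
	r3 := mustCert(caTemplate(4, "R3", date(2020, 9, 4), date(2030, 9, 15)), isrgRoot, &r3Key.PublicKey, isrgKey)
	leafTmpl := &x509.Certificate{ // a 90-day leaf whose lifetime straddles 2024-09-30
		SerialNumber: big.NewInt(5), DNSNames: []string{"www.example.com"},
		NotBefore: date(2024, 9, 1), NotAfter: date(2024, 11, 30),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, r3, &leafKey.PublicKey, r3Key)
	return &pki{isrgRoot: isrgRoot, dstRoot: dstRoot, isrgCross: isrgCross, r3: r3, leaf: leaf}
}

// validates reports whether a client accepts the leaf at time now. cross selects what the server
// sends (false: leaf+R3, the pure chain; true: leaf+R3+cross-signed ISRG Root X1); legacy selects the
// client's trust store (false: ISRG Root X1, i.e. a modern device or Cloudflare's edge fetching from
// an origin; true: only DST Root CA X3, the Android 7 case from the email).
func (p *pki) validates(cross, legacy bool, now time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if legacy {
		roots.AddCert(p.dstRoot)
	} else {
		roots.AddCert(p.isrgRoot)
	}
	inters.AddCert(p.r3)
	if cross {
		inters.AddCert(p.isrgCross)
	}
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.com", CurrentTime: now})
	return err == nil
}

func main() {
	p := buildPKI()
	before, after := date(2024, 9, 15), date(2024, 10, 15) // either side of the cross-sign expiry
	fmt.Println("modern client, pure chain:                      ", p.validates(false, false, before))
	fmt.Println("modern client, cross chain:                     ", p.validates(true, false, before))
	fmt.Println("legacy client, cross chain, before 2024-09-30:  ", p.validates(true, true, before))
	fmt.Println("legacy client, cross chain, after 2024-09-30:   ", p.validates(true, true, after))
	fmt.Println("legacy client, pure chain (issued after May 15):", p.validates(false, true, before))
}
```

The first two rows are the origin side of the reply: whatever chain Traefik serves, a client whose trust store contains ISRG Root X1 (Cloudflare’s edge included) builds a path to it, so a proxied origin is unaffected. The last three rows are the edge-certificate concern from the email: a client that only has DST Root CA X3 needs the cross-sign in the served chain, and loses even that once the cross-sign expires. Against a live host the same question is answered by looking at the chain `openssl s_client -connect host:443 -showcerts` prints and checking whether the last certificate is the cross-signed ISRG Root X1 (issuer DST Root CA X3) or whether the chain stops at R3.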

Thank you for your reply.
All my sites are proxied using Cloudflare. I’m using a free plan, thus Universal SSL. Is that OK then?
Indeed, my sites are not concerned with old Android 7… anyway.

