Upcoming Let's Encrypt certificate chain change

LawsHosting (Verified User, joined Sep 13, 2008, London UK)
It might be a stupid question
Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.
What is happening here? Is this just for developers, and/or old devices?

I use LE & Cloudflare for DNS and some (personal) sites via their proxy.....

Sorry if this has been asked before seeing the announcement was around July last year.
 
I want to know this too, because I just got an email from Cloudflare and they are telling me the same thing, so I'm worried about my server...
 
So no one knows yet whether it will have any impact on us ordinary users!?
 
I don’t know if I understand it wrong, but are they saying that all their customers will have to purchase an SSL certificate themselves from that date? At that time, the old authentication method will no longer be usable because of PROXY.
 
As far as I understand, most will keep working and only old devices could get issues like Android 7.
The expiration of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 and earlier) and systems that solely rely on the cross-signed chain and lack the ISRG Root X1 chain in their trust store. This change could result in certificate validation failures on these devices, potentially leading to warning messages or access problems for users visiting your website.

And this is also very important:
Additionally, this change only impacts RSA certificates. It does not impact ECDSA certificates issued through Let’s Encrypt. ECDSA certificates will maintain the same level of compatibility that they have today.

So the normal ISRG X1 chain will keep existing, only the cross-signed ISRG X1 chain will not. But as you can see, the modern ECDSA doesn't require this.

I don't know how this will affect older printers which send mail, like older HP printers which still use RSA/DSA certificates instead of ECDSA.

In DirectAdmin, as far as I'm aware, the default is already to use ECDSA. However, the hostname often -also- (so next to the ECDSA) has the RSA/DSA certificate. If I'm correct, that one might expire. Again, not 100% sure if that is what it means.

So as far as I could read from the article, we don't need to worry. However, I don't know about proxies and if they support ECDSA, but if they do, you don't have to worry either.
 
Thank you for your help.
 
Run and see:

Code:
# Count hits per Android major version 4-7 (the glob is quoted so the shell does not expand it)
grep -Eohi 'Android [4-7]' /var/log/httpd/domains/*.log --exclude='*.error.log' | sort | uniq -c

how many visits you have from Android 4-7. Sites where a certificate issued by Letsencrypt is used might become inaccessible over HTTPS for those devices. This is true unless you "protect" sites by proxying all their traffic over CloudFlare. This is how I understood the situation. Correct me if I am wrong.
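A more precise version of that log check, added here as an example and not part of the original post: the grep counts every Android 7 hit, while the announcement quoted above says Android 7.0 and earlier are the affected versions, so this script parses the User-Agent and splits on the minor version. The log lines are constructed samples in Apache combined format.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36"
203.0.113.6 - - [10/May/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.1.1; Moto G) AppleWebKit/537.36"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4.2; GT-I9505) AppleWebKit/537.36"
203.0.113.8 - - [10/May/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36"
203.0.113.9 - - [10/May/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')                 # last quoted field is the User-Agent
ANDROID_RE = re.compile(r'\bAndroid (\d+)(?:\.(\d+))?')  # major and optional minor version


def is_legacy_android(user_agent):
    """True for Android 7.0 and earlier: the versions the thread says lack ISRG Root X1."""
    m = ANDROID_RE.search(user_agent)
    if not m:
        return False
    major = int(m.group(1))
    minor = int(m.group(2) or 0)
    return major < 7 or (major == 7 and minor == 0)


def legacy_android_share(log_text):
    """Return (legacy_hits, total_hits, Counter of 'major.minor' for the legacy hits)."""
    legacy = Counter()
    total = 0
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue  # malformed line: no quoted User-Agent field
        total += 1
        ua = m.group(1)
        if is_legacy_android(ua):
            v = ANDROID_RE.search(ua)
            legacy[f"{v.group(1)}.{v.group(2) or 0}"] += 1
    return sum(legacy.values()), total, legacy


if __name__ == "__main__":
    hits, total, by_version = legacy_android_share(SAMPLE_LOG)
    print(f"{hits}/{total} requests from Android <= 7.0: {dict(by_version)}")
```

On a real server, read the access log files instead of SAMPLE_LOG; the share of legacy hits is what decides whether the chain change needs any action.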
 
This is true unless you "protect" sites by proxying all their traffic over CloudFlare.
But isn't this just the support which Cloudflare is stopping then?
As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.
So wouldn't the proxy miss the ssl also?

I could really be wrong with this too as I don't understand proxying anyway. So I'm just asking.
 
But isn't this just the support which Cloudflare is stopping then?

Does CloudFlare still provide certificates issued by LetsEncrypt? I don't use it for production, and my testing site is covered by a certificate from Google Trust Services LLC.

I could really be wrong with this too as I don't understand proxying anyway. So I'm just asking.

CloudFlare can be used in two modes: direct (DNS only) and proxy (when all traffic goes through CloudFlare).

By the way, a not very funny point here is that CloudFlare can perform a MITM attack on your sites. It already does, and who knows what they do with all the data they read.

The changes with LetsEncrypt do not affect sites which use CloudFlare in proxy mode. Other sites might become inaccessible over HTTPS for Android 4-7. Actually Android 4 is old enough that it requires TLS 1.0 (which I would expect to be disabled on DA servers).

My suggestion was check how much traffic you still have from those devices, and decide whether or not you need to take actions on the matter.
 
Does CloudFlare still provide certificates issued by LetsEncrypt?
If I'm correct yes they do, they only announced stopping with the cross-signed CA certificates, so those which support the older devices if I understood correctly.

Other sites might become inaccessible over HTTPS for Android
Ah okay, then I misunderstood the meaning of that cross-signed stuff. Thank you for explaining!
 