Let’s Encrypt Chain of Trust shortening

As of September 2021, the DST Root CA X3, under which certificates from Let’s Encrypt (the free provisioning service used for web hosting services in most control panels, including the widespread cPanel) were trusted, has expired. Let’s Encrypt extended the validation recognition of its SSL certificates by 3 years with a cross-signed CA modification, put in place to ensure that older devices and browsers can still access websites without users being affected by a certificate error message.

The cross-signed CA chain will expire on 30 September 2023 and will not be extended by Let’s Encrypt. Here is how users will be impacted:

  • Users with Android 7 or older will get an error message stating that the HTTPS website protected by the new Let’s Encrypt SSL certificates is not trusted and that the request was blocked.
  • Users of iOS 4 or older will hit the same wall, with an SSL error.
  • Users of Windows 8.1 or older who have not updated their system since 2016 will receive the same error.
  • Some other non-updated operating systems, including Linux and macOS, will give the same error on access.

Please also take into consideration that Cloudflare has announced that it will stop issuing certificates from the cross-signed CA as of 15 May 2024. Here is their update on this.

What to do as a website user?

As a workaround for most of the above, you can use one of the latest (newer than 2018) Mozilla Firefox browsers, which uses its own trusted certificate store.

What to do as a webmaster?

It is not certain that you will see a 5-10% decrease in your daily traffic, but if you do, the recommendation is to buy a dedicated paid SSL certificate, for example a Sectigo PositiveSSL certificate from SPEEDHUB.eu, starting from 6.99 Euro per year for Domain Validation only. For OV or EV, check our plans as well for the best SSL certificate prices.
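To see which chain a server currently serves, a webmaster can inspect the "Certificate chain" summary printed by `openssl s_client -connect HOST:443 -servername HOST`. The script below is an added example (not from this article or from Let’s Encrypt) that parses that summary and reports whether a certificate issued by DST Root CA X3 is still being served. The sample outputs, the hostname and the function names are constructed for illustration; R3 and ISRG Root X1 are the names of a Let’s Encrypt intermediate and root.

```python
import re

CROSS_SIGN_ROOT = "DST Root CA X3"  # the expired root named on this page
# CN in OpenSSL 1.0 ("/CN=R3"), 1.1 ("CN = R3") and 3.x ("CN=R3") output styles.
_CN = re.compile(r"CN\s*=\s*([^,/\n]+)")
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")

# Constructed sample: chain summary as printed by `openssl s_client` (hostname is made up).
LONG_CHAIN = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = shop.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Constructed sample: the same site after it stops serving the cross-signed certificate.
SHORT_CHAIN = LONG_CHAIN.split(" 2 s:")[0] + "---\n"

def _cn(dn):
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(depth, subject_cn, issuer_cn)] from the 'Certificate chain' section."""
    chain, in_chain, pending = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain summary (PEM "-----BEGIN" lines do not match)
        elif in_chain and _SUBJECT.match(line):
            m = _SUBJECT.match(line)
            pending = (int(m.group(1)), _cn(m.group(2)))
        elif in_chain and pending and _ISSUER.match(line):
            chain.append((*pending, _cn(_ISSUER.match(line).group(1))))
            pending = None
    return chain

def uses_cross_signed_chain(text):
    """True if any served certificate was issued by the expired cross-sign root."""
    return any(issuer == CROSS_SIGN_ROOT for _, _, issuer in parse_chain(text))

if __name__ == "__main__":
    for name, out in (("long", LONG_CHAIN), ("short", SHORT_CHAIN)):
        print(name, parse_chain(out), uses_cross_signed_chain(out))
```

A result of `True` means the server still sends the cross-signed certificate; `False` means it serves the shortened chain, so the older clients listed above will see the certificate error.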

Here is Let’s Encrypt’s news about this topic.