CLOUDFLARE: Upcoming Let's Encrypt certificate chain change

Today I received an e-mail from Cloudflare warning me that later this year there will be a change in how Let’s Encrypt certificates will be generated.

Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.

I do NOT understand enough to know how this might impact how I should be using Let’s Encrypt certificates on my pfSense-based firewall (ACME/HAProxy) and whether there are any adjustment(s) I can make before this change comes into effect?

Got the same e-mail, I guess. Just took a short look at it.

No news from Let’s Encrypt directly, so could it be that there is no impact on ACME/HAProxy?

The email has a link to a LE blog post where they describe what’s happening:

In the starting days of LE, its root certificate, ISRG Root X1, was not yet trusted by the major OS vendors. Therefore, it had to be cross-signed by an already-trusted root, namely IdenTrust’s DST Root CA X3. Today, most devices recognize ISRG Root X1 as a trusted root CA so there is no longer a need for the cross-signing. LE will phase out issuance of certificates in the cross-signed chain by September.

This is only relevant to users of LE because if their clients use old OS versions, they may start to flag sites using LE as insecure. But there is not really anything you can do about that anyway.

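The reply above explains the mechanism; what a pfSense/HAProxy operator actually wants to know is which of the two chains their listener is handing out. The Python below is an added example for this thread, not code from the thread, from pfSense, from the ACME package or from Let’s Encrypt. It walks a PEM bundle with a small stdlib-only DER parser, extracts the subject and issuer commonName of each certificate, and flags any certificate issued by DST Root CA X3, which is the tell-tale of the expiring cross-signed chain (the cross-signed ISRG Root X1 carries that issuer). The sample chains are constructed, unsigned, certificate-shaped blobs with made-up names ("www.example.com", "Constructed Intermediate"); real Let’s Encrypt certificates and intermediate names are deliberately not reproduced.

```python
import base64
import re

CN_OID = bytes.fromhex("550403")                   # 2.5.4.3 commonName
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # only used by the constructed samples


def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def _name_cn(data, start, end):
    """Pull commonName out of a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn_s, rdn_e in _children(data, start, end):
        for _, atv_s, atv_e in _children(data, rdn_s, rdn_e):
            _, oid_s, oid_e = _tlv(data, atv_s)
            _, val_s, val_e = _tlv(data, oid_e)
            if data[oid_s:oid_e] == CN_OID:
                return data[val_s:val_e].decode()
    return None


def cert_names(der):
    """Return (subject CN, issuer CN) of one DER-encoded certificate."""
    _, cert_s, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)              # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, iss_s, iss_e = fields[2]
    _, sub_s, sub_e = fields[4]
    return _name_cn(der, sub_s, sub_e), _name_cn(der, iss_s, iss_e)


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def chain_names(pem_text):
    """(subject CN, issuer CN) for every certificate in a PEM bundle, in file order."""
    return [cert_names(base64.b64decode(b64)) for b64 in PEM_RE.findall(pem_text)]


def served_chain_is_cross_signed(pem_text):
    """True when some certificate in the bundle was issued by DST Root CA X3,
    i.e. the bundle still carries the cross-signed ISRG Root X1."""
    return any(issuer == "DST Root CA X3" for _, issuer in chain_names(pem_text))


# --- constructed sample input: unsigned, minimal certificate-shaped DER, not real LE certs ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))   # CN as UTF8String
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject, issuer):
    """Build a blob with only the fields the parser reads; the signature is a dummy."""
    alg = _der(0x30, _der(0x06, SHA256_RSA_OID) + _der(0x05, b""))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                      # version v3
               + _der(0x02, b"\x01")                                # serialNumber
               + alg                                                # signature algorithm
               + _name(issuer)                                      # issuer
               + _der(0x30, _der(0x17, b"240101000000Z")
                      + _der(0x17, b"250101000000Z"))               # validity
               + _name(subject)                                     # subject
               + _der(0x30, b""))                                   # empty SubjectPublicKeyInfo
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Cross-signed path: leaf -> intermediate -> ISRG Root X1 (issued by DST Root CA X3)
CROSS_SIGNED_CHAIN = "".join(_pem(fake_cert(s, i)) for s, i in [
    ("www.example.com", "Constructed Intermediate"),
    ("Constructed Intermediate", "ISRG Root X1"),
    ("ISRG Root X1", "DST Root CA X3"),
])

# Default path: same chain without the cross-signed root; ISRG Root X1 must be in the client's trust store
DEFAULT_CHAIN = "".join(_pem(fake_cert(s, i)) for s, i in [
    ("www.example.com", "Constructed Intermediate"),
    ("Constructed Intermediate", "ISRG Root X1"),
])

if __name__ == "__main__":
    for label, bundle in (("cross-signed", CROSS_SIGNED_CHAIN), ("default", DEFAULT_CHAIN)):
        verdict = "still cross-signed" if served_chain_is_cross_signed(bundle) else "no DST Root CA X3 issuer"
        print(label, chain_names(bundle), verdict)
```

To check a live listener, save what `openssl s_client -connect host:443 -servername host -showcerts </dev/null` prints and pass it to `served_chain_is_cross_signed`. Note that the script only reads names; it does not verify signatures or validity, so it tells you which chain is being served, not whether that chain verifies. HAProxy serves whatever bundle it is handed, so if the answer is "still cross-signed" the place to look is the bundle the ACME package writes, not the HAProxy configuration.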

Based on that post by LE, this is actually good news for them. So for the rest of us it won’t have any impact on how we generate the certs, except for really old OSes. You can manually install their new root certificate in cases like that.