Let's Encrypt 15th May DST Root CA X3

I had an email from Cloudflare suggesting the upcoming certificate chain change will affect me.
All my cert renewals are done on various different platforms (OS) using the acme.sh client.
All currently live issued certs show ISRG Root X1 - R3 - domain name on the cert.
Will the change affect older operating systems that are running the acme.sh client for renewal? Or does it only affect older operating systems that go to the site/server that is using the certificate?
How can I check I'm not using the cross-signed chain that is set to expire (Cloudflare will stop issuing)? We use Cloudflare over DNS to renew.
All acme.sh renewal clients are running the latest version of acme.sh.

The email you got from Cloudflare is for certificates they manage for you.

For certificates managed yourself via acme.sh, please see our announcement at Shortening the Let's Encrypt Chain of Trust - Let's Encrypt

The change doesn't affect the system which is running the client, but affects devices connecting to your website. The primary impact is old Android devices, before version 7.1.1.

An easier description of this situation might be the following:

Unless you have specifically and purposefully configured Cloudflare or your ACME clients to use the expiring "long chain" for compatibility with legacy platforms and devices, you will be essentially unaffected by this and have nothing to do.

If you are specifically and purposefully using the "long chain" for compatibility, Cloudflare is ending support on May 15th and you will need to migrate.

If you do not understand what I am saying above, the first scenario almost certainly applies and you have no actions to take.

Thank you for your reply! As far as I'm aware we are only using Cloudflare for DNS via the acme.sh client, nothing directly from them... So we use Cloudflare's API via acme.sh. Is it a blanket email to make Cloudflare users aware? Is there a way via CLI to see if any of my certs are providing the long chain? All certs are live and most have been renewed within the last month (I would expect that if I had any issues they would be present right now?).

Correct, it's just a blanket email to potentially affected Cloudflare users.

As @jvanasco said, since you're not sure which of your certs are providing the long chain or the short chain, I can virtually guarantee that you are unaffected by this change and don't need to do or worry about anything as a result.

If you do want to find out, there is a nice post from a couple of years ago by @griffin which mentions a way to check, as well as describing the general context.

The official explanation from Let's Encrypt is here:

As @aarongable says, if you didn't know this was a thing before, it's not likely that the change will affect you.

Here is Cloudflare's official discussion of the change:

The main potential impact they highlight is that about 3% of Android devices on the Internet may no longer be able to access sites that use Let's Encrypt certificates, unless the owners of those devices individually take additional steps (or replace them with newer devices!).

Thank you for your reply! Would you know how I would go about checking I'm NOT doing the below:
"If you are an ACME client author, please make sure that your client correctly downloads and installs the certificate chain provided by our API during every certificate issuance, including renewals. Failure modes we have seen in the past include a) never downloading the chain at all and only serving the end-entity certificate; b) never downloading the chain and instead serving a hard-coded chain; and c) only downloading the chain at first issuance and not re-downloading during renewals. Please ensure that your client does not fall into any of these buckets."

I think you would know if this was the case. You would be the developer of one of the pieces of software listed at

If you are not the developer of one of these pieces of software, the paragraph you mentioned isn't directed at you.

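For anyone who still wants a CLI answer to the two questions above (which chain a server actually serves, and whether it falls into failure mode "a", serving only the end-entity certificate), here is an added example; it is not code from this thread, from acme.sh or from Let's Encrypt. It assumes `openssl` is on the PATH, and the sample chains and hostname are constructed for illustration.

```shell
#!/bin/sh
# Classify the chain a TLS server actually sends, from the "s:" (subject) / "i:" (issuer)
# lines that `openssl s_client -showcerts` prints for each certificate it received.
# Reads that output on stdin and prints one word:
#   end-entity-only  - only the leaf was sent (failure mode "a" in the Let's Encrypt note)
#   long             - chain includes ISRG Root X1 cross-signed by DST Root CA X3
#   short            - chain ends at an intermediate issued by ISRG Root X1 (or X2)
chain_check() {
  out=$(cat)                                  # buffer stdin so it can be scanned twice
  depth=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
  if [ "$depth" -le 1 ]; then
    echo end-entity-only
  elif printf '%s\n' "$out" | grep -q 'i:.*CN *= *DST Root CA X3'; then
    echo long
  else
    echo short
  fi
}

# Query a live host (with SNI) and classify what it serves; needs network access.
check_host() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | chain_check
}

# Constructed samples in the layout OpenSSL 1.1.1/3.x prints (not captured from a real host).
sample_long_chain() {
  cat <<'EOF'
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}
sample_short_chain() {
  cat <<'EOF'
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}
sample_leaf_only() {
  cat <<'EOF'
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
EOF
}
```

Run `check_host your.domain.example` against each host you renew; "short" is the default chain acme.sh installs today, and "end-entity-only" means the web server is not serving the intermediate it was given.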
Thank you very much, that is most helpful! The email from Cloudflare would have been more useful if it said: "If you have very outdated mobile/computer clients they need to be updated or will cease to connect to the modern certificate!" This all appears to be CLIENT based, not server based; am I correct in that?

The people getting errors are users/clients connecting to (web)servers, but the persons who might need to take action to prevent that are server administrators.
