Connectivity between database cluster nodes sounds like a bad use case for publicly trusted certificates. A private CA is going to be a much better solution there.
The reason for the change (from those notices) is:
This change is prompted by changes to Google Chrome’s root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs. Many uses of client authentication are better served by a private certificate authority, and so Let’s Encrypt is discontinuing support for TLS Client Authentication ahead of this deadline.
So you just let google dictate to you that there are no valid uses of client certificates at all, none, literally zero?
The same google that already enshittified email (by demanding ridiculously complicated "anti-spam" measures, that in reality don't work against spam at all, but only serve to make independent email servers difficult, and hence help their own monopoly), you let them enshittify PKI as well?
Well thank you very much.
(I am trying hard to remain polite. It is very difficult, because I am very angry).
And no, changing to self-signed certificates is not a quick solution. Whatever you do, certificate wise, has to be rolled out to the whole database cluster. The quickest way is to disable TLS. Now that increases security. Not.
a) nobody says that. It's just that certs with client auth need their own hierarchie, which is not something Let's Encrypt can offer, nor fits within the goals of LE.
b) Google can do whatever they want with the rules for their root program. If you don't abide, your root certs can (and probably will) be removed from their root store.
Nobody says that. We only say this has been announced quite a while back and there is no good reason why this suddenly would be a surprise.
And if you need a workaround until you have time to migrate to a private PKI (or a public PKI from some CA that's making a separate client root), you can use the "tlsclient" profile in a modern ACME client to get one more renewal in the meantime.
As an independent mail operator, I disagree. The email sender guidelines require SPF, DKIM, DMARC and TLS.
SPF and DMARC can be fulfilled by two TXT records, for example
@ TXT "v=spf1 a mx ~all"
_dmarc TXT "v=DMARC1;p=reject"
DKIM (email signing) does require software support however opendkim can be used as a filter to sign messages.
Overall, these provide an effective framework for rejecting unauthorized mail and provides accountability for sending mail.
Edit: Google are actually less restrictive than Microsoft and other mail operators as Google doesn't actually require rDNS if SPF passes or check against the policy block list (a list of IP addresses covering residential ISPs).