We relied on this cross-signed certificate to use with old tablets that don't have an upgrade. Can Let's Encrypt issue a new cross-signed certificate, or do we need to retire a few hundred tablets?
Let's Encrypt will not be getting another cross-sign. You can either figure out how to add Let's Encrypt's roots to the devices you're using, or use some other CA that has a root still in their trust store. (There are a few that are also free and use ACME, so you just need to point your ACME client at a different endpoint.) Or, if this is just an internal-use application, maybe use your own internal CA if you can get its root onto the devices. No publicly-trusted roots last forever, though. And you should be aware that if your devices aren't getting security updates, then even if they're communicating over HTTPS you shouldn't really consider the connection "secured".
This expiry should NOT have come as a surprise. It was announced way back in API Announcements - Let's Encrypt Community Support. I suggest "watching" this category using the bell icon in the top right.
Besides that I agree with everything Peter said above.
I am not sure how being or not being surprised has any relevance to the issue. I would personally assume there will be another cross-signed root, but even my assumption is irrelevant.
To the question asked: I am certain 99% of LE users have no idea you are dropping legacy support.
I beg to differ. Since 2024-06-07 Let's Encrypt's ACME server has not served any chain which included the now-expired ISRG Root X1 cross-signed by DST Root CA X3 intermediate certificate.
This date was explicitly chosen to be at least one lifetime of Let's Encrypt certificates, which is 90 days, before the cross-signed intermediate's expiry. Thus anybody relying on DST Root CA X3 should have gotten at least one certificate renewal with a chain which was not cross-signed by DST Root CA X3 before the actual expiry date of this cross-signed intermediate. Unless one manually changed the chain to include this cross-signed intermediate, but then one would assume that person actually knows what they're doing and would know about the upcoming expiration.
This. If software can't be updated, it will eventually become incompatible with the rest of the world (not just with Let's Encrypt certificates).
We won't be issuing a new cross-sign. I'm sorry for the inconvenience this has caused you. We understand that some older Android devices are affected, but they represent a relatively small fraction of currently in-use devices, so we have to choose where to spend our resources carefully, and there is significant staff time, compliance overhead and cost to obtain cross-signs which is no longer an appropriate use of our resources.
Some suggestions:
- Other CAs may offer certificates trusted by your device.
- If these run a custom application, you may be able to add the Let's Encrypt root to your application.
- If these devices are running a webpage only, some other browsers like Firefox for Android might work.
- You may be able to add the Let's Encrypt root CA to your devices.
I cannot provide more specific advice, but if you have any questions, we can try to answer them.
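As an added illustration, not code from this thread or from Let's Encrypt: the Go program below builds a constructed toy PKI with placeholder names (a "Legacy Device Root" standing in for DST Root CA X3, a "Modern CA Root" standing in for ISRG Root X1, and a cross-signed copy of the modern root issued by the legacy one) and runs Go's crypto/x509 verification to show what the posts above describe. A device that trusts only the legacy root accepts the old chain only while the cross-sign is valid, rejects the chain served once the cross-sign is dropped, and accepts it again after the modern root is added to its trust store, which is the fix suggested in the last post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var now = time.Now()

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// issue signs a CA or leaf cert for cn (holding pub) with parentKey; parent nil means self-signed. Toy PKI only.
func issue(cn string, ca bool, notAfter time.Time, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { parent = tmpl } // self-signed root
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// trustedBy reports whether chain[0] validates at time at to one of roots (the device's trust store), using chain[1:] as the served intermediates.
func trustedBy(chain []*x509.Certificate, at time.Time, roots ...*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain[1:] { ip.AddCert(c) }
	for _, r := range roots { rp.AddCert(r) }
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, CurrentTime: at})
	return err == nil
}

// Scenarios checks a device trusting only the legacy root against (0) the old chain carrying the cross-sign, (1) that chain
// after the cross-sign expires, (2) the chain served once the cross-sign is dropped, (3) that chain after the modern root is added.
func Scenarios() [4]bool {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	legacyKey, modernKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	tenYears, ninetyDays, crossExpiry := now.Add(87600*time.Hour), now.Add(2160*time.Hour), now.Add(24*time.Hour)
	legacyRoot := issue("Legacy Device Root", true, tenYears, &legacyKey.PublicKey, nil, legacyKey, 1)
	modernRoot := issue("Modern CA Root", true, tenYears, &modernKey.PublicKey, nil, modernKey, 2)
	// The cross-sign: the modern root's subject and key, but issued by the legacy root and expiring soon.
	crossSigned := issue("Modern CA Root", true, crossExpiry, &modernKey.PublicKey, legacyRoot, legacyKey, 3)
	inter := issue("Modern CA Intermediate", true, ninetyDays, &interKey.PublicKey, modernRoot, modernKey, 4)
	leaf := issue("device.example", false, ninetyDays, &leafKey.PublicKey, inter, interKey, 5)
	oldChain, newChain := []*x509.Certificate{leaf, inter, crossSigned}, []*x509.Certificate{leaf, inter}
	return [4]bool{trustedBy(oldChain, now, legacyRoot), trustedBy(oldChain, crossExpiry.Add(time.Hour), legacyRoot),
		trustedBy(newChain, now, legacyRoot), trustedBy(newChain, now, legacyRoot, modernRoot)}
}
```

Scenarios returns [true false false true]: only the expired cross-sign (1) and the cross-sign-free chain against the unchanged legacy store (2) fail.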