Should we move the certificate transition page to a different CA?

Not a cross-sign, but just a leaf cert for transition.letsencrypt.org.
If we leave it as is, users who need to see this page will just see a certificate error. I think we should host some transition page. While Chrome's own root store will make certificate download error-free, there are just 2 months left, so I don't expect Chromium will move to its own root store in time.

1 Like

I'm not sure what transition you are looking to be conveyed on that page, can you please elaborate?

We have a blog post about our upcoming root transition:


And corresponding information in the API announcements:

If this is a transition to new intermediates, we have this blog post


with more information about the certificates here:

1 Like

But as those pages use an LE cert, those who visit after the root change will just see a cert error.

1 Like

Sounds like a classic catch-22.

You would know why you're seeing an error on this page now if you had read this page before the error was shown.

Put another way:
You need to read the unreadable page to know why it's unreadable.

2 Likes

Which browsers do you believe won't be able to reach the page? ISRG Root X1 is in all the major browsers. It's not in Windows 10 20H1, from what I can tell, but that's very different from suggesting everyone visiting the site will receive a certificate error when it goes live.

1 Like

Any Android before 7.1.1

1 Like

The problem exists if there will be a significant quantity of people who will be affected. I don't think the disenfranchised will be too concerned about the general experience. :slightly_smiling_face:

2 Likes