Cloudflare changes coming.


Kyrunner

Please see below. I just received this. Will this affect Emby and Nvidia Shields?

 

We are reaching out to inform you about an upcoming change that will impact the device compatibility of Let’s Encrypt certificates issued after May 15th, 2024. We are reaching out to you because we identified that you are currently using Let’s Encrypt certificates through Universal SSL, Advanced Certificate Manager, Custom Certificates, or SSL for SaaS. We recommend that you familiarize yourself with the Let’s Encrypt change and make any necessary adjustments ahead of time. 

 

Change Overview

Let’s Encrypt issues certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has allowed Let’s Encrypt certificates to become widely trusted, while the pure chain developed compatibility with various devices over the last 3 years, growing the number of Android devices trusting ISRG Root X1 from 66% to 93.9%. 

 

Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.

 

Impact

The expiration of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 and earlier) and systems that solely rely on the cross-signed chain and lack the ISRG Root X1 chain in their trust store. This change could result in certificate validation failures on these devices, potentially leading to warning messages or access problems for users visiting your website. 

 

Impact to certificates issued through Universal SSL, Advanced Certificate Manager, or SSL for SaaS: 

To prepare for the CA expiration, after May 15th, Cloudflare will no longer issue certificates from the cross-signed chain. Certificates issued before May 15th will continue to be served to clients with the cross-signed chain. Certificates issued on May 15th or after will use the ISRG Root X1 chain. Additionally, this change only impacts RSA certificates. It does not impact ECDSA certificates issued through Let’s Encrypt. ECDSA certificates will maintain the same level of compatibility that they have today.  

 

Impact to certificates uploaded through Custom Certificates: 

Certificates uploaded to Cloudflare are bundled with the certificate chain that Cloudflare finds to be the most compatible and efficient. After May 15th, 2024, all Let’s Encrypt certificates uploaded to Cloudflare will be bundled with the ISRG Root X1 chain, instead of the cross-signed chain. Certificates uploaded before May 15th will continue to use the cross-signed chain until that certificate is renewed. 

 

Important Dates

 

May 15th, 2024: Cloudflare will stop issuing certificates from the cross-signed CA chain. In addition,  Let’s Encrypt Custom Certificates uploaded after this date will be bundled with the ISRG X1 chain instead of the cross-signed chain. 

 

September 30th, 2024: The cross-signed CA chain will expire. 

 

Recommendations: 

To reduce the impact of this change, we recommend taking the following steps: 

  1. Change CAs: If your customers are making requests to your application from legacy devices and you expect that this change will impact them, then we recommend using a different certificate authority or uploading a certificate from the CA of your choice. 

  2. Monitoring: Once the change is rolled out, we recommend monitoring your support channels for any inquiries related to certificate warnings or access problems.  

  3. Update Trust Store: If you control the clients that are connecting to your application, we recommend upgrading the trust store to include the ISRG Root X1 chain to prevent impact. 

If you have any questions, we recommend that you refer to our Developer Documentation or blog post regarding this change.  If you are an Enterprise customer and have additional questions or concerns, please reach out to your Account Team.

  • Thanks 2

KegTapper

Just read that email in my inbox. Tried to see what was being said in the CF community but the website wasn't loading at the moment.


darkassassin07

While this is from Cloudflare, it's important to note this will affect all Let's Encrypt users, which is a significant portion of Emby users I'd imagine (at least those with SSL remote access).

Users will still receive Let's Encrypt certs, and the process to renew/acquire them won't change, but the number of clients that accept their certs will fall.

HTTPS error reports will rise.

Thanks for sharing

  • Agree 1

Q-Droid

Let's Encrypt already started the transition.

https://letsencrypt.org/2023/07/10/cross-sign-expiration.html

The transition will roll out as follows:

  • On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.

  • On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.

  • On Monday, September 30th, 2024, the cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.


jaycedk

My guess is that Android 7.0 and earlier, and the equivalent for any other client, will be afflicted.

Might be all out of date devices in general.

Devices = Server OS EOL and Clients EOL.

 

 


Sammy
1 hour ago, crusher11 said:

So what does all of this actually mean?

Exactly! What does it mean for me specifically?


Q-Droid

It means devices and software that can't trust the LE ISRG Root X1 cert will start complaining or fail entirely when connecting to HTTPS (TLS) URLs. 

 

  • Like 1

Happy2Play

Exactly what was posted. No different than what happened in 2021. Devices stop working due to expired root cert. But most should have transitioned to ISRG Root X1 back in 2021.

  • Like 1

Sammy

I use Namecheap for my domain name, which uses Cloudflare for DNS. Pretty sure I'm not affected.


darkassassin07

If you use Namecheap's certs, yeah, you shouldn't be affected.

Namecheap is mainly a registrar; you're not required to use their certs.

If you're not sure who your certificate authority is, you'll have to look at your cert and see who issued it to see if you'll be affected.

 

Connect to your server via browser, click the lock/info icon near the 'https://' portion of the address and view the certificate securing your connection.

 

Looking for something like:

[Screenshot of the certificate viewer in Chrome]

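Added example (not from any poster in this thread): the issuer check described above, done against the `Certificate chain` section that `openssl s_client` prints instead of the browser's lock icon. It reports whether the server sends a Let's Encrypt chain that ends at the DST Root CA X3 cross-sign or at ISRG Root X1. The sample outputs, the hostname and "Example CA" are constructed, and `R3` is assumed as the Let's Encrypt intermediate.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
#   openssl s_client -connect HOST:443 -servername HOST </dev/null
# (hostname is a placeholder; "Example CA" is made up).
LONG_CHAIN = """Certificate chain
 0 s:CN = media.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
# Same server after renewal; newer OpenSSL prints "CN=..." and extra a: lines.
SHORT_CHAIN = """Certificate chain
 0 s:CN=media.example.org
   i:C=US, O=Let's Encrypt, CN=R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
 1 s:C=US, O=Let's Encrypt, CN=R3
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""
OTHER_CA = """Certificate chain
 0 s:CN = media.example.org
   i:C = GB, O = Example CA, CN = Example RSA CA 1
"""
PAIR = re.compile(r"^ *\d+ s:(?P<subj>.*)\n +i:(?P<iss>.*)$", re.M)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m["subj"].strip(), m["iss"].strip()) for m in PAIR.finditer(text)]

def dn_field(dn, key):
    """Pull one attribute (e.g. O or CN) out of a comma-separated DN line."""
    m = re.search(rf"(?:^|,\s*){key}\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else None

def classify(text):
    chain = parse_chain(text)
    if not chain:
        return "no chain found"
    if dn_field(chain[0][1], "O") != "Let's Encrypt":
        return "not issued by Let's Encrypt"
    top = dn_field(chain[-1][1], "CN")  # issuer of the last certificate sent
    if top == "DST Root CA X3":
        return "Let's Encrypt, cross-signed chain"
    if top == "ISRG Root X1":
        return "Let's Encrypt, ISRG Root X1 chain"
    return "Let's Encrypt, other chain"
```

The chain `s_client` prints is what the server sends; the path shown behind the browser's lock icon is the one that client built from its own trust store, which can differ.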

pwhodges

For nearly everyone, even using Let's Encrypt certificates won't be an issue. The standard Let's Encrypt certificate expiry period is 90 days; they will have transitioned to no longer issuing affected certificates considerably before that. The only h/w or s/w affected will be old, because the root certificate for the new certificates has been in place for many years now. This is basically a non-story.

Paul

  • Agree 2
