Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers

Let's Encrypt, a public certificate authority (CA), has been using two distinct certificate chains since its launch. One chain is cross-signed with IdenTrust, a globally trusted CA, and the other is Let’s Encrypt’s own root CA, ISRG Root X1. On September 30, 2024, Let’s Encrypt’s certificate chain cross-signed with IdenTrust will expire. To prepare for this change, on May 15, 2024, Cloudflare will stop issuing certificates from the cross-signed chain and will instead use Let’s Encrypt’s ISRG Root X1 chain for all future Let’s Encrypt certificates. This change may impact legacy devices and systems that exclusively rely on the cross-signed chain and lack the ISRG X1 root in their trust store, potentially causing TLS errors or warnings when accessing domains secured by a Let’s Encrypt certificate. Cloudflare recommends updating the trust store to include the ISRG Root X1 for those concerned about the change impacting clients.