Cloudflare SSL certificates are about to switch to ISRG Root X1

2024-08-12

A short while ago I received an e-mail notification from Cloudflare saying that on 9 September 2024 they will switch all existing SSL certificates issued through Let's Encrypt to the ISRG Root X1 chain, which reduces device compatibility (mainly old Android devices, 7.1.1 and earlier).

Cloudflare recommends that users issue a new SSL certificate themselves in the CF dashboard from a different CA; the recommended CA is Google Trust Services.

Cloudflare's original e-mail

Hi, 

After September 9th, all Let’s Encrypt certificates issued through Cloudflare will start using the ISRG Root X1 chain resulting in a reduction of device compatibility. This will mainly impact connections from old Android devices (version 7.1.1 and earlier). To prevent this impact, we recommend re-issuing your advanced certificates with a different CA, such as Google Trust Services.

Impacted Domains & Next Steps 

To maintain the current level of device compatibility across all of your domains, we recommend re-issuing all advanced certificates currently using Let’s Encrypt as their certificate authority (CA) to use Google Trust Services instead. You can do this by clicking “Order Advanced Certificates” in the Edge Certificates tab in the Cloudflare dashboard and selecting Google Trust Services as your CA, or by making a POST request to the Advanced Certificates API endpoint with “google” in the certificate_authority parameter. 

Domains with Let's Encrypt certificates*:
bitestream.co, bite.dev
*displaying up to 100 domains

Total TLS 

If you are currently using Total TLS with Let’s Encrypt as the CA, we advise you to continue using Let’s Encrypt for now. Currently, switching Total TLS CAs requires disabling and re-enabling the feature, which results in the cleanup of existing TLS certificates before new ones are issued by the new CA. We are working on enabling a seamless CA switch for Total TLS that will only clean up the certificates issued from the old CA once the certificates from the new CA are successfully deployed. This functionality will be available after August 14th. We will notify all Total TLS users once it becomes available. Until then, we recommend continuing with your current CA. 

Note: Total TLS is only available to customers using Cloudflare as their DNS provider. 

Important Dates

  • September 9th, 2024: Cloudflare will rebundle all Let’s Encrypt certificates to use the ISRG Root X1 chain.
  • September 30th, 2024: The cross-signed CA chain will expire.

We previously informed customers that all Advanced certificates issued through Let’s Encrypt would experience a reduction in device compatibility after May 15th, 2024 due to the upcoming expiration of Let’s Encrypt cross-signed certificate chain. We have and will continue to serve the cross-sign chain until September 9th, 2024 to give our customers more time to prepare. 

If you have any questions, we recommend that you refer to our Developer Documentation or blog post regarding this change. 

Thank you for being a Cloudflare customer!

On this, I tested with a test domain on the CF portal and found the following pattern:

  1. If a domain has multiple SSL certificates created on the CF side, CF uses the newest certificate by default and the others are not used
  2. If a domain's newest SSL certificate was issued through Let's Encrypt, CF has already switched it to the ISRG Root X1 chain (this was rolled out before 9 September 2024)
  3. If a domain has both a 3-month certificate and a certificate valid for 1 year or longer, CF uses the 3-month certificate

Based on these observations, I ran a CA change test on the test domain: for a domain whose certificate was previously issued through Let's Encrypt and is now already on the ISRG Root X1 chain, I created a new certificate issued by Google Trust Services.

The test showed that the domain successfully switched to the new SSL certificate.

ssl Certificate View (screenshot)

Conclusion: the certificate's Subject Alternative Name confirms that it is the SSL certificate I created.

perfect
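The two steps above, ordering a Google Trust Services pack through the API path the e-mail mentions and then confirming which leaf certificate the edge really serves, as an added example that is not part of the original post and not Cloudflare's own code. The endpoint path and request fields follow the documented "Order Advanced Certificate Pack" API; the environment variable name CF_API_TOKEN, the zone id, and the sample certificate dicts are assumptions constructed for the example.

```python
"""
Added example (not from the original post, not Cloudflare's code): order a
Google Trust Services advanced certificate pack through the Cloudflare API,
then confirm from outside which leaf certificate the edge serves for a host.

Assumptions: the API token is read from the environment variable
CF_API_TOKEN (name chosen here); zone_id comes from the caller; the
SAMPLE_* dicts are constructed to mirror the shape of ssl.getpeercert().
"""
import json
import os
import socket
import ssl
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def build_gts_order(hosts, validation_method="txt", validity_days=90):
    """Body for POST /zones/{zone_id}/ssl/certificate_packs/order.

    certificate_authority="google" is what the e-mail asks for;
    "lets_encrypt" is the value being replaced.
    """
    if not hosts:
        raise ValueError("at least one hostname is required")
    if validation_method not in ("txt", "http", "email"):
        raise ValueError("unknown validation_method: %r" % validation_method)
    return {
        "type": "advanced",
        "hosts": list(hosts),
        "validation_method": validation_method,
        "validity_days": validity_days,
        "certificate_authority": "google",
        "cloudflare_branding": False,
    }


def order_gts_certificate(zone_id, hosts, token=None):
    """Send the order (network call; not exercised offline)."""
    token = token or os.environ["CF_API_TOKEN"]
    req = urllib.request.Request(
        "%s/zones/%s/ssl/certificate_packs/order" % (CF_API, zone_id),
        data=json.dumps(build_gts_order(hosts)).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_leaf_cert(hostname, port=443):
    """Return ssl.getpeercert() for the certificate served under SNI.

    The default context verifies the chain, so getpeercert() is populated;
    with verification disabled it would come back as an empty dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def describe_cert(cert):
    """Reduce a getpeercert() dict to issuer fields and DNS SANs."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = sorted(v for t, v in cert.get("subjectAltName", ()) if t == "DNS")
    return {"issuer_org": issuer.get("organizationName", ""),
            "issuer_cn": issuer.get("commonName", ""),
            "sans": sans}


def _covered(host, sans):
    """Exact SAN match, or a wildcard one label above the host."""
    if host in sans:
        return True
    return "." in host and ("*." + host.split(".", 1)[1]) in sans


def check_switch(cert, expected_hosts):
    """True only if the served leaf was issued by Google Trust Services and
    covers every expected hostname, i.e. the edge now serves the new pack
    instead of the older Let's Encrypt one."""
    info = describe_cert(cert)
    return (info["issuer_org"].startswith("Google Trust Services")
            and all(_covered(h, info["sans"]) for h in expected_hosts))


# Constructed samples in the layout ssl.getpeercert() returns.
SAMPLE_GTS = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services"),),
               (("commonName", "WE1"),)),
    "subjectAltName": (("DNS", "bite.dev"), ("DNS", "*.bite.dev")),
}
SAMPLE_LE = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "subjectAltName": (("DNS", "bite.dev"), ("DNS", "*.bite.dev")),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "bite.dev"
    live = fetch_leaf_cert(host)
    print(json.dumps(describe_cert(live), indent=2))
    print("switched to GTS:", check_switch(live, [host]))
```

Two caveats when using this. The token needs edit permission on SSL and Certificates for the zone; keep it out of the shell history and scripts, which is why it is read from the environment. And getpeercert() only exposes the leaf, which is enough to confirm the CA swap the post describes, but the 9 September change is to the chain (whether the DST Root CA X3 cross-sign is still sent), so to see what an old Android client will receive run `openssl s_client -connect bite.dev:443 -servername bite.dev -showcerts` and look at the intermediates.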
