Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact us.

Post New Thread Reply

Register GFY Rules Calendar
Go Back   GoFuckYourself.com - Adult Webmaster Forum > >
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed.

 
Thread Tools
Old 03-20-2024, 01:09 AM   #1
Paul&John
Confirmed User
 
Paul&John's Avatar
 
Industry Role:
Join Date: Aug 2005
Location: YUROP
Posts: 8,614
Cloudflare: Upcoming Let's Encrypt certificate chain change

Hi!

Got this newsletter from Cloudflare, read it, but still don't know if anything needs to be done on my end, if I'm using them for their nameserver and letsencrypt SSL

Quote:
Hi,

We are reaching out to inform you about an upcoming change that will impact the device compatibility of Let’s Encrypt certificates issued after May 15th, 2024. We are reaching out to you because we identified that you are currently using Let’s Encrypt certificates through Universal SSL, Advanced Certificate Manager, Custom Certificates, or SSL for SaaS. We recommend that you familiarize yourself with the Let’s Encrypt change and make any necessary adjustments ahead of time.

Change Overview

Let’s Encrypt issues certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has allowed Let’s Encrypt certificates to become widely trusted, while the pure chain developed compatibility with various devices over the last 3 years, growing the number of Android devices trusting ISRG Root X1 from 66% to 93.9%.

Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.

Impact

The expiration of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 and earlier) and systems that solely rely on the cross-signed chain and lack the ISRG Root X1 chain in their trust store. This change could result in certificate validation failures on these devices, potentially leading to warning messages or access problems for users visiting your website.

Impact to certificates issued through Universal SSL, Advanced Certificate Manager, or SSL for SaaS:

To prepare for the CA expiration, after May 15th, Cloudflare will no longer issue certificates from the cross-signed chain. Certificates issued before May 15th will continue to be served to clients with the cross-signed chain. Certificates issued on May 15th or after will use the ISRG Root X1 chain. Additionally, this change only impacts RSA certificates. It does not impact ECDSA certificates issued through Let’s Encrypt. ECDSA certificates will maintain the same level of compatibility that they have today.

Impact to certificates uploaded through Custom Certificates:

Certificates uploaded to Cloudflare are bundled with the certificate chain that Cloudflare finds to be the most compatible and efficient. After May 15th, 2024, all Let’s Encrypt certificates uploaded to Cloudflare will be bundled with the ISRG Root X1 chain, instead of the cross-signed chain. Certificates uploaded before May 15th will continue to use the cross-signed chain until that certificate is renewed.

Important Dates

May 15th, 2024: Cloudflare will stop issuing certificates from the cross-signed CA chain. In addition, Let’s Encrypt Custom Certificates uploaded after this date will be bundled with the ISRG X1 chain instead of the cross-signed chain.


September 30th, 2024: The cross-signed CA chain will expire.

Recommendations:

To reduce the impact of this change, we recommend taking the following steps:

Change CAs: If your customers are making requests to your application from legacy devices and you expect that this change will impact them, then we recommend using a different certificate authority or uploading a certificate from the CA of your choice.

Monitoring: Once the change is rolled out, we recommend monitoring your support channels for any inquiries related to certificate warnings or access problems.

Update Trust Store: If you control the clients that are connecting to your application, we recommend upgrading the trust store to include the ISRG Root X1 chain to prevent impact.

If you have any questions, we recommend that you refer to our Developer Documentation or blog post regarding this change. If you are an Enterprise customer and have additional questions or concerns, please reach out to your Account Team.
Thanks
__________________
Use coupon 'pauljohn' for a $1 discount at already super cheap NameSilo!
Anal Webcams | Kinky Trans Cams Live | Hotwife XXX Tube | Get your Proxies here
Paul&John is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 03-20-2024, 02:27 AM   #2
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,229
Quote:
Originally Posted by Paul&John View Post
Hi!

Got this newsletter from Cloudflare, read it, but still don't know if anything needs to be done on my end, if I'm using them for their nameserver and letsencrypt SSL



Thanks
It basically states that your site will break on older devices for all new SSL certificates issued after May 15th. Any certificate issued before that will work until it expires (letsencrypt certificates are for 3 months). The only thing you can do to fix it is use a different SSL provider then cloudflare/letsencrypt which still uses the old chain.

If your site provides an API for others to use (IE you run a cam site with an online models feed, or some kind of tube with a feed for aggregator sites), it might break for those users trying to access it via old linux distributions like Centos 6 or something.

In practice, this will probably not have any profound effect on most people's business or traffic.
k0nr4d is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 03-20-2024, 05:23 AM   #3
Paul&John
Confirmed User
 
Paul&John's Avatar
 
Industry Role:
Join Date: Aug 2005
Location: YUROP
Posts: 8,614
Awesome, so all good. Thanks for the explanation
__________________
Use coupon 'pauljohn' for a $1 discount at already super cheap NameSilo!
Anal Webcams | Kinky Trans Cams Live | Hotwife XXX Tube | Get your Proxies here
Paul&John is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Post New Thread Reply
Go Back   GoFuckYourself.com - Adult Webmaster Forum > >

Bookmarks

Tags
chain, certificates, cross-signed, change, encrypt, let’s, certificate, impact, root, isrg, 15th, cloudflare, recommend, issued, devices, ssl, uploaded, bundled, store, custom, trust, compatibility, ecdsa, questions, application



Advertising inquiries - marketing at gfy dot com

Contact Admin - Advertise - GFY Rules - Top

©2000-, AI Media Network Inc



Powered by vBulletin
Copyright © 2000- Jelsoft Enterprises Limited.