LetsEncrypt cross-signed CA chain expiry

1. The problem I’m having:

I recently read that LetsEncrypt will stop supporting cross-signed CA chain, which may cause compatibility issues with older devices after September 30th, 2024.

See:

This could potentially affect our Caddy hosted domains, and wondering if anything needs to be done to prevent potential issues?

2. Error messages and/or full log output:

N/A

3. Caddy version:

All

4. How I installed and ran Caddy:

We run on a set of VMs, but not applicable to my question.

a. System environment:

Linux

b. Command:

N/A

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

N/A

5. Links to relevant resources:

1 Like

Best suggestion is to get all clients to modern clients that have the ISRG Root X1 and ISRG Root X2 self-signed root certificates in their trusts. :slight_smile:

3 Likes

It depends a fair bit on your own posture with respect to service level and client base.

Personally: I intend to do absolutely nothing about my setups. If anyone complains to me about it, I might help them figure out how to get their hands on a device newer than… checks notes 2016, I think, was Android 7?

But my approach isn’t necessarily appropriate to an organisation that needs to ensure a certain level of availability for old clients.

The recommendations on the Cloudflare docs you posted seem to be very reasonable. For the “Change certificate authority” suggestion, Caddy allows you to do this with tls { issuer <provider> }, see: tls (Caddyfile directive) — Caddy Documentation, or the global option acme_ca <url>, see: Global options (Caddyfile) — Caddy Documentation. The other recommendations are not related to Caddy itself.

3 Likes

From here Android version history - Wikipedia it looks like Android versions presently below version 12 are no longer being maintained; I read that to be a security risk.

1 Like

Also, before I retired, my employers would not let employees use older clients to connect to the organization’s resources. Thus there was not organizational need to ensure a certain level of availability for older clients. Is your situation different?

1 Like

Here is a ACME CA Comparison - Posh-ACME of Free (or can be) Certificate Authorities with ACME support.
The IETF-standardized ACME protocol, RFC 8555.

Since that comparison ZeroSSL acquired by HID

1 Like

We have a very broad public user base, so not quite sure if we need to actively do anything with Caddy either at this point.

Since it is a public widely used site, it is not practical for us to ask users to upgrade certificates, so that does leave us with potentially adjusting Caddy/LetsEncrypt settings as an option.

My take is that we should have older certificates cycled out based on LetsEncrypt themselves phasing the cross-signed certificates out, if i am understanding thing correctly (maybe I am not).

With that said, not sure we actively need to switch anything in Caddy itself, but suppose we could to be extra safe.

I doubt it will impact many users in the real world, but for sure will affect a subset of our users and ideally want to prevent issues for them.

Yeah, you don’t have to do anything. The certs will expire naturally and Caddy will renew with whatever chain is available afterwards.

2 Likes