Please read/Upcoming change: Custom domains TLS certificates are getting new root certificates

Netlify uses a service called Let’s Encrypt to automatically provide the TLS/SSL certificate for your Netlify websites that use custom domains for free. We’re proud to be doing out part to make the web more secure by partnering with Let’s Encrypt.

Let’s Encrypt is planning to make a change to their “root certificates” - changing to one called “ISRG Root X1”, from the cross-signed “DST Root X3” that they have been using up to now.

:thinking: What will happen with the change?
In short, this change will cause certain browser clients (most notably Android prior to 7.1.1) not to be able to load your website as certificates issued with this new root certificate won’t be trusted by these clients.

:timer_clock: When does the change happen?
While this change will become the default for certificates from Let’s Encrypt on January 11, 2021, Netlify is extending their support for DST Root X3 until September 2021.

:computer: What do I need to do?
Since we’re extending our support of DST Root X3 for some time, no immediate action is required by anyone at the moment. However, this change will affect our customers starting September 2021, and this will impact a number of clients with older operating systems. We’re going to communicate more about this when the switchover date gets closer. Please make sure that you follow along with these updates to ensure your site remains accessible!

You can find more details in Let’s Encrypt’s blog post about this upcoming change:

If you have questions or concerns, please let us know in the comments!

7 Likes

according to the link in the above post, the issue has been solved and older android phones will still be supported by Let’s Encrypt.

Thanks @ShadowfaxRodeo for mentioning that, you’re correct and the TLS certificates will support older Android devices at least until early 2024, when the new cross-sign expires.

1 Like