New Let's Encrypt Root Certificate

Since its inception, Let's Encrypt has been issuing certificates cross-signed by the IdenTrust certificate authority. The reason is that every device comes with a list of root certificates it deems trustworthy, so cross-signing was the only way to make Let's Encrypt certificates trusted by most existing devices. However, in the last couple of years, the Let's Encrypt root certificate has become widely accepted. Therefore, starting 11 January 2021, Let's Encrypt will issue certificates signed by their own root.

How will it affect my website that uses a Let's Encrypt certificate?

It means that Let's Encrypt certificates will not be considered trustworthy by older devices that do not have its root certificate, most importantly devices with Android 7.1.0 or older. Those make up one third of all Android devices.

How can I serve my website to older web clients?

Unfortunately, you cannot rely on customers to switch to a browser that uses its own root certificate bundle instead of the system one (such as Firefox). So, the only long-term solutions are to either use a commercial certificate instead of Let's Encrypt or accept that some customers will not be able to connect.