Upcoming change in Let's Encrypt Chain of Trust

[amyegan]

Background

Vercel uses Let's Encrypt as its certificate authority (CA) to auto-provision TLS certificates to enable secure connections by default. When using custom domains in your Vercel app, traffic between clients and Vercel Edge Network is encrypted and protected using the provisioned certificate.

As planned, on September 30th, 2024, the current Let’s Encrypt cross-sign DST Root CA X3 root certificate issued by IdenTrust will expire and no longer be available. Considering the small proportion of internet users with older devices today, Let's Encrypt has decided to officially sunset this cross-sign certificate chain. This change has been planned by Let's Encrypt over the past few years, under their mission of providing safe and secure communication to everyone who uses the Web. You can read more about this change in their blog post.

Schedule

• Feb 8th, 2024: Vercel has stopped using the cross-signed chain. Any new certificates issued after this date, including renewed certificates, will use the shortened modern Let's Encrypt chain.
• September 30th, 2024: The cross-signed certificate will expire.

Impact

After September 30th, 2024, clients must be able to trust the latest ISRG Root X1 root certificate from their trust store. Modern operating systems and browsers trust this certificate, and it should not cause any noticeable impacts on your users.

However, some older devices, such as Android 7.0 or earlier, may not be able to trust the new chain by default. These devices will be unable to access your websites and may see security warnings on the browser.

You can simulate the behavior after September 30th, 2024 by visiting the following demo URL on older devices:
https://valid-isrgrootx1.letsencrypt.org

What you can do

• For older Android devices (Android 7.0 or earlier), we recommend installing and using Firefox Mobile, which uses its own trust store instead of the default Android OS trust store, and therefore trusts the new shortened chain with ISRG Root X1.
• For other older devices, users may need to manually install the ISRG Root X1 certificate in their local trust store. You can review and download it from https://letsencrypt.org/certificates/

Additionally, Vercel offers the ability to upload custom certificates with the Enterprise plan. If you're on the Enterprise plan, you can upload custom certificates with different certificate CAs other than Let's Encrypt. If you're interested in learning more about our Enterprise plan, please contact us.

FAQ

Is my domain using the latest certificate chain?

You can check your certificate chain by online tools, such as:

• https://www.sslshopper.com/ssl-checker.html
• https://www.ssllabs.com/ssltest/index.html

If the result shows your chain has the ISRG Root X1 root certificate issued/cross-signed by DST Root CA X3, that means you're still using the legacy chain.

Additionally, you can also check this by the following openssl command.

$ openssl s_client -connect cname.vercel-dns.com:443 -servername ${your_vercel_domain_name} 2>&1

If the command returns the Certificate chain section containing the ISRG Root X1 root certificate issued/cross-signed by DST Root CA X3, that means you're still using the legacy chain.

Example (using legacy chain):

$ openssl s_client -connect cname.vercel-dns.com:443 -servername ${your_vercel_domain_name} 2>&1 | grep 'CN=ISRG Root X1' -A 3 -B 1
 1 s:C=US, O=Let's Encrypt, CN=R3
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   i:O=Digital Signature Trust Co., CN=DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT

Example (using new chain):

$ openssl s_client -connect cname.vercel-dns.com:443 -servername vercel.com 2>&1 | grep 'CN=ISRG Root X1' -A 3 -B 1
 1 s:C=US, O=Let's Encrypt, CN=R3
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---

We're using self-hosted/third-party proxy in front of Vercel. Are we affected by this change?

If you're using self-hosted/third-party proxy in front of Vercel, such as Nginx, CDN, and WAF services, that means your users establish HTTPS connections with your proxy, not with Vercel directly. Therefore, the change should not impact your users using older devices, as long as you have certificates that are compatible with those older devices installed on your proxy.

Resources

• Shortening the Let's Encrypt Chain of Trust
• Android API Levels