QuestionUpcoming 2024 changes in chain of trust of Let's Encrypt certificates which will affect opening websites hosted on Plesk servers on outdated devices
Symptoms
After
Thursday, February 8th, 2024, websites hosted on Plesk servers and secured by Let's Encrypt certificates may show the warning ERR_CERT_AUTHORITY_INVALID on devices with outdated client operating systems, like Android 7.0 or earlier.
Cause
Due to the planned 2024 changes in the chain of trust of Let's Encrypt certificates, starting from
Thursday, February 8th, 2024, Let's Encrypt by default will stop providing certificates with the root certificate that is cross-signed by the DST Root CA X3 certificate - see the page Shortening the Let's Encrypt Chain of Trust for details.
This is done because the cross-sign of the Let's Encrypt root certificate ISRG Root X1 by the DST Root CA X3 which was done for the backwards compatibility reasons will expire on
Monday, September 30th, 2024.
Resolution
If supporting client devices with outdated operating systems, like Android 7.0 or earlier, is considered not important for hosted websites/customers, then no actions should be made.
If supporting such client devices is important, then below actions are recommended:
- Recommend to website visitors with affected devices to start using web browsers which use their own certificate trust store, for example, Firefox Mobile.
- On the Plesk server, switch affected websites to using SSL certificates which are provided by other certificate authorities and are trusted by affected devices.