Upcoming 2024 changes in chain of trust of Let's Encrypt certificates which will

[senthil]

Symptoms

After Thursday, February 8th, 2024, websites hosted on Plesk servers and secured by Let's Encrypt
certificates may show the warning ERR_CERT_AUTHORITY_INVALID on devices with outdated client
operating systems, like Android 7.0 or earlier.

Cause

Due to the planned 2024 changes in the chain of trust of Let's Encrypt certificates, starting from Thursday,
February 8th, 2024, Let's Encrypt by default will stop providing certificates with the root certificate that is
cross-signed by the DST Root CA X3 certificate - see the page Shortening the Let's Encrypt Chain of Trust
for details.

This is done because the cross-sign of the Let's Encrypt root certificate ISRG Root X1 by the DST Root CA X3
which was done for the backwards compatibility reasons will expire on Monday, September 30th, 2024.

Resolution

If supporting client devices with outdated operating systems, like Android 7.0 or earlier, is considered not
important for hosted websites/customers, then no actions should be made.

If supporting such client devices is important, then below actions are recommended:

• Recommend to website visitors with affected devices to start using web browsers which use their own
  certificate trust store, for example, Firefox Mobile.
• On the Plesk server, switch affected websites to using SSL certificates which are provided by other
  certificate authorities and are trusted by affected devices.