Vercel uses Let's Encrypt as its certificate authority (CA) to auto-provision TLS certificates to enable secure connections by default. When using custom domains in your Vercel app, traffic between clients and Vercel Edge Network is encrypted and protected using the provisioned certificate.
As planned, on September 30th, 2024, the current Let's Encrypt cross-signed DST Root CA X3 root certificate issued by IdenTrust will expire and no longer be available. Considering the small proportion of internet users with older devices today, Let's Encrypt has decided to officially sunset this cross-signed certificate chain. Let's Encrypt has planned this change over the past few years, under their mission of providing safe and secure communication to everyone who uses the Web. You can read more about this change in their blog post.
Schedule
Feb 8th, 2024: Vercel has stopped using the cross-signed chain. Any new certificates issued after this date, including renewed certificates, will use the shortened modern Let's Encrypt chain.
September 30th, 2024: The cross-signed certificate will expire.
Impact
After September 30th, 2024, clients must be able to trust the latest ISRG Root X1 root certificate from their trust store. Modern operating systems and browsers trust this certificate, and it should not cause any noticeable impacts on your users.
However, some older devices, such as those running Android 7.0 or earlier, may not be able to trust the new chain by default. Users of these devices will be unable to access your websites and may see security warnings in the browser.
For older Android devices (Android 7.0 or earlier), we recommend installing and using Firefox Mobile, which uses its own trust store instead of the default Android OS trust store, and therefore trusts the new shortened chain with ISRG Root X1.
For other older devices, users may need to manually install the ISRG Root X1 certificate in their local trust store. You can review and download it from https://letsencrypt.org/certificates/
Additionally, Vercel offers the ability to upload custom certificates with the Enterprise plan. If you're on the Enterprise plan, you can upload custom certificates issued by CAs other than Let's Encrypt. If you're interested in learning more about our Enterprise plan, please contact us.
FAQ
Is my domain using the latest certificate chain?
You can check your certificate chain with online tools, such as:
If the result shows that your chain includes the ISRG Root X1 root certificate issued/cross-signed by DST Root CA X3, you're still using the legacy chain.
You can also check this with the following openssl command.
If the command returns the Certificate chain section containing the ISRG Root X1 root certificate issued/cross-signed by DST Root CA X3, that means you're still using the legacy chain.
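As an added example (not part of the original announcement), the script below classifies the Certificate chain section that `openssl s_client` prints: any certificate issued by DST Root CA X3 means the legacy chain is still being served. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl s_client` output on stdin; prints legacy, modern or unknown.
classify_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }   # a bare "---" line closes the section
    in_chain && /^ *i:/  { issuers++; if ($0 ~ /DST Root CA X3/) legacy = 1 }
    END {
      if (!issuers)    print "unknown"      # no chain section seen
      else if (legacy) print "legacy"       # a certificate is issued by DST Root CA X3
      else             print "modern"
    }'
}

# Live check; needs network access and the openssl CLI.
check_domain() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    classify_chain
}

# Constructed sample output (not captured from a real server).
sample_legacy() {
cat <<'EOF'
Certificate chain
 0 s:CN = legacy.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

sample_modern() {
cat <<'EOF'
Certificate chain
 0 s:CN = modern.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

if [ -n "${1:-}" ]; then check_domain "$1"; else
  echo "legacy sample: $(sample_legacy | classify_chain)"
  echo "modern sample: $(sample_modern | classify_chain)"
fi
```

Run it with a hostname argument to check a live domain; without one it classifies the two embedded samples.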
We're using a self-hosted/third-party proxy in front of Vercel. Are we affected by this change?
If you're using a self-hosted or third-party proxy in front of Vercel, such as Nginx, a CDN, or a WAF service, your users establish HTTPS connections with your proxy, not with Vercel directly. Therefore, the change should not impact your users on older devices, as long as the certificates installed on your proxy are compatible with those devices.
You can simulate the behavior after September 30th, 2024 by visiting the following demo URL on older devices:
https://valid-isrgrootx1.letsencrypt.org