Merged
Changes from 3 commits
1 change: 1 addition & 0 deletions public/_redirects
Expand Up @@ -1008,6 +1008,7 @@
/ssl/reference/certificate-validation-options/ /ssl/concepts/#validation-level 301
/ssl/reference/cipher-suites/custom-certificates/ /ssl/edge-certificates/custom-certificates/#certificate-packs 301
/ssl/reference/cipher-suites/matching-on-origin/ /ssl/origin-configuration/cipher-suites/#match-on-origin 301
/ssl/reference/migration-guides/lets-encrypt-chain/ /ssl/reference/certificate-authorities/#lets-encrypt 301
/ssl/reference/validation-backoff-schedule/ /ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/ 301
/ssl/universal-ssl/changing-dcv-method/ /ssl/edge-certificates/changing-dcv-method/ 301
/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/edge-certificates/troubleshooting/caa-records/ 301
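Review bot: the new rule for `/ssl/reference/migration-guides/lets-encrypt-chain/` targets the fragment `#lets-encrypt` on `/ssl/reference/certificate-authorities/`, and nothing in this change shows a heading that generates that slug, so please confirm the anchor exists before merging. Old links to the guide also carried their own fragment (`#how-your-products-are-affected` is removed elsewhere in this change); fragments never reach the server, so those visitors land on the Let's Encrypt section with no per-product steps. If that guidance is still needed, the target section should cover it or link to where it now lives.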
Expand Up @@ -79,7 +79,7 @@ More details can be found on the [CAA records FAQ](/ssl/edge-certificates/troubl

As Let's Encrypt - one of the [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) used by Cloudflare - has announced changes in its [chain of trust](/ssl/concepts/#chain-of-trust), starting September 9, 2024, there may be issues with older devices trying to connect to your custom hostname certificate.

Refer to the [full migration guide](/ssl/reference/migration-guides/lets-encrypt-chain/) for details and consider the following solutions:
Consider the following solutions:

- Use the [Edit Custom Hostname](/api/operations/custom-hostname-for-a-zone-edit-custom-hostname) endpoint to set the `certificate_authority` parameter to an empty string (`""`): this sets the custom hostname certificate to "default CA", leaving the choice up to Cloudflare. Cloudflare will always attempt to issue the certificate from a more compatible CA, such as [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services), and will only fall back to using Let’s Encrypt if there is a [CAA record](/ssl/edge-certificates/caa-records/) in place that blocks Google from issuing a certificate.
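Review bot: after the change to "Consider the following solutions:", this paragraph no longer points anywhere for background on the chain change; the only remaining links go to the general CA page and the chain-of-trust concept. Suggest linking the announcement text to `/ssl/reference/certificate-authorities/#lets-encrypt`, the same target the new redirect uses, so readers can still find which clients are affected. The unchanged sentence above also still reads "starting September 9, 2024, there may be issues", while the CA reference page is reworded in this same change to say older devices "are no longer compatible"; consider aligning the tense.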

Expand Up @@ -36,7 +36,7 @@ As Let's Encrypt - one of the [certificate authorities (CAs)](/ssl/reference/cer
If you are using a Let's Encrypt certificate uploaded by yourself as a custom certificate, consider the following:

- If you use **compatible** or **modern** [bundle method](/ssl/edge-certificates/custom-certificates/bundling-methodologies/) and have uploaded your certificate before September 9, 2024, [update your custom certificate](/ssl/edge-certificates/custom-certificates/uploading/#update-an-existing-custom-certificate) so that it can be bundled with the new chain.
- If you use **user-defined** bundle method, make sure that your certificates uploaded after September 30, 2024, do not use the Let's Encrypt cross-signed chain. For details, refer to the [full migration guide](/ssl/reference/migration-guides/lets-encrypt-chain/).
- If you use **user-defined** bundle method, make sure that your certificates uploaded after September 30, 2024, do not use the Let's Encrypt cross-signed chain.

## Error codes
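Review bot: the **user-defined** bullet now tells readers not to use "the Let's Encrypt cross-signed chain" without saying how to recognise it, since the only pointer to details was the removed guide link. The footnote added to `certificate-authorities.mdx` in this change names the cross-sign (IdenTrust, DST Root CA X3); suggest naming it here as well or linking to that section, so someone assembling a bundle by hand knows which intermediate to leave out.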

5 changes: 3 additions & 2 deletions src/content/docs/ssl/reference/certificate-authorities.mdx
Expand Up @@ -57,9 +57,9 @@ This section summarizes commonly requested client support information. For the c

:::

The main determining factor for whether a platform can validate Lets Encrypt certificates is whether that platform trusts the self-signed “ISRG Root X1” certificate. As Let's Encrypt announced a change in its chain of trust for 2024, devices that only trust the cross-signed version of the “ISRG Root X1” certificate will be impacted. Refer to [Let's Encrypt chain update](/ssl/reference/migration-guides/lets-encrypt-chain/) for details.
The main determining factor for whether a platform can validate Let's Encrypt certificates is whether that platform trusts the self-signed “ISRG Root X1” certificate. As Let's Encrypt announced a [change in its chain of trust in 2024](https://blog.cloudflare.com/shortening-lets-encrypt-change-of-trust-no-impact-to-cloudflare-customers/), older devices (for example Android 7.0 and earlier) that only trust the cross-signed version of the “ISRG Root X1” are no longer compatible.

You can find the full list of supported clients in the [Let's Encrypt documentation](https://letsencrypt.org/docs/certificate-compatibility/). Older versions of Android and Java clients might not be compatible with Lets Encrypt certificates.
You can find the full list of supported clients in the [Let's Encrypt documentation](https://letsencrypt.org/docs/certificate-compatibility/). Older versions of Android and Java clients might not be compatible with Let's Encrypt certificates.

#### Other resources
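Review bot: the two reworded paragraphs now disagree in strength: the first says older devices "are no longer compatible", while the second still says older Android and Java clients "might not be compatible". Suggest making the second sentence consistent, or scoping it to the clients not covered by the Android 7.0 example. In the first paragraph, "the cross-signed version of the “ISRG Root X1”" lost the word "certificate" that the previous wording had. The blog URL here ends with a trailing slash while the footnote added later in this file uses the same URL without one; pick one form.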

Expand Down Expand Up @@ -170,3 +170,4 @@ The following table lists the CAA record content for each CA:
| Sectigo | `sectigo.com` |
| DigiCert | `digicert.com; cansignhttpexchanges=yes` |

[^1]: As the IdenTrust cross-sign (DST Root CA X3) expires on **September 30, 2024**, the self-signed ISRG Root X1 will be the only chain used for RSA certificates issued through Let's Encrypt. Refer to [Background](#background) or our [blog](https://blog.cloudflare.com/shortening-lets-encrypt-change-of-trust-no-impact-to-cloudflare-customers) for details.
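Review bot: this hunk adds the `[^1]` definition, but no hunk in the change adds a matching `[^1]` marker in the table or body text; if one does not already exist in the file, the footnote will be orphaned, so please confirm where it is referenced. The note also links to `#background`, which is not visible in this diff and should be checked against the page's headings.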

This file was deleted.

Expand Up @@ -18,7 +18,7 @@ Starting September 9, 2024, visitors that try to connect to your website using o

### Resolution

The fastest way to resolve this issue is to change your certificate to use [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) as the certificate authority. Refer to the [migration guide](/ssl/reference/migration-guides/lets-encrypt-chain/#how-your-products-are-affected) to learn how to proceed with each certificate type.
The fastest way to resolve this issue is to change your certificate to use [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) as the certificate authority.

## Outdated browsers
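Review bot: the Resolution text now says to change the certificate authority to Google Trust Services but no longer says how, because the removed link was the only pointer to per-certificate-type steps. Suggest linking to the relevant procedures instead of dropping the pointer. For custom hostnames, for example, the custom hostname page touched in this change already describes setting `certificate_authority` through the Edit Custom Hostname endpoint.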
