Upcoming change in Let's Encrypt Chain of Trust

Important: This change does not impact customers currently using custom certificates issued by commercial CAs and using them on Vercel via the [custom certificate](https://vercel.com/docs/projects/domains/custom-SSL-certificate) feature.

Vercel uses Let's Encrypt as its certificate authority (CA) to auto-provision TLS certificates to enable secure connections by default. When using custom domains in your Vercel app, traffic between clients and Vercel Edge Network is encrypted and protected using the auto-provisioned Let's Encrypt certificate.

As planned, on September 30th, 2024, the current Let’s Encrypt cross-sign DST Root CA X3 root certificate issued by IdenTrust will expire and no longer be available. Considering the small proportion of internet users with older devices today, Let's Encrypt has decided to officially sunset this cross-sign certificate chain. This change has been planned by Let's Encrypt over the past few years, under their mission of providing safe and secure communication to everyone who uses the Web. You can read more about this change in their blog post.

After September 30th, 2024, clients accessing your websites hosted on Vercel must be able to trust the latest ISRG Root X1 root certificate from their local trust store. Modern operating systems and browsers trust this certificate, and it should not cause any noticeable impacts on your users. However, some older devices, such as Android 7.0 or earlier, may be unable to trust the new chain by default.

You can check more details about this change and review remedy options in our public announcement on the GitHub community forum.