Special Service Guide Update for July 28, 2021

As a correction to our previous announcement regarding expected changes in Let’s Encrypt TLS certificates and, due to changes the certification authority (CA) has decided to implement, Fastly has decided to adopt the solution suggested by Let's Encrypt regarding support for Android devices older than Android 7.1. This solution requires no action by you to avoid impacting your traffic. For customers using OpenSSL versions prior to 1.1, however, additional actions will be required by Let's Encrypt.

On May 4th, 2021, Let's Encrypt began issuing certificates with a trust chain that includes its ISRG Root X1 certificate cross-signed by IdenTrust's DST Root CA X3 certificate. On September 30th, 2021, the DST Root CA X3 certificate will expire. Most devices trust the ISRG Root X1 certificate directly and will be unaffected by this expiration. This certificate chain allows us to extend the compatibility for Android devices supporting versions prior to 7.1.1 for an additional three (3) years.

For customers who require support for Android devices older than Android 7.1 and who provide their own Let’s Encrypt certificates with our Platform TLS, Legacy Customer-Provided TLS Certificate Hosting Service, or Fastly TLS products, the change to Let's Encrypt's certificate chain will not require action on your part to avoid any impact on your traffic.

For customers using OpenSSL versions prior to 1.1, this certificate expiration will reject the Android-compatible chain, regardless of whether you have ISRG Root X1 in their trust store.

For more information on Let's Encrypt's certificate changes, their expiration, and actions you may need to take, refer to their posted details on the subject:

For general questions about this announcement, contact our customer support team at fastlytlsupdates@fastly.com.


Our documentation archive contains PDF snapshots of docs.fastly.com site content as of the above date. Previous updates can be found in the archive as well.