On January 11, 2021, Pantheon's certificate authority partner for Managed HTTPS, Let’s Encrypt, will start providing a certificate chain using their own root certificate by default. This change is only expected to cause compatibility issues with a very small percentage of traffic from very old clients, including Android devices older than 7.1.

To extend compatibility with older clients, Pantheon is manually overriding the default and will continue to serve the IdenTrust cross-signed intermediate until September 29, 2021, at which time Let's Encrypt's new intermediate will be served.

For customers who require support for Android devices older than 7.1 after September 29, 2021, this change will require action on your part to avoid any impact to your traffic, such as using Pantheon’s Custom Certificate, or terminating TLS outside of Pantheon.

For more information on the update from Let’s Encrypt please see their blog post: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html
Posted on Nov 10, 15:22 PST