Let's Encrypt certificate switch to cause problems in 2021

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,904
Let’s Encrypt has announced that a root certificate its service uses, that was provided by IdenTrust, is set to expire on September 1, 2021. Let’s Encrypt is ready for the expiration with its own root certificate called ISRG Root X1 and it’s supported on many devices, but there is a problem.

Unfortunately, due to Android’s dire update situation, millions of devices running Android versions below 7.1.1 will not be able to connect to websites using Let’s Encrypt certificates. Not only will this affect websites you navigate to in your web browser but apps that connect to a website to pull data won’t be able to connect either.

To help mitigate the problem, Let’s Encrypt is going to make it possible to serve an alternate certificate chain that leads to the old root certificate to boost compatibility. This will be a temporary solution for site admins who, in the longer term, will be able to display a banner asking older Android users to switch to Firefox Mobile (which updates certificates independent of Android), stop supporting older Android versions, drop back to HTTP for older devices, or switch to a Certificate Authority (CA) that’s installed on older devices.

Let’s Encrypt recommends that those on older Android devices should install Firefox Mobile. As mentioned earlier, Firefox comes with its own list of trusted root certificates; this will allow sites to continue working after the old root certificate expires next year.
 

SeriousHoax

Level 37
Verified
Mar 16, 2019
2,651
I use Firefox on Android so no worries for me
like a boss deal with it GIF by Os t.toys
 
F

ForgottenSeer 85179

I don't use a lot of apps on my smartphone, but hopefully the ones I use are not using Let's Encrypt... We will see after September 1 2021 if there is a problem or not.
What's your Android version?
Because in the news you post
devices running Android versions below 7.1.1 will not be able to connect to websites using Let’s Encrypt certificates
So if you don't use this old version, nothing get bad :)
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,904
From Ghacks:
Android 7.1.1 or earlier devices will face connection issues next year:
From September 1, 2021 forward, Android devices still running Android 7.1.1 or earlier will face connection issues for a large number of sites and services.

Sites and services that implement HTTPS need to use certificates for that. A popular choice is Let's Encrypt as it is offering free certificates. The service started five years ago and has since then become used widely on the Internet.

Let's Encrypt got a cross-signature from IdenTrust when it started to ensure that its certificates were trusted right away. With the partnership in place, Let's Encrypt managed to get on a lot of devices and systems in a short period of time.

The organization started to issue its own root certificate, called ISRG Root X1, and applied to have it integrated into the certification root stores of important software platforms. The original certificate is now trusted on major software platforms.

The cross-signature root certificate will expire on September 1, 2021. Expiration means that it cannot be used anymore. While that is not a problem for systems that have received the new root certificate of Let's Encrypt, it is a major problem for systems that ran out of support earlier.

On Android, that includes all devices running Android 7.1.1 or earlier. Let's Encrypt estimates that about a third of all Android devices are on that version or earlier versions of the operating system. Good news is that two-third of devices are up to date and will not face any connectivity issues. The remaining one third on the other hand will run into connectivity issues when they try to access sites that use a Let's Encrypt certificate. The number is lower right now already as Google has stopped publishing Android platform version distribution information in September 2020.

Fragmentation is a problem on Android, especially since many manufacturer's of Android devices provide only limited support in regards to updates.

The only solution, other than buying a new Android device that is using a newer version of the operating system, is to use a browser that uses its own certificate store. Let's Encrypt recommends Firefox for Android for that, as it is the only major browser that comes with its own certificate store. Firefox for Android requires Android 5 or higher currently.

Google did reveal recently that it plans to switch from using the operating system's root store to its own in the company's Chrome web browser to get more control over certificates and ensure that the experience is identical on all platforms in regards to security and accessing sites.

Whether Chrome for Android will start using its own root store before September 2021 arrives remains to be seen though.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,904
Extending Android Device Compatibility for Let's Encrypt Certificates:
We’re happy to announce that we have developed a way for older Android devices to retain their ability to visit sites that use Let’s Encrypt certificates after our cross-signed intermediates expire. We are no longer planning any changes in January that may cause compatibility issues for Let’s Encrypt subscribers.

A recurring theme in our posts about our upcoming chain switch has been our concern over the effects on users of Android operating systems prior to 7.1.1, whose devices don’t trust our ISRG Root X1. Thanks to some innovative thinking from our community and our wonderful partners at IdenTrust, we now have a solution that allows us to maintain wide compatibility. Critical to our mission as a nonprofit is to help create a more secure and privacy-respecting Web for as many people as possible. This work brings us closer to that goal.

IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors. ISRG and IdenTrust reached out to our auditors and root programs to review this plan and ensure there weren’t any compliance concerns.

As such, we will be able to provide subscribers with a chain which contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted service to all users and avoiding the potential breakage we have been concerned about.

We will not be performing our previously-planned chain switch on January 11th, 2021. Instead, we will be switching to provide this new chain by default in late January or early February. The transition should have no impact on Let’s Encrypt subscribers, much like our switch to our R3 intermediate earlier this month.
 
Top