A note to heavy users of Let’s Encrypt - change affecting Android users starting January 11, 2021

Hello to all large users of Let’s Encrypt!

In April 2019 we announced that we are transitioning to our own ISRG root. Now the time is near - we are transitioning to ISRG’s root on January 11, 2021!

This will affect different providers to different degrees, depending on how many of your users and how much of your traffic are on Android versions prior to v7.1 (about 30% of Android users). If this is a significant share of your users and traffic, you may want to manually configure your servers to continue to use the cross-signature from IdenTrust in order to ensure compatibility with these Android users until September 2021.

What does this change entail?

When Let’s Encrypt’s ACME service provides a new certificate to a subscriber (i.e., your company), it also provides a copy of the intermediate cert which issued the subscriber certificate. This intermediate is then provided by the subscriber to user-agents to make validation easier. Historically, Let’s Encrypt has provided an intermediate which chains up to a widely trusted IdenTrust root to ensure easy compatibility. Now that Let’s Encrypt’s own root certificate is also widely trusted, we intend to start providing an intermediate which chains up to our own root instead. For more details, see our post here:

Who does this change affect?

You, if your user base includes users on older versions of Android. About 30% of all Android users are using Android versions before v7.1, and they will not be able to verify the validity of a certificate provided by Let’s Encrypt via this new intermediate because their trust stores have not been updated to contain Let’s Encrypt’s root.

How can I mitigate this change?

You can manually configure your servers to serve the intermediate cross-signed by IdenTrust. We are currently working with several ACME client maintainers to make this change easier within the client.

This cross-signed intermediate will be valid until September 30, 2021 at the latest. More information here: Transition to ISRG's Root delayed until Jan 11 2021

What is a way individual end users can mitigate this change?

You can point your early Android users to the Firefox mobile browser: https://www.mozilla.org/en-US/firefox/mobile/

This mobile browser uses its own root store which trusts the ISRG root cert.

We also have an up-to-date Google calendar that contains all of our API changes: https://calendar.google.com/calendar/u/0/embed?src=letsencrypt.org_caqskun93lgiabjj4ba9cb1rek@group.calendar.google.com

Like all of our API changes, we will have continued communication about this change via our community forum - please follow the “API Announcements” category: https://community.letsencrypt.org/c/api-announcements/18

Best,

JP and the Let’s Encrypt Staff

PS: We are making our certificates smaller with a new ECDSA certificate option - making it easier for you as an integrator to use our certs and hopefully saving you money as bandwidth can be a meaningful cost every month! More info here: https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

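An added example, not part of the original post or of Let's Encrypt's tooling: one way to estimate how much of your own traffic falls into the affected group (Android before v7.1, excluding Firefox, which uses its own root store) from web server access logs. It assumes combined log format with the User-Agent as the last quoted field; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36"
203.0.113.6 - - [04/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.1.1; Pixel Build/NOF26V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
203.0.113.7 - - [04/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
203.0.113.8 - - [04/Jan/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 5.1; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
203.0.113.9 - - [04/Jan/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
203.0.113.10 - - [04/Jan/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; GT-I9505 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
203.0.113.11 - - [04/Jan/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 10; SM-A505F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
203.0.113.12 - - [04/Jan/2021:10:00:08 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"
"""

UA_FIELD = re.compile(r'"([^"]*)"\s*$')            # last quoted field on the line
ANDROID = re.compile(r'Android (\d+)(?:\.(\d+))?')  # major and optional minor version
CUTOFF = (7, 1)  # per the announcement: versions before v7.1 lack the ISRG root


def classify(user_agent):
    """Bucket one User-Agent string by its exposure to the chain change."""
    m = ANDROID.search(user_agent)
    if not m:
        return "not_android"
    if "Firefox/" in user_agent:
        # Firefox for Android ships its own root store that trusts the ISRG root.
        return "android_firefox"
    version = (int(m.group(1)), int(m.group(2) or 0))
    return "android_old" if version < CUTOFF else "android_current"


def summarize(log_text):
    """Count requests per bucket; lines without a trailing quoted field are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts


def affected_share(counts):
    """Fraction of all counted requests coming from pre-7.1 Android (non-Firefox)."""
    total = sum(counts.values())
    return counts["android_old"] / total if total else 0.0


if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    print(dict(c), f"affected share: {affected_share(c):.1%}")
```

User-Agent strings are client-supplied, and API clients or apps that send no Android version in the header are not counted here, so treat the result as a lower-bound estimate.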