Amazon App Store blocks web apps encrypted with LetsEncrypt


#1

Amazon is blocking web apps that use LetsEncrypt from their Amazon App Store. :face_with_raised_eyebrow:

Amazon builds and sells Android tablets. These tablets have a custom version of Android, where apps are installed via the Amazon App Store instead of the Google Play store.

To submit an app to the Amazon App Store, developers can either submit a web app or an Android app. I went to submit my web app, only to discover Amazon doesn’t allow me to submit it, saying,

“The SSL certificate used by your web app is invalid.”

Of course, it’s not invalid; it’s a valid LetsEncrypt cert.

Amazon’s answer is,

“So at the moment Let’s Encrypt is not supported / cannot be added to the list of Amazon supported certs regrettably. You’d need to use as mentioned earlier, DigiCert, Thawte, Entrust, or Verisign, etc. Thanks!”

This has been the answer for almost 2 years now.

I’m posting here to see if we can put some pressure on Amazon to support LE. If you want this to happen, please comment on this thread, retweet this, or go through more official means. It seems to me there’s no good reason for Amazon to not support LetsEncrypt.


#2

One of the Amazon responses in that thread indicates that their security team has actively refused to add LE roots:

There are two possible root causes for this scenario (the two root causes are unrelated to each other and may coexist):

(a) Amazon does not recognize “DST Root CA X3” as a valid root CA.

(b) Misconfigured service on the developer’s side (possibly intermediate trust chains incorrect configuration).

For reference, see this article about DST Root CA X3: https://letsencrypt.org/certificates/

A long-term solution to prevent (a) from happening again is to permanently add “DST Root CA X3” to Amazon recognized certs as a valid root CA; however, this request was denied by our security team.
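The two root causes in that reply are easy to confuse, since both surface as "certificate invalid". As an added example (not code from this thread, Amazon or Let's Encrypt), the following Go program builds a constructed root, intermediate and leaf in memory and runs both cases through Go's chain verifier: a client whose trust store lacks the issuing root rejects the leaf even when the server sends a correct chain (case a), and a server that omits its intermediate fails even against a client that does trust the root (case b). The CA names and hostname are placeholders, and hostname checking is left out to keep the focus on chain building.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for cn, signed by parent; a nil parent yields a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only CAs may sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // no issuer: the certificate signs itself and becomes a root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors ignored: demo only
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain plays the client: it trusts only root, sees only what the server sent, and returns nil if the leaf chains to root.
func verifyChain(leaf, root *x509.Certificate, sent ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// Scenarios builds root -> intermediate -> leaf and reports, in order: the complete chain against a client
// trusting the root; case (b), the server omits the intermediate; case (a), the client trusts a different root.
func Scenarios() (fullChain, missingIntermediate, untrustedRoot bool) {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil)
	inter, interKey := mkCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("app.example.test", false, inter, interKey)
	other, _ := mkCert("Unrelated Root CA", true, nil, nil)
	return verifyChain(leaf, root, inter) == nil, verifyChain(leaf, root) == nil, verifyChain(leaf, other, inter) == nil
}
```

Only the first scenario verifies; the other two fail with "certificate signed by unknown authority", which is why a developer should confirm the served chain includes the intermediate before concluding the store simply lacks the root.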


#3

I think it’s good to contact Let’s Encrypt staff to seek help/advice in this matter.

@lestaff


#4

Perhaps Amazon has a deliberate policy decision not to allow free certs to be used this way (because of some experience with app-spam or with people cloning one another’s web apps or something?). If so, the Amazon people involved might feel that paying for a certificate is a moderately reliable signal that the app developer is “serious” or has invested some resources into the app’s development (although this isn’t necessarily the most reliable possible signal for this purpose).

I’d be glad to know if anybody from ISRG has previously asked Amazon about this issue.


#5

Do you work for EFF? Maybe you could put up one of those articles (complete with the ripped-off logo) to shame Amazon?


#6

Yeah, but I know – and this LE community knows! – that a LetsEncrypt cert doesn’t mean your app is trash. :slight_smile:

That’s the point of this thread - I want to change Amazon’s negative opinion about LetsEncrypt. Comment on this thread, retweet this, or talk with the Amazon security team.