Certificate chain names

Or, is this possible from the Let's Encrypt announcement in July 2023:

If you use Android 7.0 or earlier, you may need to take action to ensure you can still access websites secured by Let’s Encrypt certificates. We recommend installing and using Firefox Mobile, which uses its own trust store instead of the Android OS trust store, and therefore trusts ISRG Root X1.

Let's Encrypt has around 300 million active certs (stats page). People on older Android are likely to have problems with many sites. It is unlikely all site operators will be switching CAs, so using Firefox Mobile seems the broadest solution for these older devices.

4 Likes

Strange statement, since cross-signatures are how most CAs get kickstarted, and how they rotate from one root certificate to the next.

3 Likes

It's been a while since we've seen [another] one.
And not likely we'll be seeing any new one(s) anytime soon.
[few and far between]

4 Likes

Actually my problem is not related to general web browsing. I have an app that connects to a server over a REST API, and the server is secured using LE certificates. I am evaluating my options to keep the app compatible with Android 7 and older, which is what originated my post.

Btw I had a look at the stats page. I guess that the fact that the number of active FQDNs is higher than the number of active certs is due to certs supporting multiple domain names via SAN fields? And I assume that the number of "registered domains active" as opposed to FQDNs refers to "main" domains only (not including subdomains). Is this right?

Registered domains are domains as defined by the public suffix list.

https://publicsuffix.org/

4 Likes

Registered domains are domains as defined by the public suffix list.

I assume that the important bit to differentiate between "registered domains active" and "FQDNs active" is that the latter includes subdomains but the former doesn't.

I am getting a bit outside my lane but if your app only connects to your own server can you supply the CA certs used for validation in your app? Sort of like Firefox does it?

4 Likes

I am getting a bit outside my lane but if your app only connects to your own server can you supply the CA certs used for validation in your app? Sort of like Firefox does it?

Yes, that's correct -- this is actually one of the things we plan to do. But that will only work for users that update their app. I am additionally evaluating what we can do to keep things working for users that don't update their app (which is far more common than one would wish).

1 Like
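One way to do what the last two posts describe (ship the CA certificate with the app and validate against it instead of the Android system trust store), as an added example that is not from this thread, from Let's Encrypt or from the poster's app: a Java helper that builds an SSLContext trusting only the roots bundled in the APK. The class name, the asset file name isrg_root_x1.pem and the caller's Context are assumptions; the PEM file itself would be the ISRG Root X1 certificate downloaded from Let's Encrypt and stored in the app's assets.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class BundledRootTrust {

    // Builds an SSLContext whose trust anchors are ONLY the CA certificates read
    // from the given PEM stream (e.g. ISRG Root X1). The device's system trust
    // store is not consulted, so a client on Android 7 or older can validate a
    // Let's Encrypt chain even though the OS has never heard of ISRG Root X1.
    public static SSLContext fromPemStream(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Start from an empty in-memory key store (no file, no password).
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);
        // generateCertificates() accepts a file holding several PEM blocks, so a
        // replacement root can be shipped alongside the current one when the CA
        // rotates, without changing this code.
        int i = 0;
        for (Certificate root : cf.generateCertificates(pem)) {
            anchors.setCertificateEntry("bundled-root-" + i++, root);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors); // PKIX path validation against the bundled anchors only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens an HTTPS connection to the app's own REST server using the bundled
    // root. Assumes the PEM is packaged as an asset named isrg_root_x1.pem.
    public static HttpsURLConnection open(android.content.Context appContext,
                                          String url) throws Exception {
        try (InputStream pem = appContext.getAssets().open("isrg_root_x1.pem")) {
            SSLContext ctx = fromPemStream(pem);
            HttpsURLConnection conn =
                    (HttpsURLConnection) new URL(url).openConnection();
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            return conn;
        }
    }
}
```

As the thread already notes, this helps only installs that receive the updated APK; devices still running the old build keep using the OS trust store.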
