Certificate chain validation fails on older Android devices

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: in01.infobreez.net

I ran this command:
root@e2e-81-48:/etc/letsencrypt/archive/in01.infobreez.net# !ls
ls
cert1.pem cert2.pem chain1.pem chain2.pem fullchain1.pem fullchain2.pem privkey1.pem privkey2.pem
root@e2e-81-48:/etc/letsencrypt/archive/in01.infobreez.net# openssl x509 -in chain2.pem -text

It produced this output:
cert1.pem cert2.pem chain1.pem chain2.pem fullchain1.pem fullchain2.pem privkey1.pem privkey2.pem

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: VPS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Issue:
My certificate was renewed on Mar 15 12:17 (yesterday). After this, some of the devices running older versions of Android are not able to connect to the server using SSL.

The error shown is "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found".

I found this topic, which could be related: Let's Encrypt's Root Certificate is expiring!

  1. But why did this happen now?
  2. How can this problem be solved in a backward-compatible way (it is not possible to update the device OS to later versions)?

Please advise.

Please see this announcement: Shortening the Let's Encrypt Chain of Trust - Let's Encrypt


What is the recommended way to get OLD devices to work? OS Upgrade is not possible. Does installing the new chain.pem file as user certificate solve the issue for affected devices?

You can request the old longer chain with that version of Certbot adding this option to your cert request command: --preferred-chain "DST Root CA X3"

But this is only temporary, as that longer chain will no longer be available starting June 6, 2024, as noted in the blog linked earlier.

Longer term you have several options. One recommended in that blog is to use Firefox instead of Chrome. Firefox works with the shorter chain.

You could also look to use a different Certificate Authority but you need to check the needed compatibility.

See this thread for a similar discussion.


Yes, installing ISRG Root X1 in the devices' trust store will allow them to continue working. We don't generally recommend this approach because a) it is temporary (in 10 years they'll need to do the same thing again), and b) most site operators don't have that level of control over the devices which contact their site.

But if you have control over the old android devices, then yes, adding ISRG Root X1 (and ISRG Root X2, preferably) to their trust store will work.

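The two replies above (serve the longer, cross-signed chain with --preferred-chain, or put ISRG Root X1 into the device's trust store) are two sides of the same mechanism: a path is only valid if it ends at a root the client already holds, and the server can never supply that anchor itself. The script below is an added example that is not code from the thread or from Let's Encrypt; it models the situation with throwaway certificates built by openssl. Every name in it is made up (Toy Root plays ISRG Root X1, Old Root plays DST Root CA X3, Toy Intermediate plays R3, in01.example.test is the server), and it assumes a POSIX shell with openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Let's Encrypt: a toy model of the
# chain change, built with openssl. Every name here is made up:
#   Toy Root          stands in for ISRG Root X1 (only newer devices trust it)
#   Old Root          stands in for DST Root CA X3 (what old Android devices trust)
#   Toy Root cross-signed by Old Root stands in for the ISRG Root X1 cross-sign
#   Toy Intermediate  stands in for R3
#   in01.example.test is the server name on the leaf
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:in01.example.test\n' > "$WORK/leaf.ext"

csr() {  # csr NAME SUBJECT: fresh 2048-bit RSA key and a CSR for SUBJECT
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}
selfsign() {  # selfsign NAME CN: a self-signed CA certificate (a trust anchor)
  csr "$1" "/CN=$2"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue() {  # issue CSRNAME CANAME EXTFILE OUTNAME: sign a CSR with CANAME's key
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/$3" -out "$WORK/$4.pem" >/dev/null 2>&1
}

selfsign root "Toy Root"
selfsign oldroot "Old Root"
csr int "/CN=Toy Intermediate";   issue int root ca.ext int
csr leaf "/CN=in01.example.test"; issue leaf int leaf.ext leaf
# Cross-sign: a CSR for Toy Root's own key and name, issued under Old Root.
openssl req -new -key "$WORK/root.key" -config "$WORK/req.cnf" \
  -subj "/CN=Toy Root" -out "$WORK/cross.csr" >/dev/null 2>&1
issue cross oldroot ca.ext cross

# What the server sends, in certbot's fullchain.pem layout (leaf first):
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain-short.pem"
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/cross.pem" > "$WORK/fullchain-long.pem"

chain_length() {  # number of certificates in a PEM bundle
  grep -c 'BEGIN CERTIFICATE' "$1"
}
list_chain() {  # subject and issuer of EVERY cert in a bundle, in served order
  d="$(mktemp -d)"  # openssl x509 -in decodes only the first PEM block, so split first
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} {print > (d "/c" n ".pem")}' "$1"
  i=1
  while [ -f "$d/c$i.pem" ]; do
    openssl x509 -in "$d/c$i.pem" -noout -subject -issuer
    i=$((i + 1))
  done
  rm -rf "$d"
}
verify_with_store() {  # verify_with_store STORE FULLCHAIN: 0 if a client that trusts
  # only STORE can build a path for the served bundle, 1 otherwise. -no-CAfile and
  # -no-CApath keep the system trust store out of the picture (OpenSSL 3 can add
  # -no-CAstore). The failure, "unable to get local issuer certificate", is
  # openssl's counterpart of Android's "Trust anchor for certification path not found".
  leaf="$(mktemp)"
  openssl x509 -in "$2" -out "$leaf"   # first cert of the bundle = end-entity cert
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$leaf"
  return $rc
}

show() {  # show LABEL STORE FULLCHAIN
  if verify_with_store "$2" "$3"; then s=OK; else s="FAIL (no trust anchor)"; fi
  echo "$1: $(chain_length "$3") certs served -> $s"
}
show "new device, short chain" "$WORK/root.pem"    "$WORK/fullchain-short.pem"
show "old device, short chain" "$WORK/oldroot.pem" "$WORK/fullchain-short.pem"
show "old device, long chain " "$WORK/oldroot.pem" "$WORK/fullchain-long.pem"
show "new device, long chain " "$WORK/root.pem"    "$WORK/fullchain-long.pem"
list_chain "$WORK/fullchain-long.pem"
```

The old device only succeeds with the long chain, because the cross-signed copy of Toy Root lets it walk up to Old Root; the new device succeeds with either, since OpenSSL 1.1.0 and later prefer an anchor already in the store over a longer untrusted path. Two checks carry over to the real case: `openssl x509 -in chain2.pem -text`, as run in the question, shows only the first certificate in the file (R3), so split the bundle or use `openssl s_client -connect in01.infobreez.net:443 -servername in01.infobreez.net -showcerts` to see every certificate the server actually sends; and an Android device that lacks ISRG Root X1 will fail on the short chain no matter what the server does, which is why the only server-side fix is to serve the longer chain while it is still issued.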

Then your best move is to buy new devices, as these old OSes are full of vulnerabilities, some of which are remotely exploitable, unless explicitly patched by the device's vendor.

