Certificate working on Android SDK 30 but not on SDK 24

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mps.colourworker.com

I ran this command: sudo certbot certonly --dns-route53 -d mps.colourworker.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


An RSA certificate named mps.colourworker.com already exists. Do you want to
update its key type to ECDSA?


(U)pdate key type/(K)eep existing key type: K
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mps.colourworker.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for mps.colourworker.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mps.colourworker.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mps.colourworker.com/privkey.pem
This certificate expires on 2024-07-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


If you like Certbot, please consider supporting our work by:


My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

I recently updated the certificate for mps.colourworker.com using certbot, and at about the same time our app running on versions of Android around SDK 24 started failing with "javax.net.ssl.SSLHandshakeException: Handshake failed". However, the app running on SDK 30 works perfectly.

Kind regards,
Miguel

It's not really the SDK version, but those old Android versions do not have an updated trust store: see Shortening the Let's Encrypt Chain of Trust - #7 by JamesLE

4 Likes

Yes, SDK API Level 24 corresponds to Android 7. Devices running SDK API Level 25.0.1 (Android 7.1.1) onward should be OK.

If you need to support older Android versions you may need to use an alternative CA with a root that's present in the trust store of your target devices. You will need to research which CAs satisfy that requirement.

4 Likes
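Added example, not part of any post in this thread: a shell check that lists the certificates in a served chain file and names the issuer of the last one, which is the root a client must already hold in its trust store. The function names and the constructed test chain are assumptions made for illustration; only the `openssl` CLI is required.

```shell
#!/bin/sh
# Added example: find which root a PEM chain depends on, so it can be compared
# with the trust store of the oldest devices you need to support.

# Print the subject= and issuer= line of every certificate in the file, in order.
chain_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        grep -E '^(subject|issuer)='
}

# Print the CN of the issuer of the LAST certificate in the file. A fullchain.pem
# normally holds leaf + intermediate(s) and omits the root, so this is the root
# the client has to trust for the handshake to succeed.
required_root() {
    chain_names "$1" | grep '^issuer=' | tail -n 1 |
        sed -E 's|.*CN ?= ?([^,/]+).*|\1|'
}

# Constructed sample: a throwaway CA and one leaf, written to $1/fullchain.pem.
# The names "Constructed Root" and "leaf.example" are made up for the demo.
make_sample_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Root' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.example' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" > "$d/fullchain.pem"
}

# Stand-alone use: sh chain_root.sh /path/to/fullchain.pem
if [ -n "${1:-}" ]; then
    chain_names "$1"
    echo "Root needed in client trust store: $(required_root "$1")"
fi
```

Run it against /etc/letsencrypt/live/mps.colourworker.com/fullchain.pem and check whether the reported root is present on the Android versions the app must support.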
