We encountered a "Connection is not private" (err_cert_authority_invalid) error on Android 6.0.1 (Chrome); the certificate is signed by ISRG Root X1.
I read in this thread that we should change the intermediate certificate to one signed by DST Root CA X3.
However, DST Root CA X3 is expiring soon, on 30 Sep 2021?
And the following article mentions:
Platforms that trust ISRG Root X1 include
Android >= 7.1.1 (but Android >= 2.3.6 will work by default [due to our special cross-sign])
If that's the case, the SSL certificate signed by ISRG Root X1 should work on Android 6.0.1?
Please advise if there is anything we need to check or any setting we need to do.
Yes, the default Let's Encrypt chain is Leaf > R3 > ISRG Root X1 > DST Root CA X3 (expiring); this is to enable support for old Android versions which don't have ISRG Root X1 in their trust store.
It sounds like you have specifically set your preferred chain to 'ISRG Root X1' which is not what you want if you wish to remain compatible with old Android versions.
If neither solution is appropriate, you can look at switching to other ACME CAs (BuyPass Go, ZeroSSL etc.).
This has to do with the specific behavior of Android in not enforcing validity dates for root certificates, unlike those for other kinds of certificates, which are enforced. As the article you linked to explains:
This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.
(In this context, "certificates used as trust anchors" is another way of referring to root certificates.)
There is no way to guarantee that the other chain will work for every device or every client after September 30, but it should still work for most Android clients for the reasons described in these articles.
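As an added illustration (not code from this thread, from Let's Encrypt, or from any ACME client), the following Python model walks the two chains discussed above against an old and a new Android trust store. It does no real X.509 parsing or signature checking; it only models the chain walk and the one switch that matters here, whether the validator checks the trust anchor's own expiry. The DST Root CA X3 expiry date (2021-09-30) comes from the thread; every other notAfter value, the leaf name and the trust store contents are constructed placeholders.

```python
from datetime import date

# Added example: a deliberately simplified model of how a client walks a served
# certificate chain to a trust anchor. No real X.509 parsing or signature checks;
# the point is to show why the chain ending in the DST Root CA X3 cross-sign keeps
# working on old Android after 2021-09-30 while a chain that stops at ISRG Root X1
# does not. The DST Root CA X3 expiry date comes from the thread; every other
# notAfter value below is a constructed placeholder.

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

LEAF = cert("www.example.test", "R3", date(2021, 12, 1))                   # constructed
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))                          # constructed
# ISRG Root X1 as cross-signed by DST Root CA X3 (the "special cross-sign")
ISRG_X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # constructed

# Default Let's Encrypt chain: Leaf > R3 > ISRG Root X1 (cross-signed by DST Root CA X3)
DEFAULT_CHAIN = [LEAF, R3, ISRG_X1_CROSS]
# Chain served when the ACME client is told to prefer "ISRG Root X1": cross-sign omitted
ISRG_X1_CHAIN = [LEAF, R3]

# Trust stores: root subject -> that root's own notAfter (constructed except DST Root CA X3)
OLD_ANDROID_STORE = {"DST Root CA X3": date(2021, 9, 30)}                 # no ISRG Root X1
NEW_ANDROID_STORE = {"DST Root CA X3": date(2021, 9, 30), "ISRG Root X1": date(2035, 1, 1)}

BEFORE_EXPIRY = date(2021, 9, 1)
AFTER_EXPIRY = date(2021, 11, 1)


def validate(chain, store, today, enforce_anchor_expiry):
    """Walk the chain leaf-first and stop at the first issuer found in the store.

    Leaf and intermediates are always checked for expiry. The trust anchor's own
    expiry is checked only when enforce_anchor_expiry is True; that switch is the
    difference between a strict validator and Android, which skips it for anchors.
    Returns (ok, reason).
    """
    for i, c in enumerate(chain):
        if c["not_after"] < today:
            return False, f"{c['subject']} expired on {c['not_after']}"
        if i > 0 and chain[i - 1]["issuer"] != c["subject"]:
            return False, f"chain broken between {chain[i - 1]['subject']} and {c['subject']}"
        anchor = c["issuer"]
        if anchor in store:
            if enforce_anchor_expiry and store[anchor] < today:
                return False, f"trust anchor {anchor} expired on {store[anchor]}"
            return True, f"anchored at {anchor}"
    return False, f"no trust anchor for issuer {chain[-1]['issuer']}"


def compatibility_report(today):
    """Map each (chain, client) scenario from the thread to validate()'s result."""
    scenarios = {
        "default chain / Android < 7.1.1": (DEFAULT_CHAIN, OLD_ANDROID_STORE, False),
        "default chain / strict client, old store": (DEFAULT_CHAIN, OLD_ANDROID_STORE, True),
        "default chain / Android >= 7.1.1": (DEFAULT_CHAIN, NEW_ANDROID_STORE, True),
        "ISRG Root X1 chain / Android < 7.1.1": (ISRG_X1_CHAIN, OLD_ANDROID_STORE, False),
        "ISRG Root X1 chain / Android >= 7.1.1": (ISRG_X1_CHAIN, NEW_ANDROID_STORE, True),
    }
    return {name: validate(chain, store, today, strict)
            for name, (chain, store, strict) in scenarios.items()}


if __name__ == "__main__":
    for when in (BEFORE_EXPIRY, AFTER_EXPIRY):
        print(f"--- {when} ---")
        for name, (ok, reason) in compatibility_report(when).items():
            print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Running it shows the two outcomes the answers above describe: after 2021-09-30 the default chain still validates on old Android because the walk reaches DST Root CA X3 and the anchor's expiry is never checked, while the same chain fails under a strict validator that does check it; the "ISRG Root X1" chain fails on old Android regardless of date, because the walk never finds a trusted issuer. Newer clients stop at ISRG Root X1 before ever looking at the cross-sign, so the longer default chain costs them nothing.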
For Windows Server, where can I change the SSL chain?
I am a complete idiot on this and our hosting provider does not provide much support for Let's Encrypt.
You are most likely using either win-acme or Certify The Web to request/renew your certificate. Both these apps will default to the correct certificate chain for Android compatibility, but you may have modified the default setting to prefer 'ISRG Root X1'.
To fix this, remove the setting specifying ISRG Root X1 as your default chain, then request your certificate again. The chain itself is stored initially in the PFX file that's built, then that PFX is stored in the Windows certificate store, but from there the chain actually served by Windows can vary (it can build an alternative chain that it thinks is more valid).
An alternative workaround is to switch to a different CA which has a trusted root in the (old) Android store.