Connection is not private on Android Chrome

Dear LetsEncrypt Team,

We encountered "Connection is not private" err_cert_authority_invalid on android 6.0.1 (chrome) ,
the certificate is signed by ISRG Root X1.

I read on this thread

it say we should change the intermediate certificate to signed by DST Root CA 3.
However, DST Root CA 3 would be expiring soon in 30 Sep 2021?

And in this following article

it mentioned:
Platforms that trust ISRG Root X1, include

  • Android >= 7.1.1 (but Android >= 2.3.6 will work by default [due to our special cross-sign]

If that's the case, the ssl signed by ISRG Root X1 should work on Android 6.0.1?
Please advice if there is anything we need to check or any setting we need to do?

Thank you very much

1 Like

Yes, the default Let's Encrypt chain is Leaf > R3 > ISRG Root X1 > DST Root CA 3 (expiring), this is to enable support for old android versions which don't have the ISRG Root X1 in their trust store.

It sounds like you have specifically set your preferred chain to 'ISRG Root X1' which is not what you want if you wish to remain compatible with old Android versions.

If neither solution is appropriate you can look at switching to other ACME CAs (BuyPass Go, ZeroSSL etc)

1 Like

If we modify the chain to ISRG Root X1 > DST Root CA 3 (expiring),
it will still not work after Sep 2021? :stuck_out_tongue:

Thank you.

The community forum post at Production Chain Changes explains in more detail that

This has to do with the specific behavior of Android in not enforcing validity dates for root certificates, unlike those for other kinds of certificates, which are enforced. As the article you linked to explains

This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.

(Certificates used as trust anchors is, in this context, another way of referring to root certificates.)

There is no way to guarantee that the other chain will work for every device or every client after September 30, but it should still work for most Android clients for the reasons described in these articles.


Thank you for the info.

For windows server, where i can change the ssl chain?
iam a complete idiot on this and our hosting provider does not provide much support for letsencrypt.


1 Like

That may depend on the ACME client used.
You can test your site with "SSL Labs" to see which chain is being served now.

You are most likely using either win-acme or Certify The Web to request/renew your certificate. Both these apps will default to the correct certificate chain for Android compatibility, but you may have modified the default setting to prefer 'ISRG Root X1'.

To fix this, remove the setting specifying ISRG Root X1 as your default chain, then request your certificate again. The chain itself is stored initially in the PFX file that's built, then that PFX is stored in the windows certificate store, but from there the chain actually served by windows can vary (it can build an alternative chain that it thinks is more valid).

An alternative work-around is to switch to a different CA which has a trusted root in the (old) Android store.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.