[help] Which certificates to install on Android 4.4

I went to the certificates page

  1. ISRG Root X1
    • installed: pem
    • successfully tested: host
  2. ISRG Root X2
    • installed: pem
    • successfully tested: host

However, the following hosts (given as examples) still fail:

  1. letsencrypt.org
  2. render.com

When I inspect the certificate chain for these failing hosts in a desktop browser, they appear identical to the X1 test site (using the R3 intermediate certificate). I'd like to understand what I need to do to make these work, as well.

Even more odd, the tests that fail are run by this sample app, which performs a simple GET request using URL.openConnection() in Java. However, these URLs do load in a WebView.. which, I believe, uses the same central key store.

Ultimately, I'd like to get these failing hosts to work in this sample app.. because a fix here will be applied to other/larger apps that are displaying the same networking behavior.

Please.. no trolls.. telling me that Android 4.x is too old. I always like my apps to support as many devices as possible. This should not only be possible, but it should be simple.. I just feel that I'm missing something obvious.

Thanks.

Others may wish to comment in more detail. But, I think you should review the below two topics to better understand the Let's Encrypt support for older Android and upcoming changes in that regard.

DST Root CA X3 Expiration (Sept 2021)

Pay special attention to this section and related links in that page

DST Root CA X3 will expire on September 30, 2021. That means those older devices that don’t trust ISRG Root X1 will start getting certificate warnings when visiting sites that use Let’s Encrypt certificates. There’s one important exception: older Android devices that don’t trust ISRG Root X1 will continue to work with Let’s Encrypt, thanks to a special cross-sign from DST Root CA X3 that extends past that root’s expiration. This exception only works for Android.

The DST cross-sign is expiring this year. The below topic explains this

2 Likes

Thanks for the reply. My understanding is that any cross-signed solution has either already expired or is bound to expire in the near future. Are you suggesting that installing the self-signed root X1 and X2 is not a viable path forward? It seems to work fine on my 4.4 test device.. with the caveats described.. that I'm attempting to fix.

1 Like

Another quick observation that I find confusing.. is that unless I'm going blind.. I don't see either of the X1 or X2 root certificates included in the current Android source code repo. I assume they would be included in modern Android.. but where are they?

update: never mind.. my search query was wrong.. they are included ( X1 and X2 )

update: since I'm rooted and I don't really care about this device.. here is a test that I just did:

  • removed all user-added certificates
    • which allowed me to remove the lock screen PIN
  • mounted /system for read/write
  • backed up the contents of the directory: /etc/security/cacerts
  • deleted all root certs in this directory
  • copied all of the root certs in the Android source code repo into this directory
  • changed their file permissions to: 0644
  • Settings > Security > Trusted credentials
    • success.. all of the new root certs are recognized
  • repeated the previous test URLs

Maybe because the ones that fail are ECDSA certs and the others are RSA certs?

2 Likes

I think you're probably right. That last test.. where gitlab works (X2) but letsencrypt fails (X1) indicates that this is the problem. But.. the part that's confusing is.. why would the X1 test page work on this device?

update: I just checked the certificates page again to confirm.. but our assertion is wrong.. turns out that:

  • X1 is: RSA 4096
  • X2 is: ECDSA P-384

I was talking about the leaf not the root

3 Likes

IIRC that version only does ECDH with servers with an ECDSA cert.
As normal DH is mostly deprecated (because of Logjam or so), if the server is using an RSA cert without a static cipher it will fail.
This is from my hat so may not be right.

3 Likes

Hi @wb407,
I just installed these two Root Certificates
ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) * Self-signed: der, pem, txt
and
ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) * Self-signed: der, pem, txt

On my Verizon Motorola DROID MAXX

  • Android version 4.4.4
  • System version 24.21.7.obake-maxx0_verizon.Verizon.en.US
  • Android security patch level 2016-04-01
  • Kernel version 3.4.42-g2730d20 hudsoncom@ilclbld35 #1 Sat Apr 16 01:02:35 CDT 2016
  • Build date: Sat Apr 16 00:51:01 CDT 2016
  • Build number: SU6-7.7

And these all work fine from Android version 4.4.4 Chrome 37.0.2062.117

1 Like

Hi @Bruce5051 ,
I appreciate your taking the time to test this yourself.
The issue that I described didn't seem to affect WebView (or Chrome) web browsers,
which was a mystery.. and I've since found a few obscure discussions on this topic,
which can all be summarized here.

Long-story-short..
WebView (and Chrome) somehow support more cipher suites than the native Android OS.
SSL Labs only reports which ciphers WebView supports, which is a bit deceptive (imho).
In any case, the hosts that I list which fail tests with v2.x will now pass with v3.x..
because v3.0 includes Conscrypt v2.5.2,
which adds support for many modern cipher suites that Android 4.x does not natively support.

It would be nice if this wasn't necessary,
but it's a very reasonable compromise to guarantee support for older devices.

Since this is a forum about Let's Encrypt and its certificates,
I'll conclude/close this thread.. because the issue wasn't caused by the certificates,
but rather an issue with hosts requiring a limited set of cipher suites..
that older devices don't directly support.

2 Likes
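To make the conclusion above concrete (a stock Android 4.x HttpsURLConnection only offers the platform's older cipher suites, and ships with TLS 1.1/1.2 disabled by default, whereas Conscrypt supplies modern suites), here is an added Java example. It is not code from the thread or from the poster's sample app. It assumes the conscrypt-android 2.5.2 artifact mentioned above is on the classpath, that the platform trust store (which on the poster's device now contains ISRG Root X1 and X2) is used for chain validation, and the class and method names (TlsCompat, TlsCompatSocketFactory, installConscrypt, fetch) are my own.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.conscrypt.Conscrypt;

/**
 * Added example, not the thread's own code. Routes HttpsURLConnection through
 * Conscrypt so that ECDHE / AES-GCM / ChaCha20 suites and TLS 1.2+ are available
 * on an Android 4.x device, while certificate validation still uses the system
 * trust store. Assumes org.conscrypt:conscrypt-android:2.5.2 on the classpath.
 */
public final class TlsCompat {

    /** Wraps a delegate factory and enables TLS 1.2+ on every socket it creates. */
    static final class TlsCompatSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;

        TlsCompatSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        private Socket enableModernProtocols(Socket s) {
            if (s instanceof SSLSocket) {
                SSLSocket ssl = (SSLSocket) s;
                // Prefer TLS 1.2/1.3 only; fall back to any TLS version the provider
                // supports (never SSLv3) if neither is available.
                List<String> modern = new ArrayList<>();
                List<String> anyTls = new ArrayList<>();
                for (String p : ssl.getSupportedProtocols()) {
                    if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) modern.add(p);
                    if (p.startsWith("TLSv1")) anyTls.add(p);
                }
                List<String> chosen = modern.isEmpty() ? anyTls : modern;
                ssl.setEnabledProtocols(chosen.toArray(new String[0]));
            }
            return s;
        }

        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return enableModernProtocols(delegate.createSocket(s, host, port, autoClose));
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return enableModernProtocols(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
            return enableModernProtocols(delegate.createSocket(host, port, localHost, localPort));
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return enableModernProtocols(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
            return enableModernProtocols(delegate.createSocket(addr, port, localAddr, localPort));
        }
    }

    /** Call once at app start (e.g. Application.onCreate), before any HTTPS connection. */
    public static void installConscrypt() throws Exception {
        // Put Conscrypt ahead of the platform's bundled provider so SSLContext resolves to it.
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
        // null key/trust managers: no client cert, platform trust store for server validation.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(new TlsCompatSocketFactory(ctx.getSocketFactory()));
    }

    /** Same simple GET as the sample app: URL.openConnection(), returns the HTTP status. */
    public static int fetch(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("GET");
        c.setConnectTimeout(10_000);
        c.setReadTimeout(10_000);
        try {
            return c.getResponseCode();
        } finally {
            c.disconnect();
        }
    }
}
```

With installConscrypt() called first, a host that only accepts ECDHE/AES-GCM suites over TLS 1.2 is reachable from the same URL.openConnection() call that previously failed; a remaining javax.net.ssl.SSLHandshakeException at that point indicates a trust-store problem (missing root) rather than a cipher-suite mismatch.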

Yeah, and with more and more servers dropping TLSv1.0, it will become that much more difficult to connect via the native/default Android 4.x systems.

2 Likes
