How long will Libby/Overdrive cert work?

Hi. I'm just a dumb user of a book reader app called Libby from Overdrive. For whatever reasons, I'm trying to keep an old Android 7.0 tablet running with their Libby app (not via browser).

I'm looking for information about the (presumably cross-signed) certificate libbyapp.com is using to see how long I have to hack the tablet to get it to accept the ISRG Root X1 cert. (And how long before my wife is crying for me to fix her beloved and irreplaceable old tablet.)

Libby's statement is that their app won't work (with Android versions that don't trust the X1 cert) after mid April this year, but it's still working in mid May.

From ssl-checker, this is what I see about the libbyapp.com server cert:

Common name: *.libbyapp.com
SANs: *.libbyapp.com, libbyapp.com
Organization: OVERDRIVE, INC., A PUBLIC BENEFIT CORPORATION
Location: Cleveland, Ohio, US
Valid from April 4, 2024 to April 4, 2025
Serial Number: 042acba2ef90cee10986daf922c5b560
Signature Algorithm: sha256WithRSAEncryption
Issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1

Since this points to the cross-signer (and the app still works!) I assume this is one of the last cross-signed certs. Does that make sense?

But I'm confused that it's valid for a year, not the 90 days I'd expect from a LE cert. Any ideas about this?

Does that extra-long validity mean it will continue to work until the DigiCert G2 expires Sept 30 2024 as indicated on the LE 'Shortening the Let's Encrypt Chain of Trust - Let's Encrypt' page?

Sorry for all this. Just trying to see how much time I have left, since I haven't yet managed to get root on her dear old tablet to get it to trust the new X1 cert.

Thanks for your help!

Jim

1 Like

That's not a Let's Encrypt certificate.

Let's Encrypt only issues DV certificates, and that's either an OV or EV certificate, as it has something meaningful as "Organization".

6 Likes

I agree with Giuseppe: I'm not seeing any link with Let's Encrypt in the information you've provided.

The to-be-phased-out cross-signed intermediate was signed by DST Root CA X3 and there's no other cross-sign.

4 Likes

It could be that the owners of libbyapp.com decided to purchase a new DigiCert certificate that is more compatible with the old Android versions.

5 Likes

CT Logs would seem to agree; that domain has used Let's Encrypt exclusively from 2021 through earlier this year (and DigiCert before 2021), but as of last month now has some certificates from Google Trust and DigiCert (for different sets of names). It looks like they're at least exploring multiple CAs.

If it's just for that one device, you might be able to add ISRG Root X1 directly to its trust store somewhere in the really-advanced settings. That would allow it to continue working for connecting to systems which are still using Let's Encrypt. (Though of course, if the device isn't getting security updates, even if it's accepting the certificate that doesn't mean that the connection is actually secure.)

6 Likes

Thanks for the replies, guys. And special thanks to @petercooperjr for the link to CT Logs! That gives me some info to go back to Libby support and see if I can get a better answer about how long their app will work with the ancient Android 7.0 cert list!

Getting root on my wife's tablet and installing the X1 cert in the system store would fix this problem (if there still is one). Flashing a new ROM would give her something that also had much more current security updates. Under consideration.

Thanks again!

3 Likes

You don’t need to root Android 7 devices to install CAs.

4 Likes

You may not need to have root to install a CA, but you may need to have root in order to have an app trust a CA installed by the user. Starting with Android 7, apps targeting it or above default to only accepting certificates that are part of the system's store; user-installed certificates are not trusted by default. In order to get them trusted, the app would have to be configured to trust them, or the user would need to use root capabilities to move it from the user's store into the system's store.

2 Likes
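
The app-side configuration the last reply refers to, as an added example that is not part of the thread and not taken from Libby or OverDrive: an Android Network Security Configuration file, which only the app's developer can ship. The domain `example.com` and the raw resource name `extra_root_ca` are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml with:
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Equivalent to the default for apps targeting API 24 and above:
         only CAs in the system store are trusted, user-installed CAs are ignored. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Explicit opt-in for one domain (placeholder name). -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <!-- CAs the user installed through Settings. -->
            <certificates src="user" />
            <!-- A CA certificate bundled in the app as res/raw/extra_root_ca
                 (hypothetical resource name), trusted regardless of what the
                 device's system store contains. -->
            <certificates src="@raw/extra_root_ca" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

Without an opt-in like the `domain-config` above in the app itself, a CA added through Settings on Android 7 is not used by that app for certificate validation.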
