Hi. I'm just a dumb user of a book reader app called Libby from Overdrive. For whatever reasons, I'm trying to keep an old Android 7.0 tablet running with their Libby app (not via browser).
I'm looking for information about the (presumably cross-signed) certificate libbyapp.com is using to see how long I have to hack the tablet to get it to accept the ISRG Root X1 cert. (And how long before my wife is crying for me to fix her beloved and irreplaceable old tablet.)
Libby's statement is that their app won't work (with Android versions that don't trust the X1 cert) after mid April this year, but it's still working in mid May.
From ssl-checker, this is what I see about the libbyapp.com server cert:
Common name: *.libbyapp.com
SANs: *.libbyapp.com, libbyapp.com
Organization: OVERDRIVE, INC., A PUBLIC BENEFIT CORPORATION
Location: Cleveland, Ohio, US
Valid from April 4, 2024 to April 4, 2025
Serial Number: 042acba2ef90cee10986daf922c5b560
Signature Algorithm: sha256WithRSAEncryption
Issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1
Since this points to the cross-signer (and the app still works!) I assume this is one of the last cross-signed certs. Does that make sense?
But I'm confused that it's valid for a year, not the 90 days I'd expect from a LE cert. Any ideas about this?
Sorry for all this. Just trying to see how much time I have left, since I haven't yet managed to get root on her dear old tablet to get it to trust the new X1 cert.
CT Logs would seem to agree; that domain has used Let's Encrypt exclusively from 2021 through earlier this year (and Digicert before 2021), but as of last month now has some certificates from Google Trust and Digicert (for different sets of names). It looks like they're at least exploring multiple CAs.
If it's just for that one device, you might be able to add ISRG Root X1 directly to its trust store somewhere in the really-advanced settings. That would allow it to continue working for connecting to systems which are still using Let's Encrypt. (Though of course, if the device isn't getting security updates, even if it's accepting the certificate that doesn't mean that the connection is actually secure.)
Thanks for the replies, guys. And special thanks to @petercooperjr for the link to CT Logs! That gives me some info to go back to Libby support and see if I can get a better answer about how long their app will work with the ancient Android 7.0 cert list!
Getting root on my wife's tablet and installing the X1 cert in the system store would fix this problem (if there still is one). Flashing a new ROM would give her something that also had much more current security updates. Under consideration.
You may not need to have root to install a CA, but you may need to have root in order to have an app trust a CA installed by the user. Starting with Android 7, apps targeting it or above default to accepting only certificates that are part of the system's store; user-installed certificates are not trusted by default. In order to get them trusted, the app would have to be configured to trust them, or the user would need to use root capabilities to move the certificate from the user's store into the system's store.
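An added example, not part of any post in this thread, that puts the practical checks from the replies above into a small shell script: which root the server's chain actually ends at (the thing a device with an old trust store cares about), how many days the leaf has left, and what file name Android expects when a root is dropped into the system store. It assumes `openssl` and GNU `date` are available, that the chain was saved with `openssl s_client -showcerts`, and that the `adb` steps at the end run against a rooted device with a writable `/system`; the host names and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes openssl and GNU date.
# Capture a server's chain first, e.g. (not run here, needs network):
#   openssl s_client -showcerts -connect libbyapp.com:443 </dev/null 2>/dev/null > chain.pem

# Issuer of the LAST certificate in a PEM bundle. For a chain sent by the
# server that is the certificate the device must already trust (or, for a
# cross-signed chain, the cross-signing root), so it answers "which root does
# this chain expect" better than looking at the leaf's issuer alone.
last_cert_issuer() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} {block[n]=block[n] $0 "\n"} END{printf "%s", block[n]}' "$1" \
        | openssl x509 -noout -issuer
}

# Whole days until the first certificate's notAfter; negative once expired.
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    end=${end#notAfter=}
    end_epoch=$(date -d "$end" +%s) || return 1
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Android names system CA files after the OpenSSL *old-style* subject hash,
# so a root must be copied to /system/etc/security/cacerts/<hash>.0.
android_cacert_name() {
    hash=$(openssl x509 -in "$1" -noout -subject_hash_old) || return 1
    printf '%s.0\n' "$hash"
}

# Manual step for a rooted device (assumption: adb root works and /system can
# be remounted read-write). Not invoked automatically; run it by hand.
install_system_ca() {
    pem="$1"
    name=$(android_cacert_name "$pem") || return 1
    adb root && adb remount || return 1
    adb push "$pem" "/system/etc/security/cacerts/$name" || return 1
    adb shell chmod 644 "/system/etc/security/cacerts/$name" || return 1
    adb reboot
}
```

Usage: `last_cert_issuer chain.pem` tells you which root the chain is built to; `days_left chain.pem` gives the leaf's remaining lifetime; `android_cacert_name isrgrootx1.pem` prints the file name the system store wants, and `install_system_ca isrgrootx1.pem` pushes it there on a rooted device. Putting the file in the system store is what makes Android 7 apps accept it; the same root installed through Settings lands in the user store, which apps targeting API 24+ ignore unless their network security config opts in.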