Issue with Android App Rejecting TLS Certificates Without Root CA Chain

Hi everyone,

We’ve recently encountered an issue with TLS certificates issued by Let’s Encrypt. After the last refresh cycle, it seems that the certificates are no longer being bundled with the root Certificate Authority (CA), and only the server certificate is provided.

This change has caused our Android app to reject the connection, as it appears Android requires the root CA to be included in the chain for verification. Interestingly, this issue doesn’t affect iOS, which accepts the server certificate without the root CA.

Here’s what we’ve tried so far:

  • Temporarily appending the root certificate to the certificate secrets, which resolved the issue temporarily.

However, we are looking for a more permanent solution. Specifically:

  • Is there a recommended approach to ensure that Android apps can accept Let’s Encrypt certificates without requiring the root CA to be manually appended?
  • Are there any best practices for handling this scenario on the server-side or app-side to ensure compatibility with Android?

Any advice or guidance would be greatly appreciated!

Thanks in advance for your help.


@luisabrinkschulte, welcome to the community!

Have you appended the https://letsencrypt.org/certs/isrg-root-x1-cross-signed.txt certificate to the chain? This certificate is going to expire soon, and will not be renewed.
If you do not wish to update the trust store on old Android phones, and your application is browser based, Firefox uses its own certificate trust store. You can use that alternatively.
Another option is to use a certificate from a different CA than Let's Encrypt.


I believe LE certificates were never bundled with root CA certificates (barring the cross-signed cert, which was not the root of trust). When requesting a certificate, the ACME client is informed about any necessary intermediate CA certificates, which it should download during each renewal, since these intermediates could and will change (LE currently uses multiple intermediates randomly). And servers should not send root certificates, since this is usually pointless, as proper clients must ignore those (again barring cross-signature certs).

How are you getting and deploying certificates on your server?

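As an added, runnable illustration of the chain rules in the reply above (this is not code from the thread, from Let's Encrypt, or from any ACME client): a pure-standard-library Python check that walks a PEM bundle in the order a server would send it, the way a client does. It confirms that each certificate is issued by the next one, reports which name the client must already trust, flags a self-signed root at the top of the bundle as pointless, and flags the OP's symptom of a bare leaf with no intermediate. The sample bundles are constructed by make_fake_cert_pem: unsigned v3 skeletons with placeholder key and signature, and the names example.org, "Example Intermediate" and "Example Root" are assumptions for the demo, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed element's body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = _read_tlv(body, pos)
        out.append((tag, child))
    return out

def _cn(name_body):
    """commonName of a DER Name body, for display only; hex if there is none."""
    for _, rdn in _children(name_body):  # SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):  # SEQUENCE { type OID, value }
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == OID_CN:
                return value.decode("utf-8", "replace")
    return name_body.hex()

def parse_cert(der_bytes):
    """(subject, issuer) as raw DER Name bodies; whole Names are compared, as a
    verifier does. tbsCertificate = [version] serial sigAlg issuer validity subject ..."""
    _, cert, _ = _read_tlv(der_bytes, 0)
    fields = _children(_children(cert)[0][1])  # tbsCertificate is the first child
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return fields[4][1], fields[2][1]

def check_chain(pem_bundle):
    """Walk a PEM bundle in the order a server sends it and report problems."""
    certs = [parse_cert(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    report = {"chain": [], "problems": []}
    if not certs:
        report["problems"].append("no certificates found")
        return report
    for i, (subject, issuer) in enumerate(certs):
        report["chain"].append((_cn(subject), _cn(issuer)))
        if i and certs[i - 1][1] != subject:  # previous issuer must equal this subject
            report["problems"].append(f"cert {i} ({_cn(subject)}) did not issue cert "
                                      f"{i - 1}: intermediate missing or out of order")
    top_subject, top_issuer = certs[-1]
    report["ends_with_root"] = top_subject == top_issuer
    report["trust_anchor_needed"] = _cn(top_issuer)  # what the client must already trust
    if report["ends_with_root"]:
        report["problems"].append(f"bundle ends with self-signed root {_cn(top_subject)}: "
                                  "clients ignore it and sending it does not make it trusted")
    elif len(certs) == 1:
        report["problems"].append(f"only one certificate served; unless {_cn(top_issuer)} "
                                  "is a trust anchor on the client, the intermediate is missing")
    return report

# --- constructed sample data: unsigned certificate skeletons, NOT real certificates ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))

def make_fake_cert_pem(subject_cn, issuer_cn):
    """v3 skeleton with only the fields parse_cert reads; key and signature are empty."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))  # [0] version v3
                    + _der(0x02, b"\x01")  # serialNumber
                    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
                    + _name(issuer_cn)
                    + _der(0x30, _der(0x18, b"20240101000000Z") + _der(0x18, b"20250101000000Z"))
                    + _name(subject_cn)
                    + _der(0x30, b""))  # subjectPublicKeyInfo placeholder
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"

LEAF = make_fake_cert_pem("example.org", "Example Intermediate")
INTERMEDIATE = make_fake_cert_pem("Example Intermediate", "Example Root")
ROOT = make_fake_cert_pem("Example Root", "Example Root")
LEAF_ONLY, FULL_CHAIN = LEAF, LEAF + INTERMEDIATE  # the OP's symptom vs. what an ACME client writes
CHAIN_WITH_ROOT, WRONG_ORDER = FULL_CHAIN + ROOT, INTERMEDIATE + LEAF

if __name__ == "__main__":
    for label, bundle in [("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN),
                          ("with root", CHAIN_WITH_ROOT), ("wrong order", WRONG_ORDER)]:
        print(label, check_chain(bundle)["problems"])
```

The same check_chain works on real bundles: point it at the fullchain file an ACME client wrote, or at the certificates printed by `openssl s_client -showcerts`, and compare with what the client writes at each renewal. Note that a cross-signed root at the top of a bundle (subject "ISRG Root X1", issuer "DST Root CA X3") is not self-signed, so it is not flagged; that is exactly why appending it, rather than the self-signed root, worked for old Android trust stores.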

and soon™ is literally next week, so OP should be on fire


I'd start by upgrading the version of Android.
If you can't do that, then you might as well switch to another free CA that has a longer root expiration date.
[that is just kicking the can down the road - eventually, all those trusted root certs will expire]

