LetsEncrypt certificates fail on Android phones running Android 7 or older

The app using LetsEncrypt certificates fails on Android phones running Android 7 or older.
The same applications on other phones with newer Android versions are working fine.

The error received in the android application is:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

It could be that we need some additional server configuration steps to support older android versions.
We suspected the issue was because the private key algorithm being used was Elliptic Curve (EC) instead of RSA.
We updated certbot version to 2.60 and re-created certs, mentioning the Key Type as RSA, to see if it fails for older Android versions. The same behavior was seen.

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --key-type rsa --preferred-challenges dns --debug-challenges -d abc.def.ghi.com

We tried a couple of options we found online.

We passed fullchain.pem (which includes intermediate cert) instead of using cert.pem for the 'in' parameter.

sudo openssl pkcs12 -export -out /cert.pfx -inkey /etc/letsencrypt/live/abc.def.ghi.com/privkey.pem -in /etc/letsencrypt/live/abc.def.ghi.com/fullchain.pem -passout pass:

After we switched the certificates to Microsoft-App certs, older versions of Android were working fine.

Can the Let's Encrypt certificates work for Android 7 and older? What should be the procedure to get them to work?

Please read the following:

TLDR; older Android can be supported now using the "Long Chain", but you will not be able to use this chain after 2024-09-30 and must find an alternative solution before 2024-06-06.

9 Likes

Other options for legacy support include:

(Neither is available via Let's Encrypt. Both expire in 2028, but Android might not care.)

4 Likes

To elaborate on what @9peppe is suggesting, you can consider switching to a different (usually free) Certificate Authority instead of Let's Encrypt, if old Android compatibility is very important to your service. Each certificate authority will have documentation to show how to use their service. Examples you can try include ZeroSSL, Google Trust Services, BuyPass Go, SSL dot com, but you will need to test for device compatibility yourself. https://acmeclients.com/certificate-authorities/

You are correct that Key Type can also affect compatibility across devices (mainly because it then affects which cipher suites your server will use to communicate) and RSA is the most broadly supported on older devices.

3 Likes
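
To see which root a bundle depends on (the question behind the "Trust anchor for certification path not found" error and the "Long Chain" reply above), this added example, which is not from any post in the thread, lists every certificate in a PEM bundle such as fullchain.pem and reports the issuer of the last one. The function names are hypothetical, the `openssl` CLI is assumed to be installed, and the bundle is assumed to be ordered leaf first.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed
# and that the bundle is ordered leaf first, as certbot's fullchain.pem is.

# chain_list FILE: print "index<TAB>subject<TAB>issuer" for each cert in FILE.
chain_list() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one numbered file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    i=0
    for pem in "$tmpdir"/*.pem; do
        [ -f "$pem" ] || continue   # no certificates found in the bundle
        i=$((i + 1))
        subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
               sed 's/^subject= *//')
        iss=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 |
              sed 's/^issuer= *//')
        printf '%s\t%s\t%s\n' "$i" "$subj" "$iss"
    done
    rm -rf "$tmpdir"
}

# chain_top_issuer FILE: issuer DN of the last certificate in the bundle.
# This names the root the client device must already hold in its trust store
# (or the root itself, if the bundle ends with a self-signed certificate).
chain_top_issuer() {
    chain_list "$1" | tail -n 1 | cut -f 3
}

# When run with a file argument, print the whole chain.
if [ -n "${1:-}" ]; then
    chain_list "$1"
fi
```

The contents of a PFX can be checked the same way after dumping its certificates to PEM with `openssl pkcs12 -in /cert.pfx -nokeys -passin pass:` and saving the output to a file.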
