I use certbot to generate my letsencrypt certificates.
I have an issue that started recently and I'm not sure what is the cause.
I'm not an expert in certificates and it took me 3 days to figure this out.
My customers are running old Android devices with S5 on them.
These old phones require a certificate authority to be present in the chain.
When generating my certificate with Certbot I now do not receive the 3rd certificate. I'm not sure exactly what each part of the chain is, but certbot or letsencrypt is not giving me the certificate I need to run those old devices. After adding the 3rd certificate manually I was able to get my domain working again.
For some reason certbot or letsencrypt used to give 3 certificates in the fullchain.pem and 2 certificates in the chain.pem. Now the chain.pem has only 1 certificate and the fullchain.pem has 2 certificates.
Once I figured out the third was missing I copied the third certificate from another server for which the certificate had not been renewed with certbot yet. Once I added the third certificate everything started working.
What are the 3 certificates in the fullchain.pem?
Why is the last certificate not provided anymore when requesting a new certificate with letsencrypt?
From what I'm reading it is the "intermediate certificate (provided by Let's Encrypt)" that I'm missing.
And now each time I'm generating a new certificate the intermediate certificate is not generated in the file anymore.
What happens if I still need to provide support to older devices?
If I use another provider than letsencrypt for that SSL certificate, will they provide me with all the certificates I need?
Or does this mean it's really the end of life of all those older devices?
You can temporarily continue to support those devices by requesting the alternate chain (configuring certbot with --preferred-chain "DST Root CA X3"). This will stop working on June 6th, 2024.
If you have a lot of control over your customers' Android devices (e.g. if you have them enrolled in an enterprise environment) you might be able to install ISRG Root X1 in the trust store. This seems unlikely, but is worth mentioning.
If you have less control over your customers' Android devices (e.g. you can communicate with your customers and encourage them to do something), you can try to convince them to install and use Firefox Mobile. That browser uses its own trust store, rather than using the device trust store, and trusts ISRG Root X1.
Alternatively, you could support those other devices by requesting certificates from a different CA (configuring certbot with --server "https://some.other.ca/their/acme/directory"). You'll need to do your own research on which other CAs offer ACME endpoints and provide certificates which are trusted on old Android devices.
Otherwise, yes, these devices are finally reaching the end of their lifetime. It is worth noting that devices that old have not received any other security updates for a very long time, and should be replaced if at all possible anyway.
Yes, I'm the developer of the app.
Yes the app has a login which connects with our server over https and data is exchanged between the app and our server over https.
letsencrypt runs on our server to keep the certificate updated.
Once the certificate renewed after Feb 8th, the app returned this error:
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
Which certificate will I put in the app?
letsencrypt generates new certificates every 90 days. I'm guessing you're not referring to that certificate.
Or do I just put the key certificate?
If by "the app", you mean a TLS client to the system that has the cert, then:
"The app" should NOT have the key [only the server should ever have the key(s)].
If by "the app", you mean a program that runs on the server so that TLS clients can connect to it securely, then:
Definitely; the server will need the cert, all the intermediates, and the key in order to create secure connections.
What @schoen said is correct, you would include the self-signed ISRG Root X1 and ISRG Root X2 certificates in the Android app, as documented by the page in my previous post.
Thanks, I didn't understand that the certificates can actually be added in the code of my phone app. I understood that the user could install the certificates manually on their phones.
If I understand correctly, the ISRG Root X1 expires in 2035 and ISRG Root X2 on 2025-09-15. Adding both certificates will ensure that those old Android devices will continue working over HTTPS through my app only?
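Bundling the roots in the app, as the post above suggests and the last question asks about: an added example (not code from this thread or from Let's Encrypt) of an Android client that builds its TLS trust store from ISRG Root X1 and ISRG Root X2 PEM files placed in the app's res/raw directory. The resource names, the class name and the R class import are assumptions.

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a TLS trust store from root certificates bundled in res/raw. */
public final class BundledRoots {

    // Assumed resource names: the PEM files for ISRG Root X1 and ISRG Root X2
    // copied into res/raw as isrg_root_x1.pem and isrg_root_x2.pem (R is the
    // app's generated resource class).
    private static final int[] ROOT_RESOURCES = { R.raw.isrg_root_x1, R.raw.isrg_root_x2 };

    /** Returns an SSLContext whose only trust anchors are the bundled roots. */
    public static SSLContext buildContext(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null); // start from an empty in-memory key store

        int count = 0;
        for (int resId : ROOT_RESOURCES) {
            try (InputStream in = ctx.getResources().openRawResource(resId)) {
                for (Certificate root : cf.generateCertificates(in)) {
                    store.setCertificateEntry("isrg-root-" + (count++), root);
                }
            }
        }
        if (count == 0) throw new IllegalStateException("no bundled root certificates found");

        // A TrustManager initialised from this store validates the chain the
        // server sends (leaf plus intermediates) up to one of the bundled ISRG
        // roots, independently of the device's own, outdated trust store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    /** Opens an HTTPS connection that trusts only the bundled roots. */
    public static HttpsURLConnection open(Context ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildContext(ctx).getSocketFactory());
        return conn;
    }
}
```

Because the store holds only the two ISRG roots, this connection rejects certificates from every other CA, so if the server later switches CA (the --server option above) the app must ship that CA's root too. Android 7.0 and later can declare the same trust anchors in a network security config instead; older releases need code like this.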