Old android tablets can't connect to LE certs anymore

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
https connection
It produced this output:
Trust Anchor for Certification Path Not Found
My web server is (include version):
Apache 2.4.18
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0

I've read here that "in early February" long chains will stop working. Not sure exactly what that means, but all of my customers who have legacy devices in the field stopped working. I was trying to figure out a fix late last night, but could not. I ended up spending $1k to DigiCert to get certificates so that I could get my customers back up and running. Now that things have calmed down, I was wondering if I will be able to switch back to LE next year, assuming I am unable to replace all of the legacy hardware out in the field (I know that's an option).

Hi @aviators99, and welcome to the LE community forum :slight_smile:

I don't understand...
What exactly did you pay them $1k for?

Were they unable to provide you with a trust anchor?
Were they unable to help you "use" their cert?

SSL Server Test: www.ppcheckin.com (Powered by Qualys SSL Labs)

You really need to secure this system.

3 Likes

That error message was from the LE certificate, not the DigiCert. The DigiCert works fine.

That's what DigiCert charges for a Wildcard cert. I paid $0 when I was using LetsEncrypt.

The impending incompatibility with old Android was first raised in 2021 when the DST Root CA X3 root expired [actually the first article is 2020]. An alternative is to switch to a CA that has a root certificate already present in the version of Android you are targeting; that might be ZeroSSL or Buypass Go, or perhaps Google Trust, but eventually these roots will also expire and old devices will stop working (just like old iPads etc. stopped working years ago).

You can still temporarily request certificates using the old DST Root CA X3 chain with the certbot --preferred-chain "DST Root CA X3" option, but only until June 2024, and only if you have a relatively current version of certbot; your 0.27.0 version is from 6 years ago.

[Btw, Comodo do a 1 yr wildcard cert for $59, not helpful now though]

4 Likes

can you push an update onto those devices?

3 Likes

More likely I would send them a new tablet, but that will take some time, and I was looking for an immediate solution, since they were all down.

1 Like

Interesting. This is directly answering my question about what I should do next year, and looks like a good solution. I just checked one of my Android 6 tablets, and Comodo does appear to be in its trusted credentials. Thank you.

This would have been really helpful last night. At least it would have given me some time, and perhaps I would have found Comodo. I did do an apt-get for certbot, and it told me I was running the latest version...not sure what happened there.
Hopefully this answer will help someone else.

2 Likes

Is your system an Android app that talks back to an API, or is it a webview back to a website you host? If it's a webview there may be options less tied to the operating system's own certificate store: Mobile/GeckoView - MozillaWiki

2 Likes

It's API calls.

GTS does the same for free, I think. And they link back to GlobalSign.

Edit: I am not sure about the chains they serve via acme, though.

3 Likes

Wow, there are still webservers serving RC4? :scream:

4 Likes

YES: SSL Server Test: www.ppcheckin.com (Powered by Qualys SSL Labs)

2 Likes

You are ultimately going to have a few options:

  1. Install the Let’s Encrypt root on the devices
  2. Use another CA which is trusted by those devices, which you’re doing now
  3. Update the software on the tablets: if it's a custom Android app, update it to include the needed roots. Or if it's a website, I believe Firefox mobile on Android supports our root and will work on older devices.
  4. Replace the OS or hardware. The OS is EOL for many years and has unpatched security holes. It is not suitable for handling personal information in a professional setting.
7 Likes
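The two mechanisms discussed in this thread, the cross-signed "long chain" that an old trust store containing only DST Root CA X3 can still build a path through, and options 1 and 2 above (add the new root to the device, or use a root the device already has), can be reproduced offline with Go's crypto/x509 path builder. The example below is added here and is not code from the thread or from Let's Encrypt; every certificate is a fixture generated at run time and only named after the real hierarchy (DST Root CA X3, ISRG Root X1, R3), and the hostname api.example.test is hypothetical. Trust anchor for certification path not found, the error reported at the top of the thread, is exactly what the "old store, short chain" case produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed fixture PKI; names mirror the Let's Encrypt hierarchy, keys are fresh.
type pki struct {
	dstRoot   *x509.Certificate // old root, present in old Android trust stores
	isrgRoot  *x509.Certificate // new self-signed root, absent from old Android
	isrgCross *x509.Certificate // ISRG subject and key, but signed by the DST root
	r3        *x509.Certificate // intermediate, signed by the ISRG key
	leaf      *x509.Certificate // server certificate
}

const serverName = "api.example.test" // hypothetical API hostname

var nextSerial int64

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a CA or end-entity template with a fresh serial number.
func template(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{serverName}
	}
	return t
}

// issue signs tmpl for pub with parentKey; pass tmpl itself as parent for a self-signed root.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildPKI() pki {
	dstKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	dstTmpl := template("DST Root CA X3 (fixture)", true)
	isrgTmpl := template("ISRG Root X1 (fixture)", true)
	p := pki{}
	p.dstRoot = issue(dstTmpl, &dstKey.PublicKey, dstTmpl, dstKey)
	p.isrgRoot = issue(isrgTmpl, &isrgKey.PublicKey, isrgTmpl, isrgKey)
	// Cross-sign: same subject and public key as isrgRoot, issuer is the DST root.
	p.isrgCross = issue(template("ISRG Root X1 (fixture)", true), &isrgKey.PublicKey, p.dstRoot, dstKey)
	p.r3 = issue(template("R3 (fixture)", true), &r3Key.PublicKey, p.isrgRoot, isrgKey)
	p.leaf = issue(template(serverName, false), &leafKey.PublicKey, p.r3, r3Key)
	return p
}

// validates performs the path building a TLS client does: leaf plus the intermediates
// the server sent, anchored in the client's own trust store. nil means a path was found.
func validates(leaf *x509.Certificate, served, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: serverName})
	return err
}

// Scenarios pairs two client trust stores with the two chains a server can send.
func Scenarios() map[string]bool {
	p := buildPKI()
	oldStore := []*x509.Certificate{p.dstRoot}            // Android 6 style: DST present, ISRG absent
	newStore := []*x509.Certificate{p.dstRoot, p.isrgRoot} // store that also ships ISRG Root X1 (option 1)
	short := []*x509.Certificate{p.r3}                     // leaf -> R3 -> ISRG Root X1 (must be in store)
	long := []*x509.Certificate{p.r3, p.isrgCross}         // leaf -> R3 -> ISRG Root X1 (cross) -> DST
	return map[string]bool{
		"old store, short chain": validates(p.leaf, short, oldStore) == nil,
		"old store, long chain":  validates(p.leaf, long, oldStore) == nil,
		"new store, short chain": validates(p.leaf, short, newStore) == nil,
		"new store, long chain":  validates(p.leaf, long, newStore) == nil,
	}
}

func main() {
	for k, ok := range Scenarios() {
		fmt.Printf("%-24s trusted=%v\n", k, ok)
	}
}
```

The one thing this model does not reproduce is expiry handling: Go checks the validity period of every certificate in the path, including the root, so the fixture roots are simply kept valid. Old Android does not check the expiry of its own trust anchors, which is why the long chain ending in the expired DST Root CA X3 kept working on those devices for as long as Let's Encrypt offered it. Swapping the "old store" for one that contains a different CA's root (option 2) is the same test with a different trusted slice.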
