My company has plenty of old Android platforms on market and it's not possible to upgrade the OS version.
We noticed that Let's Encrypt updated the statement to illustrate that, the impact will be gone since the cross-sign will be continued, and DST Root CA X3 can still function even though it's expired, thanks to Android design.
However, what still makes us worry is the below statement:
"perhaps as early as June 2021, we will be making a similar change to what we intended to make this January. When we make that change, subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it."
So, if the website owner does not specifically request to use DST Root CA X3 chain, doesn't that mean our old Android platforms still cannot access those sites using HTTPS?
To solve the above potential risk, we are planning to update our Android firmware to put the ISRG Root X1 .crt into the old Android platforms. And so far test works.
We notice that ISRG Root X1 need to be renewed every 90 days, but I assume we don't have to do that for our Android platforms since Android checks only “trust anchors” as you mentioned in the workaround of DST Root CA X3 expiration.
Could you provide us your insight about our plan? Let us know if we misunderstanding anything, thanks!