Question about ISRG root

I have read this document:

It is indicated:

How can I mitigate this change?

You can manually configure your intermediate to the cross-sign by IdenTrust.

However I don't know how to manually configure this. Is there any documentation?

This is different for every ACME client.

I'm using certbot .............................

I sense you're a little bit agitated, probably because you thought I own a crystal ball to magically know the ACME client you used. I don't. Please add such vital information to your post in the future, as we can't know such information if you don't provide it. Misinterpreted the long line of dots...

As to your question: please see the --preferred-chain option for certbot in the certbot command line options documentation.

Also note that as far as I know, the linked announcement is already outdated. See:

1 Like

I think the ................. were to meet the 20 char minimum - not a sign of user mood.

1 Like

Yes :smiley:

Sorry if I was totally unclear. Some colleagues just told me we will suffer a 30% drop in Android users as of January due to Let's Encrypt, and I was really horrified.

So it seems, according to this, that hopefully I need to do nothing and will keep all my users? :thinking:

Ah, I see, I did not think of that, thanks. (I always use   to fool Discourse.)

That totally depends on the Android version ecosystem of your users. If you mostly have "advanced" users using only recent versions of Android, you have a totally different Android ecosystem compared with more legacy users running very old versions. I think 30% is a lot, though.

That's the purpose of the plan in the most recent announcement indeed.

1 Like

It probably also depends a lot on country and language; I haven't looked at these statistics much recently, but I recall that the prevalence of out-of-support Android devices (or other out-of-support operating systems) could often vary a lot from one country to another.

I just found these tools that offer comparisons of mobile device versions by country (I don't know how large or representative their samples are, since they're probably based on visits to a specific set of web sites).

https://deviceatlas.com/device-data/explorer/webusage-by-country/traffic/no-tablet/country/us/type/os_name_version

1 Like

The article is a little ambiguous.

First it indicates:

I’m a Let’s Encrypt subscriber, what do I need to do? In the vast majority of cases, nothing. If you want to double check, please ensure that your ACME client is up-to-date.

Then it continues:

When we make that change, subscribers will have the option to continue using DST Root CA X3 by configuring their ACME client to specifically request it.

So I don't know exactly what to do. I have many users that are using old Android and I don't want to lose them. Most services on my website use certbot for getting certificates, but some of them have their own implementation of Let's Encrypt renewal. So I don't know what I should do for all of them.

@hnaseri With "the option to continue using DST Root CA X3" they mean the current situation, where the intermediate is directly cross-signed by DST Root CA X3. When the aforementioned change has been put into effect, this current chain will become an alternative chain next to the future default chain with a cross-signed ISRG Root X1.

I'm not a technical person, but I can follow guides.
Now I have a service whose Let's Encrypt certificate was renewed today.
I see this on its certificate page:

Does this mean Android < 7 won't be able to use this service? If so, what should I do?

You can't trust browsers to check a chain: they can build their own chain as they please with other (cached) intermediates.

You can use external sites such as https://www.ssllabs.com/ssltest/ to see which chain is sent by the server.

2 Likes

Just to add something to what @Osiris said. You can also use some tool like openssl to check your site's trust chain.

$ echo | openssl s_client -connect talk.zabanshenas.com:443 -servername talk.zabanshenas.com 2>&1 | grep 'depth'
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = talk.zabanshenas.com
2 Likes
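The two practical points in this thread are (a) look at the chain the server actually sends, not what a browser shows, and (b) if you need the legacy chain, ask certbot for it with --preferred-chain. The script below is an added example, not code posted by anyone in the thread: it dumps subject and issuer of every certificate a server sends (the -showcerts form of the openssl check above), reads off the issuer of the last one to tell a DST Root CA X3 chain from an ISRG Root X1 chain, and notes the matching certbot invocation. It assumes openssl is on PATH and that the host you pass is reachable on port 443; the parsing and classification helpers work offline on pasted output. The host name and the wording of the labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl on PATH.

# Print subject= / issuer= for every certificate the server sends, in served
# order. crl2pkcs7 bundles the PEM blocks so pkcs7 can print them all at once.
served_chain() {
  host=$1
  tmp=$(mktemp) || return 1
  echo | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$tmp"
  openssl crl2pkcs7 -nocrl -certfile "$tmp" | openssl pkcs7 -print_certs -noout
  rm -f "$tmp"
}

# Read served_chain output on stdin and print the issuer of the LAST certificate
# sent. That is the root the served chain points at, whether or not the server
# includes the root itself.
top_issuer() {
  grep '^issuer=' | tail -n 1 | sed 's/^issuer=//'
}

# Say what that issuer means for clients. Android 7.1.1+ ships ISRG Root X1;
# older Android only has DST Root CA X3, so the cross-signed chain is what
# keeps those devices working.
classify_issuer() {
  case $1 in
    *"DST Root CA X3"*) echo "legacy chain: trusted via DST Root CA X3, works on old Android" ;;
    *"ISRG Root X1"*)   echo "ISRG chain: client must trust ISRG Root X1 (Android 7.1.1+)" ;;
    *)                  echo "unknown root: $1" ;;
  esac
}

# Live check of one host: which chain does it serve, and who will trust it?
check_site() {
  issuer=$(served_chain "$1" | top_issuer)
  classify_issuer "$issuer"
}

# To keep the DST Root CA X3 chain with certbot, name the CN of the topmost
# issuer of the chain you want (certbot's documented --preferred-chain rule;
# if no offered chain matches, certbot falls back to the default chain):
#   certbot renew --preferred-chain "DST Root CA X3"

# Usage: sh chaincheck.sh talk.zabanshenas.com   (hypothetical file name)
if [ "$#" -gt 0 ]; then
  check_site "$1"
fi
```

Run it against each of your services; anything whose top issuer is not DST Root CA X3 is serving a chain that an old Android device without ISRG Root X1 cannot build, and for clients other than certbot you have to find that client's equivalent of --preferred-chain yourself.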

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.