Serving Default/Long Chain issue on Windows Server 2022 R2

Continuing the discussion from Users of older Android and Windows 7 not able to access website:

Hello Community,

Greetings!

We recently upgraded our servers from Windows Server 2012 R2 to Windows Server 2022 R2.
The solution suggested by @rmbolger worked well for Windows Server 2012 R2. But when we implemented the same steps on Windows Server 2022 R2, it did not work.

Sharing below site that is working well on Windows Server 2012 R2:

Sharing below site that is not working on Windows Server 2022 R2:

@rmbolger @rg305 @jsha and other experts please help on this.

Have a good day!

Thanks,
Parth

1 Like

Your server 2012 probably happens to have outdated certificate trust store settings which prevent DST Root CA X3 from being disallowed. However, DST Root CA X3 has been disallowed in the Microsoft trust store since February 2023 (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab).

Subject Identifier: dac9024f54d8f6df94935fb1732638ca6ad77c13
  8 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.10.11.104 (CERT_DISALLOWED_FILETIME_PROP_ID)
    Value[0][0], Length = a
 1/02/2023 8:00 AM

I would suggest that you will no longer be able to get the expired DST Root CA X3 working using IIS on any up to date version of Windows.

The "long chain" is no longer the default from February 2024 and disappears from June 2024, so you will have no choice but to change at that point: Shortening the Let's Encrypt Chain of Trust - Let's Encrypt

As a workaround you could change CA to BuyPass Go, Google Trust or ZeroSSL (for instance) but you would need to test which ones have root certs trusted by your target clients.

3 Likes
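An added example for checking the two points above on the Windows host itself; it is not code from this thread or from any of the posters. It looks for DST Root CA X3 (the thumbprint is the subject identifier shown in the certutil output above) in the machine's Disallowed store, then fetches the certificate a site presents and lets the Windows chain engine build and evaluate the chain, the way Schannel would. `$HostName` is an assumed placeholder for the site being tested.

```powershell
# Added example, not code from the thread. Run on the Windows Server in question.
# $HostName is a placeholder; replace it with the site under test.
param(
    [string]$HostName = 'www.example.invalid'   # placeholder, not a real site
)

# SHA-1 thumbprint of DST Root CA X3, as shown in the certutil output above.
$DstRootX3 = 'DAC9024F54D8F6DF94935FB1732638CA6AD77C13'

# 1. Has the authroot update placed DST Root CA X3 in the Disallowed store?
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Thumbprint -eq $DstRootX3 }
if ($disallowed) {
    Write-Host "DST Root CA X3 is in LocalMachine\Disallowed (cert NotAfter: $($disallowed.NotAfter))"
} else {
    Write-Host "DST Root CA X3 is not in LocalMachine\Disallowed on this host"
}

# 2. Fetch the leaf certificate the site presents. The validation callback
#    returns $true only so the handshake completes; trust is evaluated in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$callback = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($HostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close()
$tcp.Close()

# 3. Let the Windows chain engine build the chain from the machine's stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)

Write-Host "Chain built for $($leaf.Subject); trusted: $trusted"
foreach ($element in $chain.ChainElements) {
    '{0}  (NotAfter {1:yyyy-MM-dd})' -f $element.Certificate.Subject, $element.Certificate.NotAfter
}
# ExplicitDistrust means a certificate in the chain was rejected through the
# Disallowed store; NotTimeValid means one of them has expired.
foreach ($status in $chain.ChainStatus) {
    '{0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
}

# A chain whose last element is "CN=DST Root CA X3, O=Digital Signature Trust Co."
# is the long chain; one ending at "CN=ISRG Root X1, O=Internet Security Research Group"
# is the short chain.
```

Note that step 3 builds the chain from the local machine's stores, which is exactly what decides whether IIS can serve the long chain; it is not necessarily the chain the server sends on the wire. To see what clients actually receive, inspect the served chain from a client machine (for example with openssl s_client -showcerts).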

OR

You could spin up an up-to-date Linux (flavored) VM.
[within the Windows Server itself - no additional hardware required].
[just: 1+ (shared) CPU and 1GB+ (dedicated) mem and a few GBs of disk space should be enough]

And use a reverse proxy inside that VM to handle all your inbound HTTP(S) connections and certs.

Note: presumes the Windows Server hardware supports virtualization

3 Likes

Yes you could also do that on the same Windows machine, just run your IIS services on a different port and reverse proxy back to them from Apache, nginx or Caddy. It only buys you a few months though.

2 Likes

Thank you @webprofusion and @rg305 for the reply.

If we replace "IdenTrust DST Root CA X3" with "IdenTrust Commercial Root CA 1" as per the below link from IdenTrust, will the issue be resolved?

Thanks

1 Like

Only if you'd also get a certificate for your domain name, signed by a chain leading up to "IdenTrust Commercial Root CA 1", which is not offered by Let's Encrypt.

3 Likes

Thank you!

When the ISRG Root X2 certificate is rolled out, will older Android devices (Android < 7.1.1) be supported at that time?

Older Android versions do not know about ISRG Root X2, so it does not help them.

4 Likes

ISRG Root X2 has already been rolled out. Older Android versions won't get any updates any longer and those Android versions don't have automatic OTA updates of their root store. (Since Android 14 the root certs are able to get updated without the requirements of a complete firmware update.)

Not sure why your question is specifically about the X2 root and not X1? X1 has been rolled out for a long time now, but not for Android <7.1.1.

2 Likes

Do you suggest any solution to support Android 7.1.1 and earlier? Do we need to move to another SSL provider for the same?

Other (free) certificate providers are often better supported on Android <7.1.1. For now. Ultimately, as root certificates always have an end date, Android <7.1.1 will only have expired root certificates.

If you look at ACME CA Comparison - Posh-ACME there are a few other free ACME servers available. You could check the root certificates of the other CAs and check their presence in Android <7.1.1 and choose one with the latest notAfter date.

E.g., the Buypass root certificate "Buypass Class 2 Root CA" (used by their free ACME server) was added in late 2012 to the Android source code (162afc579a4e05933db8ee63f79cc40a7b62cd49 - platform/system/ca-certificates - Git at Google) and is valid till somewhere in 2040 (!). Thus, it might be available since perhaps 4.2.2 or 4.3, not sure when the commit was actually integrated into a release.

Another practical thing is that the Buypass ACME server doesn't require stuff like EAB, which makes issuing certs a lot easier compared to the other free ACME servers (except Let's Encrypt of course).

Thus, depending on your target Android version (nobody should walk around with such old phones, looking at all the security risks involved), one or another free ACME server might take your fancy.

5 Likes

I guess if your market is India, with 600M smartphones, even a 1% market share is still potentially 6 million users, secure or not! Mobile & Tablet Android Version Market Share India | Statcounter Global Stats

3 Likes

Still, it isn't wise.
