"I use an old Android device, what do I need to do? Nothing! We’re trying to ensure that this change is completely invisible to end-users."
Well, this seems not to work with my Android 4.4 phone. There are several sites with Let's Encrypt certificates that have been unreachable since October, perhaps the most well-known being
https://community.letsencrypt.org/t/understanding-dst-root-expiry-and-the-older-default-cert-chain/164681/34 recommends "removing the DST root cert (2e5ac55d.0)", but I don't even have this certificate on my phone.
Is there any cure?
Do you have examples of sites not working? And also please show the corresponding error message in Android, preferably with a screenshot.
It's possible that site operators have decided not to implement the Android pre-7.1 compatibility, i.e. not to use the default certificate chain but to intentionally choose the alternative chain.
Do you have the new ISRG root CA on the device? Otherwise removing the DST root alone wouldn't work.
Also the old DST root file name might be different on your device.
That should not be necessary if the server uses the default "Android compatibility" chain. Of course the DST Root CA X3 should be available to Android and not be deleted to retain that compatibility.
If the server indeed uses the non-default, alternative chain without the Android compatibility, then manually installing the ISRG Root X1 root certificate might indeed help.
Is there any cure?
Which browser and version are you using?
We recently learned that stackoverflow.com (an example given in the original post) uses the long chain but only with the proper SNI host name. Without that it sends a faulty cert. Someone was going to contact them, but it seems like it's still a problem.
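To check which chain a server actually sends, and whether that changes without SNI as described for stackoverflow.com above, here is an added example that is not part of this thread: it parses the "Certificate chain" summary printed by `openssl s_client -connect host:443 -showcerts` (run once with `-servername host` and once without) and reports whether the last certificate is ISRG Root X1 issued by DST Root CA X3, i.e. the default Android-compatible chain, or the alternative ISRG-only chain. The sample outputs below are constructed, not captured from a real host, and the R3 intermediate name is assumed.

```python
import re

# Constructed sample of the chain summary that openssl s_client prints
# for a server sending the default (Android-compatible) long chain.
DEFAULT_CHAIN = """\
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# Constructed sample for the alternative short chain (no cross-signed root).
ALTERNATE_CHAIN = """\
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")            # "   i:C = US, ..."

def parse_chain(output):
    """Return (subject, issuer) pairs in the order the server sent them.
    Other lines (a:, v:, the PEM blocks) are ignored."""
    chain, subject = [], None
    for line in output.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def cn(name):
    """Extract the CN component of a one-line distinguished name."""
    m = re.search(r"CN\s*=\s*([^,]+)", name)
    return m.group(1).strip() if m else name

def classify_chain(output):
    """Label the chain by how the server terminates it."""
    chain = parse_chain(output)
    if not chain:
        return "no-chain"
    last_subject, last_issuer = chain[-1]
    if cn(last_subject) == "ISRG Root X1" and cn(last_issuer) == "DST Root CA X3":
        return "default-android-compatible"   # old Android trusts DST Root CA X3
    if cn(last_issuer) == "ISRG Root X1":
        return "alternate-isrg-only"          # needs ISRG Root X1 in the trust store
    return "other"
```

Feed the real output of the two `openssl s_client` runs into `classify_chain`; a result that differs between the SNI and non-SNI run is the behaviour described above.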
Can you test with these two sites on that device and see if you can get to them?
They're just intended for testing, whereas testing with something like stackoverflow might surface other problems. (Like I don't think Stack Overflow supports TLS 1.0, whereas I think old Android doesn't support TLS 1.2)
Another test site that might be helpful to see the output of:
Well, that's very odd (and stupid). Why would someone send an ancient certificate chain and an expired end leaf certificate for non-SNI connections? (Rhetorical question.)
Also, Android 4.4 should support SNI. At least, the Android browser does, according to a random site I googled...
I'm able to use:
to Stackoverflow without any problem
Right, sorry. The thread I linked to was for a custom app not handling stackoverflow right and it was not doing SNI right (among other things).
It does behave oddly for non-SNI (or wrong host name) but that's probably not the cause here.
It might be if @FredFour runs ancient non-default browsers on his Android perhaps..
Actually the default "Internet browser" is the one giving the problem:
You have to use Chrome (or another non-default) browser.
But that's not a TLS issue, right?
Yes, TLS issue.
And also trust issue.
I can't tell from the error message in your screenshot, I've got to take your word for it. Looks like a closed lock in it.
Good catch. And, oh good grief. When will these failure permutations end - yikes.
Does that "default browser" work on https://helloworld.letsencrypt.org? I have a hunch that the issue with old devices like this is mainly about TLSv1.0 going away industry-wide, rather than anything root/trust related.
The default is sooo bad, I can't even connect to
According to SSLLabs, Android 4.4.2 supports up to TLSv1.2:
Qualys SSL Labs - Projects / User Agent Capabilities: Android 4.4.2