Support for Android 7 and older from Oct 2024

rxunique · April 11, 2024, 10:19pm

I've been researching and got my head around the cross signed ISRG X1 expiring on 30 Sep 2024. And shortening of certificate chain from 6 Jun 2024.

I have a simple question and it's bad news answer.

I wasn't able to find any direct confirmation hence asking here

Since Android 7 and older rely on DST Root CA X3, this basically means completely dead end from Oct 2024, not even a work around.

Well, the work around are equally bad news. Either not use lets encrypt, or upgrade firmware of all the android smart devices.

mcpherrinm · April 11, 2024, 10:23pm

Yes, you're reading that right. Once the cross-sign expires, Android prior to 7.1.1 won’t work out of the box with Let’s Encrypt.

If you are an application author, you can include the Let’s Encrypt root in your app, and users will have to upgrade.

If it’s your device, you can install the Let’s Encrypt root. Or for websites, you might be able to use an alternate browser like Firefox Mobile which ships its own set of root CAs. Or upgrade the OS.

If you’re a website operator, you may have to switch CAs.

rxunique · April 11, 2024, 10:56pm

Thanks for confirming. Unfortunately I'm not in position to package in extra CA

Patryk · April 12, 2024, 11:47am

Try other free CAs with ACME support: CA · acmesh-official/acme.sh Wiki · GitHub

Google Trust Services uses GlobalSign root cert they acquired, ZeroSSL uses Sectigo root cert.

nprugne · April 12, 2024, 1:17pm

Hello,

I've posted a solution on stack overflow to get Android clients whose trust store is out of date working again. I implemented it a bit empirically, without being sure that what I was doing was the right solution. Could someone give me some feedback? Is my implementation correct? Won't there be another problem in the future? Thanks in advance for your help.

Best regards,
Nicolas

Osiris · April 12, 2024, 1:22pm

Please don't include intermediate certificates, only root certificates. See e.g. New Intermediate Certificates - Let's Encrypt where Let's Encrypt writes how the usage of the intermediates is going to change soon.

If those Android versions support ECDSA, it's better to include ISRG Root X2 next to the X1 root you already mention.

nprugne · April 12, 2024, 1:40pm

Great, thanks a lot for your help, I've updated the answer on stack overflow to include the ISRG Root X2 certificate, rather than the R3 intermediate.