Let’s Encrypt has workaround for impending site problems on old Android versions
Let’s Encrypt has a solution ready to ensure that devices running older Android versions can keep visiting sites with Let’s Encrypt certificates next year, when the root certificate those devices rely on expires. The cross-signature that links Let’s Encrypt’s own root to that older root will be renewed, so the chain keeps ending at a root old Android already trusts, even after that root’s own expiry date has passed.
According to Let’s Encrypt, the workaround guarantees that users on Android versions older than 7.1.1 can continue to visit sites with Let’s Encrypt certificates after September 2021 without errors or warnings, even though the root certificate their devices trust will officially have expired by then. IdenTrust, the certificate authority that operates DST Root CA X3, has agreed to issue a new cross-signature of Let’s Encrypt’s ISRG Root X1 root from DST Root CA X3. The new cross-sign is valid for three years.
IdenTrust’s DST Root CA X3 certificate itself still expires on September 30, 2021, but Android does not enforce the expiry date of a certificate it holds as a trust anchor: as long as the root is in the device’s trust store, a chain that ends at it is accepted. To keep such a chain available, Let’s Encrypt’s default chain will include the cross-signed ISRG Root X1 certificate as an extra intermediate. Clients that already have ISRG Root X1 in their trust store stop at it; old Android builds the path one step further, to DST Root CA X3. The extra certificate makes every TLS handshake slightly larger and therefore less efficient, which Let’s Encrypt says is worth the compatibility gained. End users do not have to do anything themselves.
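The chain mechanics described above, as an added example in Go that is not Let’s Encrypt’s, IdenTrust’s or Android’s code. It generates a throwaway PKI shaped like the real one (a root modelled on DST Root CA X3 that expires on September 30, 2021, a root modelled on ISRG Root X1, a cross-signed ISRG Root X1 issued by the DST root and valid to 2024, an R3 intermediate and a site certificate) and runs a small path builder over it. The "(model)" names, example.test, the validity dates of R3 and the leaf, and the validator itself are constructed for this example; its enforceAnchorExpiry switch models the Android behaviour the article describes and is not Android’s own implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
var handshakeTime = date(2022, 3, 1) // a handshake well after DST Root CA X3 has expired
var serial int64                      // serial numbers for the constructed certificates

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a certificate signed by parent/parentKey (self-signed when parent is nil). A fresh
// P-256 key is generated unless one is passed in; the cross-sign must reuse the ISRG key.
func mkCert(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		key = k
	}
	serial++
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: date(2020, 1, 1), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
	if isCA {
		tpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildPKI mirrors the real chain shape with stand-ins constructed for this example: R3 is signed by the
// ISRG key, and that key has two certificates with the same subject, the self-signed root and the cross-sign.
func buildPKI() (dst, isrg, cross, r3, leaf *x509.Certificate) {
	dst, dstKey := mkCert("DST Root CA X3 (model)", nil, nil, nil, true, date(2021, 9, 30))  // NotAfter of the real root
	isrg, isrgKey := mkCert("ISRG Root X1 (model)", nil, nil, nil, true, date(2035, 6, 4))   // NotAfter of the real root
	cross, _ = mkCert("ISRG Root X1 (model)", isrgKey, dst, dstKey, true, date(2024, 9, 30)) // renewed cross-sign, three more years
	r3, r3Key := mkCert("R3 (model)", nil, isrg, isrgKey, true, date(2025, 9, 15))           // intermediate; dates assumed
	leaf, _ = mkCert("example.test", nil, r3, r3Key, false, date(2022, 5, 30))               // site certificate; dates assumed
	return
}

// validate is a deliberately small path builder: each certificate must be valid at now and signed by the next
// one; an anchor that signs cur ends the path. enforceAnchorExpiry=false models the Android behaviour above.
func validate(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate, now time.Time, enforceAnchorExpiry bool) ([]string, error) {
	chain, cur := []string{leaf.Subject.CommonName}, leaf
	for depth := 0; depth < 8; depth++ {
		if now.Before(cur.NotBefore) || now.After(cur.NotAfter) {
			return chain, fmt.Errorf("%q is not valid at %s", cur.Subject.CommonName, now.Format("2006-01-02"))
		}
		for _, a := range anchors { // trusted first: stop as soon as a trust anchor verifies cur
			if cur.CheckSignatureFrom(a) == nil {
				chain = append(chain, a.Subject.CommonName+" [anchor]")
				if enforceAnchorExpiry && now.After(a.NotAfter) {
					return chain, fmt.Errorf("trust anchor %q expired on %s", a.Subject.CommonName, a.NotAfter.Format("2006-01-02"))
				}
				return chain, nil
			}
		}
		var next *x509.Certificate
		for _, ic := range intermediates {
			if cur.CheckSignatureFrom(ic) == nil {
				next = ic
				break
			}
		}
		if next == nil {
			return chain, fmt.Errorf("no issuer found for %q", cur.Subject.CommonName)
		}
		chain, cur = append(chain, next.Subject.CommonName), next
	}
	return chain, fmt.Errorf("path too long")
}

func main() {
	dst, isrg, cross, r3, leaf := buildPKI()
	long := []*x509.Certificate{r3, cross} // the chain Let's Encrypt servers send from early 2021
	for _, s := range []struct{ name string; store *x509.Certificate; strict bool }{
		{"old Android (DST only, anchor expiry ignored)", dst, false}, {"strict validator, same store", dst, true}, {"store with ISRG Root X1", isrg, true}} {
		chain, err := validate(leaf, long, []*x509.Certificate{s.store}, handshakeTime, s.strict)
		fmt.Printf("%-46s %v err=%v\n", s.name, chain, err)
	}
}
```

The third line of output is the one that matters for modern clients: a store that already holds ISRG Root X1 stops at that root after two certificates and never looks at the cross-sign, so the longer chain costs it only the extra bytes. Run the same calls with `[]*x509.Certificate{r3}` as the intermediates to see why the shorter chain fails on the old-Android store: R3 then has no issuer the device can verify.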
Let’s Encrypt expects to start serving the new chain in late January or early February 2021; its earlier plan to switch chains on January 11 has been dropped. Before the new cross-sign expires in 2024, Let’s Encrypt will still move its default chain to one rooted only in ISRG Root X1, possibly as early as June 2021. Subscribers who still need DST Root CA X3 at that point can request the longer chain explicitly.
Let’s Encrypt first flagged the problem in November. In its early days, to be trusted quickly by Windows, Firefox, macOS, Android, iOS and Linux, Let’s Encrypt had its certificates cross-signed by IdenTrust’s DST Root CA X3, a root those platforms already carried. That root certificate expires on September 30, 2021. Android versions older than 7.1.1 no longer receive updates, never received ISRG Root X1 in their trust store, and so still depend on DST Root CA X3. More than 30 percent of all Android devices still run such an old version and were therefore at risk of certificate warnings on sites secured with a Let’s Encrypt certificate once that root expires at the end of September 2021.
Update, Wednesday 11am: clarified that Android users don’t need to do anything and removed a passage about the step Let’s Encrypt wanted to take in January because it was unclear. Thanks to Sleutelman.