Back in November, we found out that a good chunk of websites using Let’s Encrypt certificates would stop working on older Android devices next year. The cause was an expiring cross-signature from IdenTrust, whose long-established root certificate had been vouching for Let’s Encrypt’s intermediate certificate on platforms that don’t trust Let’s Encrypt’s own root. Thankfully, a solution has been established, and sites using Let’s Encrypt certificates don’t have to worry about issues with older Android devices next year anymore.
It’s a pretty technical subject, but in short, Let’s Encrypt was relying on a cross-signed certificate for devices (like Android devices running versions prior to 7.1.1 Nougat) that don’t have its own root certificate, ISRG Root X1, in their trust store. Two months ago, Let’s Encrypt revealed that this cross-signed certificate would expire next September, at which point it would stop working on those devices. That means sites and services that use Let’s Encrypt to secure their HTTPS connections would break on them, and that’s a good chunk of the internet these days.
The various chains of trust covered by this news.
Fortunately for us, the partnership between IdenTrust and Let’s Encrypt has been renewed, though the new arrangement works slightly differently: instead of cross-signing Let’s Encrypt’s intermediate certificate, IdenTrust’s root now cross-signs Let’s Encrypt’s root certificate itself. You can check out the nitty gritty at the source link below. Speaking to a developer I had on-hand to help break it down (Thanks: Matthew Franklin), the solution is “kinda weird,” but otherwise fits within standards for certificate validity. The weird part is that the arrangement outlives IdenTrust’s own root certificate; it works because Android does not check the expiry date of a root that is already in its trust store, only the certificates chained beneath it. Though it adds an extra step in the chain of trust in some cases, it should mean things continue working smoothly and securely.
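To make the chain-of-trust mechanics concrete, here is an added example that is not code from Let’s Encrypt, IdenTrust or Android. It models certificate path building with a toy, signature-free representation of the certificates: names follow the real hierarchy (DST Root CA X3, ISRG Root X1, the R3 intermediate), dates are constructed only to match the timeline in this article, and “signed by” is modelled by matching issuer name and key identifiers rather than by verifying real signatures. It covers both the old arrangement described earlier (R3 cross-signed directly by IdenTrust’s root, expiring in September) and the new one (a cross-signed copy of ISRG Root X1 valid into 2024); the `enforce_anchor_expiry` switch is the detail that makes the new arrangement work on old Android, which does not check the expiry of roots already in its trust store.

```python
"""Toy model of X.509 chain building for the Let's Encrypt cross-sign.

Added example, not Let's Encrypt's, IdenTrust's or Android's code. Certificates
are represented by the fields path building needs; no real signatures are checked.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key_id: str    # stands in for the Subject Key Identifier (this cert's key)
    authority_key_id: str  # stands in for the Authority Key Identifier (the signing key)
    not_before: datetime
    not_after: datetime

    def valid_at(self, now):
        return self.not_before <= now <= self.not_after


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed certificates: names follow the real hierarchy, dates are illustrative
# and chosen only to match the article's timeline (old cross-sign dies in Sept 2021,
# the new one lasts until 2024).
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", "key-dst", "key-dst", _utc(2000, 9, 30), _utc(2021, 9, 30))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", "key-isrg", "key-isrg", _utc(2015, 6, 4), _utc(2035, 6, 4))
# Old arrangement: the R3 intermediate cross-signed directly by IdenTrust's root.
R3_CROSS_OLD = Cert("R3", "DST Root CA X3", "key-r3", "key-dst", _utc(2020, 10, 7), _utc(2021, 9, 29))
# New arrangement: a copy of ISRG Root X1 (same subject, same key) signed by IdenTrust's root.
ISRG_ROOT_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "key-isrg", "key-dst", _utc(2021, 1, 20), _utc(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", "key-r3", "key-isrg", _utc(2020, 9, 4), _utc(2025, 9, 15))
LEAF = Cert("example.com", "R3", "key-leaf", "key-r3", _utc(2021, 8, 20), _utc(2021, 11, 18))

BEFORE = _utc(2021, 9, 15)  # before the old cross-sign expires
AFTER = _utc(2021, 10, 15)  # after it (and after DST Root CA X3 itself) expires


def _issued(child, parent):
    """Would `parent` have signed `child`? Names must chain and key ids must match."""
    return child.issuer == parent.subject and child.authority_key_id == parent.subject_key_id


def build_chain(cert, pool, trust_store, now, enforce_anchor_expiry=True, _depth=0):
    """Return [leaf, ..., trust anchor] or None if no valid path exists.

    `pool` is what the server sent (intermediates, possibly a cross-signed root);
    `trust_store` is what the device ships. Anchors are tried before the pool so
    the shortest path wins. `enforce_anchor_expiry=False` models Android, which
    does not check validity dates of certificates already in its trust store.
    """
    if _depth > 8 or not cert.valid_at(now):
        return None
    for anchor in trust_store:
        if _issued(cert, anchor) and (anchor.valid_at(now) or not enforce_anchor_expiry):
            return [cert, anchor]
    for cand in pool:
        # Self-signed certs in the pool are never used as links; they only count as anchors.
        if cand is not cert and cand.subject != cand.issuer and _issued(cert, cand):
            rest = build_chain(cand, pool, trust_store, now, enforce_anchor_expiry, _depth + 1)
            if rest:
                return [cert] + rest
    return None


def chain_subjects(chain):
    return None if chain is None else [c.subject for c in chain]


if __name__ == "__main__":
    old_device = [DST_ROOT]                # pre-7.1.1 Android: only IdenTrust's root
    new_device = [ISRG_ROOT_X1, DST_ROOT]  # 7.1.1 and later: ships ISRG Root X1 too
    new_pool = [R3, ISRG_ROOT_X1_CROSS]
    print("old arrangement, old device, Sept 15:", chain_subjects(build_chain(LEAF, [R3_CROSS_OLD], old_device, BEFORE)))
    print("old arrangement, old device, Oct 15: ", chain_subjects(build_chain(LEAF, [R3_CROSS_OLD], old_device, AFTER)))
    print("new arrangement, old device, Android rules:",
          chain_subjects(build_chain(LEAF, new_pool, old_device, AFTER, enforce_anchor_expiry=False)))
    print("new arrangement, old device, strict rules: ",
          chain_subjects(build_chain(LEAF, new_pool, old_device, AFTER)))
    print("new arrangement, new device:", chain_subjects(build_chain(LEAF, new_pool, new_device, AFTER)))
```

Running it shows the old arrangement validating before September and failing after, the new arrangement validating on an old device only under Android’s relaxed treatment of trust anchors (a verifier that enforces anchor expiry rejects the same path), and a newer device ignoring the cross-signed copy entirely because it reaches ISRG Root X1 directly.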
Neither owners of older Android devices nor Let’s Encrypt subscribers should need to do anything for this workaround to function next year. Developers who have hardcoded (pinned) a specific certificate or chain in their apps should check that the longer chain still passes their checks, but for everyone else, this change won’t require any steps to accommodate. Let’s Encrypt says the change should be “completely invisible” to end-users, and sites and services using Let’s Encrypt certificates should continue working on affected Android devices without having to resort to a browser like Firefox, which ships its own certificate store.
This isn’t a forever solution, as the new cross-signing arrangement is only good until 2024, and it isn’t clear whether another workaround is planned to keep older devices limping along after that. Still, folks using pre-7.1.1 Android devices have another three years to upgrade before sites and services start to break, and given how insecure those older versions are now, they really should.