Let’s Encrypt has found a solution to the problem that older Android smartphones will soon no longer trust some websites due to an expired certificate. No action from end users is required.
To solve the problematic TLS certificates, Let’s Encrypt and IdenTrust agreed that the latter company would continue signing Let’s Encrypt’s ISRG Root X1 certificate for another three years through the DST Root CA X3 certificate that’s installed on older Android smartphones.
Expiration dates not enforced
This workaround takes advantage of the fact that Android does not actively enforce certificate expiration dates. Although the ISRG Root X1 certificate expires on 1 September 2021, the workaround will allow the phones to connect to websites encrypted with Let’s Encrypt.
By adding an extra step to the certificate chain, running TLS handshakes becomes a little less efficient, but Let’s Encrypt argues that the extra compatibility is worth the compromise. The cooperation with IdemTrust lasts for three years. This means that the older Android phones can continue to reach all webpages until at least early 2024.
Android versions before 7.1.1
In November, Let’s Encrypt sounded the alarms about support for older Android phones. When the organisation had only just been founded, it partnered with IdenTrust to quickly build support for its certificates. This enabled devices without Let’s Encrypt certificates to connect to websites encrypted via Let’s Encrypt.
The certificate used for this purpose called DST Root CA X3 expires on 1 September 2021. By now, most devices have received native support for Let’s Encrypt, but some devices that have not been updated for a long time are still dependent on the IdenTrust certificate.
Google has added support for Let’s Encrypt in Android version 7.1.1. Phones running an older Android version would no longer connect to Let’s Encrypt websites once the DST Root CA X3 certificate expires. With the new workaround, this problem has been pushed back by more than two years.