Let’s Encrypt faces compatibility issues with older Android devices

Thursday, January 28th, 2021

Update: Let’s Encrypt has found a solution that allows Android devices to remain compatible with their certificates. You can read about the extended compatibility here.

Since its inception, Let’s Encrypt has issued over a billion free certificates worldwide. The open-source CA has greatly contributed to HTTPS adoption; however, it hasn’t always been smooth sailing. Now, the users of Let’s Encrypt certificates should brace for another “storm”. Starting in January 2021, Let’s Encrypt certificates will have reduced compatibility with older devices and apps, affecting both users and website owners. 

The culprit is an expiring third-party root certificate that Let’s Encrypt uses to cross-sign their certificates. It’s standard practice for new CAs to cross-sign their certs with an existing CA’s trusted root. Back in 2015, when Let’s Encrypt emerged on the SSL scene, their own root certificate couldn’t be trusted by all the major browsers and operating systems. It takes years for new roots to pass all the security audits and regulations, so Let’s Encrypt picked the IdenTrust DST Root X3 certificate.

The cross-signing allowed Let’s Encrypt to issue valid and trusted SSL certificates right away. All was good until the expiration of the IdenTrust root loomed closer. It is set to expire on September 30, 2021, which creates a compatibility problem for Let’s Encrypt and its users.

Even though Let’s Encrypt will start issuing certificates chained to their own ISRG Root X1 on January 11, 2021, their root doesn’t have the same compatibility range as the IdenTrust root. Unfortunately, users of older browsers and platforms will receive an SSL connection warning when trying to access websites secured by Let’s Encrypt.
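To see why an expiring cross-signing root breaks only older clients, the following added example (not from the original article) builds a constructed chain with the `openssl` CLI and verifies it at two points in time. The CA names `old` and `new`, the 30-day lifetime, and the leaf being issued directly by the root are all assumptions made to keep the demo short.

```shell
#!/bin/sh
# Constructed demo: every name, key and lifetime below is made up for illustration.
# old.pem   = stand-in for the expiring third-party root (30-day lifetime here)
# new.pem   = stand-in for the CA's own newer root (10 years)
# cross.pem = the newer root's key and name, signed by the old root (cross-signature)
set -eu
cd "$(mktemp -d)"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

mkroot() {  # mkroot <name> <days>: self-signed CA certificate plus its key
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions ca \
    -subj "/CN=$1 (constructed)" -days "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
mkroot old 30
mkroot new 3650

# Cross-sign: same subject and key as new.pem, but issued by the old root.
openssl req -new -key new.key -config ca.cnf -subj "/CN=new (constructed)" -out new.csr
openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial \
  -extfile ca.cnf -extensions ca -days 30 -out cross.pem 2>/dev/null

# Leaf issued by the new root's key (no intermediate, to keep the demo short).
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial \
  -days 365 -out leaf.pem 2>/dev/null

chain_ok() {  # chain_ok <epoch> <trusted_root> [<extra_cert_sent_by_server>]
  openssl verify -attime "$1" -CAfile "$2" ${3:+-untrusted "$3"} leaf.pem >/dev/null 2>&1
}
report() { if chain_ok "$2" "$3" "${4:-}"; then echo "$1: OK"; else echo "$1: FAIL"; fi; }

now=$(date +%s)
later=$((now + 60 * 86400))   # 60 days on: old root and cross-signature have expired
report "old client, before expiry" "$now"   old.pem cross.pem
report "old client, after expiry " "$later" old.pem cross.pem
report "new client, after expiry " "$later" new.pem
```

A client whose trust store holds only the old root validates the leaf through the cross-signature until that root expires, while a client that trusts the newer root directly is unaffected.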

Android users – most affected by the issue

Not everyone will experience the reduced compatibility. The main affected group is the users of Android 7.1.1 or earlier. And, while for some, such old versions may seem archaic, over 30% of Android devices are still running them. These users won’t be able to access websites with Let’s Encrypt certificates. Instead, browsers will greet them with off-putting certificate errors.

Let’s Encrypt has a huge problem on its hands, but it’s not their fault that many prominent platforms are so slow in issuing software updates. Most of the issue stems from the way manufacturers of mobile phones use the Android OS. When Google releases an update, it doesn’t go straight to all the devices using it.

Most of the time, manufacturers ignore the older gadgets; in the worst case, the older phones can’t even support the latest update. That’s why millions of Android devices use out-of-date operating systems that can’t trust the new Let’s Encrypt root certificate.

Besides Android, users of older Java versions (before 1.8.0) will also face compatibility issues and receive certificate warnings when accessing Let’s Encrypt protected websites.

How can you solve this issue?

If you’re a site owner, the quickest and most practical solution is to switch to another Certificate Authority. Commercial CAs have 99.3% browser compatibility, including older versions and server systems. They use their own trusted roots and cross-sign using their own older roots for the best compatibility.

Free alternatives to Let’s Encrypt may be Cloudflare and Amazon certificates, but you can use them only as long as you remain their customer. The closest to Let’s Encrypt in terms of features is Positive SSL, an affordable Domain Validation certificate. Unlike Let’s Encrypt, it also includes a static site seal and an SSL warranty.

If you don’t want to replace your Let’s Encrypt certificate, you can warn your visitors about the impending issue and ask them to upgrade their Android devices. However, most users aren’t tech-savvy and won’t go through all the hassle to visit a site. You can stop supporting older versions, but this again will anger your users and flood your customer support with complaints.

The most sensible option is to switch to another CA unless Let’s Encrypt comes up with a solution before the New Year.