
Scope: mobile - Android

Subject: Let's Encrypt certificate, ISRG Root X1

Hi, as Internet veterans know well, this certificate expired on September 30th.

Many "obsolete" devices have been affected, experiencing an unpleasant block when accessing sites that use Let's Encrypt for SSL certificates.

The root certificate in devices that are no longer supported is therefore no longer valid.  This limitation would have affected systems from Android 7 onwards.  I too have experienced the inconvenience, with the unpleasant surprise of suddenly being denied access to a domain of interest to me.

Many users of that domain have complained.  One of them suggested manually installing a 'pem' certificate downloaded directly from Let's Encrypt (https://letsencrypt.org/certificates/).

This operation worked, but then, shortly after the numerous complaints, the site became visible again even to those who had not followed the manual certificate installation procedure.

For this reason I removed the certificate immediately afterwards, and indeed browsing continued to work without any problems.

I then read (https://letsencrypt.org/2020/12/21/extending-android-compatibility.html) that Let's Encrypt had found a stopgap solution to work around the incompatibility of the old root certificate with the SSL handling of browsers (except for Firefox, which has no problems, since it has its own certificates independent of the root ones mentioned).  This fallback solution is expected to work until early 2024.

Having set out the background, I have a couple of questions:

  1. How come I currently find, among the user certificates (not the pre-installed or automatically updated system ones), an ISRG Root X1 certificate, issued by the CA Internet Security Research Group (which, as many will know, is behind Let's Encrypt), and which even shows an expiry date of 6/4/35 (issue date 6/4/15, June 4th)?  That is, how is it possible that it installed itself without my intervention?

[Screenshots: Root certificate in user section; Certificate details; Details 2]

  2. Is it possible that something as trivial as an obsolete certificate cannot be fixed by the user, simply by installing the newly issued certificate (as I had done at the suggestion of the aforementioned, evidently better informed, user)?  If the answer is that it is possible, then, on the fateful date in 2024, will owners of devices running, e.g., Android 7 or older have any hope of keeping their browsers "alive"? How is it possible, moreover, that Google is unable to update these certificates, regardless of whether the device is no longer supported by the manufacturer?
Bento
  • Regarding 1) AFAIR they increased the expiration server-side (don't ask me how). Regarding 2) only for unlockable/rootable devices (or via exploit): https://android.stackexchange.com/q/231025 – alecxs Oct 30 '21 at 08:47
  • @alecxs But about 1), how can the presence of the ISRG Root X1 certificate be explained without my having installed it from the SD card? (please look at the 2 pics I've added above) – Bento Oct 30 '21 at 09:10
  • I don't think it's a new certificate – alecxs Oct 30 '21 at 09:12
  • @alecxs But in your opinion, how is it possible that it was installed without any action on my part? – Bento Oct 30 '21 at 09:27
  • I don't think this certificate was recently installed. In my opinion (which is probably wrong) it's the same certificate as before, just the expiry date has changed server-side – alecxs Oct 30 '21 at 10:41
  • @alecxs Thanks, but note that I had installed the updated Root X1 certificate, giving it an arbitrary name 'xyzx', and afterwards, as I said in my question #1 above, I had uninstalled it. Before installing it (and also after uninstalling it) the user certificates list was completely empty. Moreover, following your link, I've seen that it seems necessary to have two files, X1 and X2. Any idea? – Bento Oct 30 '21 at 19:51
