Detailed website statistics indicate that there are still people using older versions of Android (below 7.1). These people may experience problems with the operation of some websites and applications. In this post I will present the causes and how to deal with inconveniences before the DSJ2.pl website is also no longer available to some people.
What's the matter?
Let's Encrypt is an organization dedicated to providing free and easily accessible TLS (SSL) certificates for websites. They enable connection to the server via the HTTPS protocol, which has a number of benefits, mainly related to security. Currently, 363 million websites use LE - including DSJ2.pl.
As LE is a relatively young formation (2015/2016), their root certificate was not yet installed by default on devices/systems developed in those days. To circumvent this problem, the organization decided to issue cross-signed certificates for websites, containing additionally the DST Root CA X3 certificate, which was compatible with old devices. Interesting fact: this root certificate expired on systems in 2021, but old Androids were ignoring it and everything still worked fine on them. By the time...
In July 2023, Let's Encrypt announced that it would stop issuing cross-signed certificates and thus stop support older versions of Android within a year. The change takes place in stages:
- February 8, 2024 โ old type certificates are no longer issued by default, but they can still be generated manually,
- June 6, 2024 - the possibility of obtaining such certificates will be completely disabled,
- September 30, 2024 - the maximum date when all issued cross-signed certificates will expire.
As a result, all sites that use Let's Encrypt, as well as app features that require connection to such sites (e.g. DSJ2 Mobile replay sharing), will no longer work on Android 7.0 and earlier (most of them have already stopped to work).
What to do?
If for some reason you don't want/cannot simply change your phone to a newer one, you have a few other options:
- updating the system manually - time-consuming and quite complicated, you can find guides on the Internet for a given model; this involves clearing data and the need to restore from a backup and may not always be fully successful,
- installing the LE root certificate on the device โ you can use this guide; unfortunately, this option doesn't always work correctly, it probably requires root access (unlocking the phone = wiping data),
- using the Firefox Mobile browser, which has its own certificate store, thanks to which it can easily trust LE websites; unfortunately, this doesn't affect the operation of websites in other applications.
There are also options on the server/application owner's side to restore operation for older Androids:
- manually generating the old type of certificate โ if certbot version 1.12+ is used on the server, you can use the command:
sudo certbot certonly --force-renew -d domainname.com --preferred-chain "DST Root CA X3"
this possibility is only available until June 6, 2024; in this way, full operation for DSJ2.pl has been restored - on June 5 we will generate the last certificate, which will extend availability of our website for old Androids by another 3 months (maximum validity period of the LE certificate), - setting the application to use its own certificate store (not only the system one), just like Firefox,
- switching to a commercial certificate provider that still supports old devices.
Sources:
https://letsencrypt.org/2023/07/10/cross-sign-expiration
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://community.letsencrypt.org/t/questions-regarding-shortening-the-lets-encrypt-chain-of-trust/201581
Phrases that may help you find this article in Google: android 4/5/6/7, websites not working, problem with pages, security certificate error.