Let's Encrypt (a community-controlled non-profit certificate authority that provides free certificates to all) has announced the upcoming transition to signing with only its own root certificate, without relying on the certificate cross-signed by the IdenTrust certificate authority.
The Let's Encrypt root certificate is trusted by all modern browsers, but on Android it is only recognized as of Android 7.1.1, released in late 2016.
The problem is that, according to the available statistics, only 66.2% of all Android devices run Android 7.1 or newer.
Therefore, 33.8% of Android devices in use do not have the Let's Encrypt root certificate in their trust store, and once the cross-signed certificate expires, an error will be displayed when trying to open sites using Let's Encrypt certificates on those devices.
The share of Android users who do not trust the Let's Encrypt root certificate is estimated at between 1 and 5% of the audience of large sites.
Let's Encrypt does not intend to conclude a new cross-signing agreement, as it imposes a great additional responsibility on the parties to the agreement, deprives them of independence and ties their hands by requiring compliance with all procedures and rules of another certificate authority.
Besides, the problem of updating old Android devices will probably not go away, and the cross-signing agreement would have to be renewed over and over again.
As of January 11, 2021, changes will be made to the Let's Encrypt API, and by default ACME clients will receive certificates chained to ISRG Root X1 without cross-signing.
Compatibility-conscious users will be able to request an alternative certificate chain, validated through the old cross-signed root, but such chains will remain limited by the lifetime of the cross-signed root certificate (September 1, 2021).
As a workaround, users of older Android devices are advised to switch to the Firefox browser, which ships its own updated root certificate store.
But Firefox does not support Android 4.x (about 2% of active Android devices); it only runs on Android 5.0 or newer.
Site owners unwilling to accept the loss of compatibility with older Android phones are advised to serve requests from older Android devices over HTTP or to switch to a CA whose root is trusted by older versions of Android.
Here is how Let's Encrypt announced the change:
"The DST Root X3 root certificate that we trust to boot will expire on September 1, 2021. Fortunately, we are ready to stand up and rely solely on our own root certificate."
However, this complete change to the Let's Encrypt certificate itself will not be without consequences.
“Some software that hasn't been updated since 2016 (around when our root was accepted by many root programs) still doesn't trust our root certificate, ISRG Root X1,” explained Jacob Hoffman-Andrews (senior developer at Let's Encrypt and senior technologist at the Electronic Frontier Foundation) in a notice.
“This particularly includes versions of Android prior to version 7.1.1. This means that these older versions of Android will no longer trust certificates issued by Let's Encrypt.”
“For the built-in browser on an Android phone, the list of trusted root certificates comes from the operating system, which is obsolete on these older phones. However, Firefox is currently unique among browsers: it comes with its own list of trusted root certificates. So anyone installing the latest version of Firefox benefits from an up-to-date list of trusted certificate authorities, even if their operating system is out of date,” according to Hoffman-Andrews.
The notice is also directed at website owners who receive complaints from users, so that they can prepare for the change. Let's Encrypt encourages them to implement an interim solution (switching to the alternate certificate chain) to keep their site up and running while they evaluate what they need for a long-term solution.
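To make the failure mode concrete, here is an added Go example (not Let's Encrypt's own code) that builds a constructed toy PKI with the same shape as the real one: one root key that exists both self-signed and cross-signed by an older root, and a leaf that is checked against a trust store holding only the old root, as an Android phone before 7.1.1 would, first with the default chain, then with the alternate chain, and again after the cross-signed root has expired. All names, keys and dates are constructed, and the functions `issue`, `buildPKI` and `chainsTo` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } }
func day(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

var serial int64

// issue signs a certificate for cn (holding key) with parent/pkey; nil parent = self-signed. Toy PKI, not real certs.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, pkey *ecdsa.PrivateKey, ca bool, notAfter time.Time) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: day(2020, 1, 1), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { parent, pkey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey); check(err)
	c, err := x509.ParseCertificate(der); check(err) // parsing normalises MaxPathLen etc. the way a client sees it
	return c
}

type pki struct{ dst, isrgSelf, isrgCross, r3, leaf *x509.Certificate }

// buildPKI mirrors the Let's Encrypt layout: one ISRG root key, self-signed and also cross-signed by the older DST root.
func buildPKI(dstExpiry time.Time) pki {
	keygen := func() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err); return k }
	dstKey, isrgKey, r3Key, far := keygen(), keygen(), keygen(), day(2035, 1, 1)
	dst := issue("DST Root CA X3 (toy)", dstKey, nil, nil, true, dstExpiry)
	isrgSelf := issue("ISRG Root X1 (toy)", isrgKey, nil, nil, true, far)
	isrgCross := issue("ISRG Root X1 (toy)", isrgKey, dst, dstKey, true, dstExpiry) // same key, different issuer
	r3 := issue("R3 (toy)", r3Key, isrgSelf, isrgKey, true, far)
	return pki{dst, isrgSelf, isrgCross, r3, issue("example.test", keygen(), r3, r3Key, false, far)}
}

// chainsTo reports whether leaf verifies at time at with the served intermediates and the client's roots; Go rejects expired roots.
func chainsTo(leaf *x509.Certificate, inters, roots []*x509.Certificate, at time.Time) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots { opts.Roots.AddCert(c) }
	for _, c := range inters { opts.Intermediates.AddCert(c) }
	_, err := leaf.Verify(opts)
	return err == nil
}

func main() { // old Android store (DST only): default chain, alternate chain, alternate chain after the expiry date given above
	p, at := buildPKI(day(2021, 9, 1)), day(2021, 6, 1) // constructed dates; expiry as stated in the article
	old, alt := []*x509.Certificate{p.dst}, []*x509.Certificate{p.r3, p.isrgCross}
	fmt.Println(chainsTo(p.leaf, alt[:1], old, at), chainsTo(p.leaf, alt, old, at), chainsTo(p.leaf, alt, old, day(2021, 10, 1))) // false true false
}
```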