Starting January 21, 2021 and ending September 1, 2021, sites using TLS/SSL certificates issued by ISRG‘s Let’s Encrypt service will be transitioning to a certificate chain based on the ISRG Root X1 certificate instead of IdenTrust‘s DST Root X3. After the DST Root X3 certificate expiry on September 30, 2021, it will no longer be usable to bootstrap ISRG in legacy trusted root certificate stores.
This affects Android prior to 7.1.1.
Developers of Android apps can use Network Security Configuration to enable their apps to be compatible with sites using Let’s Encrypt after January 21, 2021.
android:networkSecurityConfig="@xml/network_security_config"as an attribute of the
- Create a
res/xml/network_security_config.xmlfile with the following contents:
<?xml version="1.0" encoding="utf-8"?>
<certificates src="@raw/isrg_root_x2" />
<certificates src="@raw/isrg_root_x1" />
<certificates src="system" />
- Download ISRG Root X1 and store it in
- Download ISRG Root X2 and store it in
- If your app connects over cleartext in addition to TLS, change
Instead of adding ISRG’s roots to the existing system root store, you may be considering replacing it entirely with an up-to-date root store such as Mozilla Firefox‘s or Google Chrome’s upcoming root store. Use caution — browser root store programs implement additional controls through custom certificate verification code which will not be implementable using a Network Security Configuration.
- Network Security Configuration may only fully work with Android 7.0+. Fortunately for me, Android Nougat 7.0 is the oldest version of Android supported by the apps I’m actively involved in maintaining.
- Let’s Encrypt’s blog post indicates a DST Root X3 expiration date of September 1, 2021 instead of September 30, 2021. This may indicate the last date for which a cross-signature has been arranged, or it may be due to an error.