Let’s Encrypt will change its root certificate in 2021, which may affect Android users’ access to websites

Let’s Encrypt is the world’s most well-known certificate authority. At present, it is also the world’s most widely used certificate issuance platform. It provides free certificates that run on tens of millions of websites, giving websites and their users encrypted access so that data is not leaked. It is a free project that benefits the entire Internet, and thanks are due to Mozilla and the project’s main sponsors.

However, the project will switch to a new root certificate in the fall of next year. The switch is expected to leave a large number of websites inaccessible to some users. The platform mainly affected is Android, specifically Android 7.1 and below. These systems are not compatible with the root certificate that Let’s Encrypt is about to adopt, so certificate verification fails and users cannot reach the site normally.

The Let’s Encrypt project has not had its own root certificate since it went online in 2015. It has mainly relied on the cross-signature provided by IdenTrust. This cross-signature ensures that certificates chaining to the DST Root X3 root certificate are trusted on all platforms. However, in September 2021, ISRG (the operator of the Let’s Encrypt project) will no longer renew its contract with IdenTrust, and ending the contract means that the cross-signature will also end.

ISRG will launch its own root certificate, ISRG Root X1. With this root certificate, the Let’s Encrypt project will be able to issue trusted certificates itself. Currently, the new root certificate has been accepted by the Windows, Linux, iOS, Android, and Firefox platforms, so these platforms can continue to verify certificates after the switch. For site administrators, the new certificate will be installed when the certificate is automatically renewed, and the change will not affect access for most users.

ISRG did not explain why it will stop cooperating with IdenTrust, but ISRG is now preparing to use its own root certificate, which is a good direction. For a top certificate authority, going a long time without its own root certificate is indeed a problem.

The new certificate prepared by ISRG has been accepted on all platforms. Unfortunately, the Android platform is fragmented: many manufacturers ship modified versions of Android on their devices and do not promptly provide new-version support for them, so a large number of Android devices around the world still run old versions. These old versions are no longer controlled by Google, and device manufacturers are unwilling to invest time and money in releasing updates.

Devices running these older versions of Android also cannot update their built-in root certificate store. Android 7.1 and below will not be compatible with the ISRG Root X1 certificate. This means that after Let’s Encrypt switches certificates next fall, devices running Android 7.1 and below will not be able to access websites that use Let’s Encrypt certificates.

Statistics show that devices running Android 7.1 and below make up about 33.8% of Android devices. ISRG’s survey found that these devices account for between 1 and 5% of website traffic.
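
A site operator can measure the same ratio for their own site from web server access logs. The following Python script is an added example, not part of the original article; the log lines are constructed, and the function names and the assumption that the User-Agent is the last quoted field (combined log format) are illustrative.

```python
import re
from collections import Counter

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Nov/2020:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) Chrome/86.0 Mobile"
198.51.100.8 - - [12/Nov/2020:09:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.1.1; Nexus 6) Chrome/86.0 Mobile"
198.51.100.9 - - [12/Nov/2020:09:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 10; Pixel 3) Chrome/86.0 Mobile"
198.51.100.10 - - [12/Nov/2020:09:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/86.0"
198.51.100.11 - - [12/Nov/2020:09:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0; Moto G) Chrome/80.0 Mobile"
198.51.100.12 - - [12/Nov/2020:09:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4.2; GT-I9505) Chrome/70.0 Mobile"
198.51.100.13 - - [12/Nov/2020:09:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_1 like Mac OS X) Safari/604.1"
198.51.100.14 - - [12/Nov/2020:09:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.1; Example Phone) Chrome/75.0 Mobile"
'''

LAST_AFFECTED = (7, 1)  # cut-off stated in the article: Android 7.1 and below
UA_FIELD = re.compile(r'"([^"]*)"\s*$')        # last quoted field is the User-Agent
ANDROID = re.compile(r'\bAndroid (\d+(?:\.\d+)*)')

def android_version(user_agent):
    """Return the Android version as a tuple, e.g. (7, 1, 1), or None."""
    m = ANDROID.search(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 7.1.0 the same as 7.1
        parts.pop()
    return tuple(parts)

def classify(line):
    """Label one log line: affected, android_ok, other, or unparsed."""
    m = UA_FIELD.search(line)
    if not m:
        return "unparsed"
    version = android_version(m.group(1))
    if version is None:
        return "other"
    return "affected" if version <= LAST_AFFECTED else "android_ok"

def summarize(log_text):
    """Count requests per class and return (counts, affected share of all requests)."""
    counts = Counter(classify(l) for l in log_text.splitlines() if l.strip())
    total = sum(counts.values())
    return counts, (counts["affected"] / total if total else 0.0)

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG)
    print(dict(counts), f"affected share: {share:.1%}")
```

The User-Agent header is supplied by the client, and browsers that ship their own root store are counted too, so treat the result as an upper bound.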