Let’s Encrypt has announced that a root certificate its service uses, that was provided by IdenTrust, is set to expire on September 1, 2021. Let’s Encrypt is ready for the expiration with its own root certificate called ISRG Root X1 and it’s supported on many devices, but there is a problem.
Unfortunately, due to Android’s dire update situation, millions of devices running Android versions below 7.1.1 will not be able to connect to websites using Let’s Encrypt certificates. Not only will this affect websites you navigate to in your web browser but apps that connect to a website to pull data won’t be able to connect either.
To help mitigate the problem, Let’s Encrypt is going to make it possible to serve an alternate certificate chain that leads to the old root certificate to boost compatibility. This will be a temporary solution for site admins who, in the longer term, will be able to display a banner asking older Android users to switch to Firefox Mobile (which updates certificates independent of Android), stop supporting older Android versions, drop back to HTTP for older devices, or switch to a Certificate Authority (CA) that’s installed on older devices.
Let’s Encrypt recommends that those on older Android devices should install Firefox Mobile. As mentioned earlier, Firefox comes with its own list of trusted root certificates; this will allow sites to continue working after the old root certificate expires next year.