Letsencrypt certificates may stop working on older devices after 11/1/21

Full story here:

A heads-up that Android devices prior to 7.1.1 may stop working on 1 September 2021 if your self-hosted Central deployment uses letsencrypt certificates.

Thanks Ed. We've just released an update to the tooling to handle this: https://dimagi.github.io/commcare-cloud/changelog/0039-update-letsencrypt-to-alternate-chain.html

I expect there will be a normal announcement of the change soon.

1 Like

Hi Simon,

I think that's just punting the problem to July 2021 when they stop supporting the IdenTrust chain. I'm recommending that my team switch over to other certificate authorities if they have deployments that are known to be on older devices. In some instances they require an additional fee; others are offered for free by the hosting company.

Craig

Hi Craig,

Thanks for mentioning that. You're right that the commcare-cloud change won't be a permanent solution. We are also planning on using the interstitial time to make an update to the CommCare Mobile App which will add the letsencrypt root to the accepted security chain for future requests from the mobile app. There's an example in the OkHttp community of that working, which we'll be building on. That should clear up any HTTPS limitations longer term, but we will need to do a bit more exploration to confirm the timeline on that solution.

As a quick reminder for anyone finding this thread who isn't hosting their own server: This won't affect any devices (regardless of age) using the public clouds (like www.commcarehq.org), since our HTTPS Certs are terminated by a different CA which should remain compatible with all versions of Android.

-Clayton

1 Like
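
The app-side approach mentioned in the post above (trusting the Let's Encrypt root inside the client via OkHttp) can look like the following. This is an added example, not code from this thread or from the CommCare project. It assumes the `okhttp` and `okhttp-tls` 4.x artifacts, a copy of the ISRG Root X1 PEM obtained from letsencrypt.org at the placeholder path `isrg-root-x1.pem`, and a placeholder server URL.

```kotlin
import java.io.File
import java.security.MessageDigest
import java.security.cert.X509Certificate
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.decodeCertificatePem

// Assumption: placeholder path to the root PEM shipped with the app.
const val ROOT_PEM_PATH = "isrg-root-x1.pem"

// SHA-256 of the DER encoding, for comparison with the value the CA publishes.
fun sha256Hex(cert: X509Certificate): String =
    MessageDigest.getInstance("SHA-256").digest(cert.encoded)
        .joinToString("") { "%02x".format(it) }

// Load the bundled root and refuse anything that is not a currently valid,
// self-issued CA certificate (for example a leaf or intermediate bundled by mistake).
fun loadExtraRoot(pemPath: String): X509Certificate {
    val cert = File(pemPath).readText().decodeCertificatePem()
    cert.checkValidity() // throws if expired or not yet valid
    require(cert.subjectX500Principal == cert.issuerX500Principal) {
        "bundled certificate is not self-issued, so it is not a root"
    }
    require(cert.basicConstraints >= 0) { "bundled certificate is not a CA" }
    return cert
}

// Trust the device's own store plus the extra root, so hosts that chain to
// other CAs keep working and only the missing root is added.
fun buildClient(extraRoot: X509Certificate): OkHttpClient {
    val certs = HandshakeCertificates.Builder()
        .addPlatformTrustedCertificates()
        .addTrustedCertificate(extraRoot)
        .build()
    return OkHttpClient.Builder()
        .sslSocketFactory(certs.sslSocketFactory(), certs.trustManager)
        .build()
}

fun main() {
    val root = loadExtraRoot(ROOT_PEM_PATH)
    println("Extra root ${root.subjectX500Principal.name} sha256=${sha256Hex(root)}")
    val client = buildClient(root)
    // Assumption: placeholder URL standing in for a self-hosted server.
    val request = Request.Builder().url("https://central.example.org/").build()
    client.newCall(request).execute().use { println("HTTP ${it.code}") }
}
```

Because the platform store is kept, this only widens trust by the one bundled root; the bundled root still has to be replaced through an app update if the CA ever rotates it.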