Let's Encrypt Root Certificate change affecting Android Users

Last updated: January 6th 2021

Introduction

IMPORTANT: THE INFORMATION IN THIS DOCUMENT IS NO LONGER RELEVANT AS LET'S ENCRYPT HAS FOUND A WAY TO SUPPORT OLDER ANDROID DEVICES AFTER ALL.

Beginning January 11, 2021 all new Let's Encrypt certificates and renewals of old certificates will by default receive the new Let's Encrypt Root Certificate instead of the old DST Root CA.

This means that users on Android 7.1 or earlier (about 33.8% of all Android users) will then start receiving certificate errors when visiting your website or application.

Read all about why this change is happening and why there is a problem with Android users and this new Root Certificate here.

All new Certificates issued by Let's Encrypt through Webdock will use the new Root Certificate

By default all new Certificates and all existing certificates being renewed after January 11th (certificates renew every 90 days or so) will receive the new Root Certificate automatically.

You can postpone the inevitable by re-issuing your Certificate

If your user base has a lot of users on older Android versions, you can postpone this certificate change by re-issuing your certificate with a special command line option. With this option, Let's Encrypt Certbot on your server will use the old DST Root CA for renewals until that old Root Certificate expires on September 1st 2021.

After that point Certbot will start renewing certificates with the new Root Certificate automatically.

You need to do this manually with a Shell (SSH) user

Unfortunately, as of now Webdock stacks have installed Certbot using apt, and the apt version of Certbot is stuck on v. 0.40.0, which is rather old; the new command line option you need was not implemented until v1.06.0.

For that reason, in order to pin your Certificates to the old root cert you need to remove the apt version of Certbot and reinstall it using snap. The steps are as follows:

Before you begin, check that you are running an old Certbot version

sudo certbot --version

If the version number is lower than v1.06.0 you need to continue with the re-installation of Certbot; otherwise skip ahead to the forced renewal of your Certificate below.

Remove the apt version of Certbot

sudo apt remove -y certbot python3-certbot-nginx python3-certbot-apache

Install the snap version of Certbot

sudo snap install --classic certbot

Link in the Certbot binary

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Now forcefully renew your Certificate, using the old Chain as your preferred chain:

sudo certbot renew --force-renewal --preferred-chain "DST Root CA X3"

Update your Crontab entry by executing

sudo crontab -e

and tell Certbot renew to use the old Chain by changing:

15 0 * * * /usr/bin/certbot renew

To

15 0 * * * /usr/bin/certbot renew --preferred-chain "DST Root CA X3"

Congratulations - your Certificates will now be issued with the old Root Cert until September 1st 2021 after which point they will use the new Let's Encrypt Root Cert.
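To check the two things this procedure depends on, here is an added helper script (ours, not part of the Webdock article or of Certbot): it parses the output of certbot --version to decide whether the installed Certbot is older than the release that introduced --preferred-chain, and it reports which root the chain in /etc/letsencrypt/live/<domain>/chain.pem leads to. It assumes certbot and openssl are on PATH and Certbot's default directory layout; the script and function names are ours.

```shell
#!/bin/sh
# Added example (ours, not from the Webdock article or Certbot). Assumes certbot
# and openssl are on PATH and certificates live under Certbot's default
# /etc/letsencrypt/live/<domain>/. Function names are ours.

REQUIRED_VERSION="1.6.0"   # Certbot release that added --preferred-chain

# version_lt A B: succeed when dotted version A is lower than B, comparing
# component by component so 1.10.0 ranks above 1.6.0 (string compare would not).
version_lt() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i" | tr -dc '0-9')
        y=$(printf '%s.' "$2" | cut -d. -f"$i" | tr -dc '0-9')
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# certbot_needs_reinstall "<output of certbot --version>": succeed when the
# version shown is too old for --preferred-chain; status 2 if unparseable.
certbot_needs_reinstall() {
    v=$(printf '%s' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || { echo "unrecognised version output: $1" >&2; return 2; }
    version_lt "$v" "$REQUIRED_VERSION"
}

# chain_root_of DOMAIN: print the issuer of the last certificate in Certbot's
# chain.pem, i.e. the root the served chain is built on. Expect
# "DST Root CA X3" while pinned and "ISRG Root X1" after the switch.
chain_root_of() {
    chain="/etc/letsencrypt/live/$1/chain.pem"
    [ -r "$chain" ] || { echo "no readable chain at $chain" >&2; return 1; }
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$chain" | openssl x509 -noout -issuer
}

# Run the checks only when a domain is given: sh check_chain.sh example.com
if [ $# -gt 0 ]; then
    if certbot_needs_reinstall "$(certbot --version 2>&1)"; then
        echo "Certbot is too old for --preferred-chain: reinstall it from snap first"
    else
        echo "Certbot supports --preferred-chain"
    fi
    echo "Chain root for $1: $(chain_root_of "$1")"
fi
```

Run it after the forced renewal and again after the first cron-driven renewal; the reported issuer should read DST Root CA X3 until the pin expires.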

We had not realized that the apt version of Certbot was so far behind, so for that reason we will switch all stacks over to the Snap version of Certbot in our next Stack upgrade. This will not help users with existing servers on Webdock however.

We can help you with this ...

If your server is using a Webdock stack, you do not have the skills to carry out the operation above, and you really want to support all Android users for as long as possible, get in touch with Webdock Support and we can perform the operation for you.