Thanks for bringing this up, @jpringle. We are hoping that the disruption will be minimal. To summarize:

- `ISRG Root X1` is Let's Encrypt's root and is recognized by Android 7.1.1+
- `DST Root X3` is an IdenTrust root and is recognized more broadly
- Jan 2021: by default, certs issued by Let's Encrypt will be rooted by `ISRG Root X1` but can still use `DST Root X3` with a configuration change when requesting a certificate
- Sept 2021: `DST Root X3` will expire so all certs issued by Let's Encrypt will be rooted by `ISRG Root X1`
Our current plan is to explicitly specify trust for `ISRG Root X1` in Collect starting with v1.29. This will allow devices running Android 6+ to connect to any server that uses any certificate issued by Let's Encrypt either before or after the Jan 2021 change. Devices will need to upgrade Collect to benefit from this change. We expect v1.29 to go out early to mid December.
This leaves a question about what to do for Android 5.0 and 5.1. These versions represent about 5% of Collect's active users. We have no way of knowing how many of those currently connect to a server that uses a certificate issued by Let's Encrypt but it's probably not all of them.
Here are some possible answers:
- Do nothing. It's a relatively small slice of the user base. We can document how users can manually add `ISRG Root X1` to Android and that will be recognized by Collect (on Android 5.0 and 5.1)
- Provide more helpful documentation. Even if it's a small slice of the user base, it's still up to ~45k people. Detect the specific certificate failure and provide a link to explicit guidance for adding the certificate as described above.
- Programmatically register support for `ISRG Root X1` with our HTTP library (okhttp). I don't know exactly what this looks like but it should be possible.
If you use Android 5.0 or 5.1 devices and certificates issued by Let's Encrypt, it would be helpful to hear from you.
As always, any other ideas on how to address this are welcome.
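What the third option could look like in practice, as an added example written for this thread and not code from Collect or from the OkHttp project: an `OkHttpClient` whose trust manager accepts a server chain if either the device's own trust store or an extra `ISRG Root X1` certificate validates it, so the same client keeps working against servers that still chain to `DST Root X3`. It assumes the app bundles a PEM copy of `ISRG Root X1` (fetched from letsencrypt.org and fingerprint-checked before bundling; the certificate bytes are not reproduced here) and hands it in as an `InputStream`; the class, method and resource names are hypothetical, and it targets OkHttp 3.x/4.x where `sslSocketFactory(SSLSocketFactory, X509TrustManager)` exists.

```java
// Added example, not ODK Collect's or OkHttp's own code. Trusts ISRG Root X1 in
// addition to the platform roots, for Android 5.0/5.1 where that root is missing.
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

public final class IsrgRootX1Trust {

    // RFC 2253 subject of ISRG Root X1. Checked so a wrong file shipped in the APK
    // fails loudly instead of silently adding an unintended root to the trust set.
    private static final String EXPECTED_SUBJECT =
            "CN=ISRG Root X1,O=Internet Security Research Group,C=US";

    private IsrgRootX1Trust() {}

    /**
     * Builds a client that trusts the platform roots plus the root read from rootPem.
     * Hypothetical call site: clientTrustingExtraRoot(res.openRawResource(R.raw.isrg_root_x1))
     */
    public static OkHttpClient clientTrustingExtraRoot(InputStream rootPem)
            throws IOException, GeneralSecurityException {
        X509Certificate root;
        try (InputStream in = rootPem) {
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        if (!EXPECTED_SUBJECT.equals(root.getSubjectX500Principal().getName())) {
            throw new CertificateException("bundled root is not ISRG Root X1: "
                    + root.getSubjectX500Principal().getName());
        }
        root.checkValidity(); // refuse an expired or not-yet-valid bundled root

        // Trust manager over the device's own store (null KeyStore = platform default).
        X509TrustManager platform = firstX509(null);

        // Trust manager over a one-entry store holding only the extra root.
        KeyStore extraStore = KeyStore.getInstance(KeyStore.getDefaultType());
        extraStore.load(null, null);
        extraStore.setCertificateEntry("isrg-root-x1", root);
        X509TrustManager extra = firstX509(extraStore);

        X509TrustManager composite = new EitherTrustManager(platform, extra);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite }, null);

        // Hostname verification stays at OkHttp's default; only the trust anchors change.
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), composite)
                .build();
    }

    private static X509TrustManager firstX509(KeyStore store) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** Accepts a server chain if the platform store or the extra root validates it. */
    private static final class EitherTrustManager implements X509TrustManager {
        private final X509TrustManager platform;
        private final X509TrustManager extra;

        EitherTrustManager(X509TrustManager platform, X509TrustManager extra) {
            this.platform = platform;
            this.extra = extra;
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                platform.checkServerTrusted(chain, authType); // e.g. chain to DST Root X3
            } catch (CertificateException platformFailure) {
                try {
                    extra.checkServerTrusted(chain, authType);   // e.g. chain to ISRG Root X1
                } catch (CertificateException ignored) {
                    throw platformFailure; // surface the platform's reason to the caller
                }
            }
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platform.checkClientTrusted(chain, authType); // unchanged: no extra client roots
        }

        @Override public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>(Arrays.asList(platform.getAcceptedIssuers()));
            all.addAll(Arrays.asList(extra.getAcceptedIssuers()));
            return all.toArray(new X509Certificate[0]);
        }
    }
}
```

The fallback order matters: the platform store is consulted first so behaviour on Android 6+ (where `ISRG Root X1` is already trusted system-wide or the app declares it) is unchanged, and the extra root only comes into play for chains the device cannot validate on its own. The subject check and `checkValidity()` are the two things a reviewer would want to see before accepting a bundled root into the trust set.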