Effect of Let's Encrypt root certificate authority changes on ODK ecosystem?

Thanks for bringing this up, @jpringle. We are hoping that the disruption will be minimal. To summarize:

  • ISRG Root X1 is a Let's Encrypt root and is recognized by Android 7.1.1+
  • DST Root X3 is an IdenTrust root and is recognized more broadly
  • Jan 2021: by default, certs issued by Let's Encrypt will be rooted by ISRG Root X1 but can still use DST Root X3 with a configuration change when requesting a certificate
  • Sept 2021: DST Root X3 will expire so all certs issued by Let's Encrypt will be rooted by ISRG Root X1

Our current plan is to explicitly specify trust for ISRG Root X1 in Collect starting with v1.29. This will allow devices running Android 6+ to connect to any server that uses any certificate issued by Let's Encrypt either before or after the Jan 2021 change. Devices will need to upgrade Collect to benefit from this change. We expect v1.29 to go out early to mid December.

This leaves a question about what to do for Android 5.0 and 5.1. These versions represent about 5% of Collect's active users. We have no way of knowing how many of those currently connect to a server that uses a certificate issued by Let's Encrypt but it's probably not all of them.

Here are some possible answers:

  • Do nothing. It's a relatively small slice of the user base. We can document how users can manually add ISRG Root X1 to Android and that will be recognized by Collect (on Android 5.0 and 5.1)
  • Provide more helpful documentation. Even if it's a small slice of the user base, it's still up to ~45k people. Detect the specific certificate failure and provide a link to explicit guidance for adding the certificate as described above.
  • Programmatically register support for ISRG Root X1 with our HTTP library (okhttp). I don't know exactly what this looks like but it should be possible.

If you use Android 5.0 or 5.1 devices and certificates issued by Let's Encrypt, it would be helpful to hear from you.

As always, any other ideas on how to address this are welcome.
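
One way the "programmatically register support" option above could look, as an added example that is not part of the original post and not Collect's own code: a trust manager that accepts the platform roots plus one extra root, built with standard JSSE classes only. The class name `ExtraRootTrust` and the file name `isrg-root-x1.pem` are assumptions, and the same code works for any additional root.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ExtraRootTrust {
    // First X509TrustManager from a factory initialised with ks (null = platform defaults).
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Platform roots plus one extra root read from a PEM or DER stream.
    static X509TrustManager platformPlus(InputStream extraRoot) throws Exception {
        X509Certificate extra = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(extraRoot);
        extra.checkValidity(); // refuse an expired or not-yet-valid root
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store
        int i = 0;
        for (X509Certificate ca : trustManagerFor(null).getAcceptedIssuers()) {
            ks.setCertificateEntry("platform-" + i++, ca);
        }
        ks.setCertificateEntry("extra-root", extra);
        return trustManagerFor(ks);
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name; an app would ship the root as a bundled resource instead.
        try (InputStream in = Files.newInputStream(Paths.get("isrg-root-x1.pem"))) {
            X509TrustManager tm = platformPlus(in);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] {tm}, null);
            // With OkHttp: new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), tm)
            System.out.println("trusted issuers: " + tm.getAcceptedIssuers().length);
        }
    }
}
```

Copying the platform roots into a private store freezes them at the moment the trust manager is built, so roots added or removed on the device afterwards are not reflected until it is rebuilt.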