Effect of Let's Encrypt root certificate authority changes on ODK ecosystem?

We asked all of our various country teams what Android versions are in use, and it turns out that one country is using Android 6, and their data collection is starting now and scheduled to last until the end of January or possibly February 2021. So too late to update Collect or purchase new phones. But there is a solution!

We are modifying the behavior of certbot in order to keep cross signing with DST Root CA X3 until at least July 2021. The instructions are at https://community.letsencrypt.org/t/certbot-users-preparing-for-the-isrg-root-transition-january-11-2021/138059 (I'll refer to this as the "Let's Encrypt notice" later) and I will relay what I have learned here.

First: we are using Digital Ocean and ODK Aggregate (I promise we will upgrade to Central for the next wave of data collection!). So we followed https://docs.getodk.org/aggregate-digital-ocean/ exactly. Including the cloud config script. The certbot commands from the cloud config script from when we installed the server way back:

add-apt-repository -y ppa:certbot/certbot    # add the certbot PPA
apt-get -y update
apt-get -y install python-certbot-nginx      # certbot plus the nginx plugin
# monthly renewal job, logging to /var/log/letsencrypt/letsencrypt.log
(crontab -l 2>/dev/null; echo "0 0 1 * * /usr/bin/certbot renew > /var/log/letsencrypt/letsencrypt.log") | crontab -

When I ssh'd into the machine and ran certbot --version, I got in response: certbot 0.31.0, and according to the Let's Encrypt notice, I need v1.6.0 or newer.

I tried the default for upgrading installed software: apt-get update && apt-get upgrade but that did not upgrade certbot, so I followed the instructions (linked in the Let's Encrypt notice) at https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx (the Digital Ocean droplet is running Ubuntu 18.04 Bionic). This method installs certbot as a snap using the snap package repository. My Ubuntu came with snap already installed!

First, uninstall certbot:

apt-get remove certbot

That also removed python-certbot-nginx and python3-certbot-nginx, so I made a note to check this at the end of installation.

Second, install certbot with snap:

snap install --classic certbot

Third, make a link so that we can run certbot from the old location:

ln -s /snap/bin/certbot /usr/bin/certbot

Finally, check the version and do a dry run of a renewal:

certbot --version           # Result: certbot 1.9.0
certbot renew --dry-run

And from the output of the dry run:

...
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
...

it appears that this new certbot knows about the connection to nginx.

Now that certbot is updated, it is able to do the desired certificate continuing from January 2021. The last step is to add a line to /etc/letsencrypt/cli.ini so that we activate that functionality. So I added

preferred-chain = DST Root CA X3

to that file.

I hope this works for me! I'll report back if anything unexpected comes up.

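As an added example (not part of the post above, and not an ODK or Let's Encrypt script), here is a small POSIX shell helper that turns the two checks from this procedure into reusable functions: confirming the installed certbot meets the 1.6.0 minimum named in the Let's Encrypt notice, and adding the preferred-chain line to cli.ini only if it is not already there, so re-running it after a later upgrade does not duplicate the line. It assumes certbot is on PATH and that GNU sort (for sort -V) is available, as it is on Ubuntu 18.04; the file path is passed in so it can be tried against a scratch file first.

```shell
#!/bin/sh
# Added helper (not from the original post). Assumptions: certbot is on PATH,
# GNU sort -V is available, and 1.6.0 is the minimum version from the notice.

# version_ge A B -> succeeds when dotted version A is >= B
version_ge() {
    # sort -V orders versions; if B sorts first (or is equal), A >= B
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# certbot_version_ok [VERSION] -> checks the installed certbot (or the
# version string given, handy for testing) against the 1.6.0 minimum.
# certbot prints "certbot X.Y.Z"; older builds wrote it to stderr, hence 2>&1.
certbot_version_ok() {
    v="${1:-$(certbot --version 2>&1 | awk '{print $2}')}"
    version_ge "$v" "1.6.0"
}

# ensure_preferred_chain FILE -> appends the preferred-chain line exactly once
ensure_preferred_chain() {
    f="$1"
    mkdir -p "$(dirname "$f")"
    touch "$f"
    if grep -q '^preferred-chain *= *DST Root CA X3$' "$f"; then
        return 0    # already configured, nothing to do
    fi
    printf 'preferred-chain = DST Root CA X3\n' >> "$f"
}

# count_preferred_chain FILE -> how many preferred-chain lines exist (want 1)
count_preferred_chain() {
    grep -c '^preferred-chain' "$1" || true
}

# Usage on the server (run as root), after the snap install from the post:
#   certbot_version_ok || { echo "certbot too old"; exit 1; }
#   ensure_preferred_chain /etc/letsencrypt/cli.ini
#   certbot renew --dry-run
```

The dry run at the end is the same check the post uses; once the line is in cli.ini it confirms the renewal still selects the nginx plugin and now honours the preferred chain.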