Let's Encrypt is switching to a new root certificate - too soon for Android


Update: Transition postponed to July 8, 2020
Due to the insufficient root certificate propagation on Android devices (read more below), Let's Encrypt has postponed the transition by a year.

On April 15, Let's Encrypt announced that they would transition to their ISRG root certificate starting on July 8, 2019.
I found out about this by reading this article, which carefully explains the transition, the reasoning and some background details about it.

Why the switch?

Up to now, Let's Encrypt has relied on the root certificate of IdenTrust, which signed the Let's Encrypt intermediate certificate that in turn signs the certificates Let's Encrypt issues.
That is not unusual for a new CA, because getting a root certificate into every browser, operating system and so on is a long process that takes years. (Read more about this here)

Why now?

At the end of July 2018, Let's Encrypt stated that "Our root is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry."
Now, a year later, they have decided that this was enough time for systems to be updated / patched so that the root certificate is present on all possible devices.

What's the problem on Android?

Android is known for supporting legacy clients for a long time and for missing OS updates (especially on pre-Oreo devices, before Project Treble), so Android developers always tend to have to support legacy and not-updated clients.

The currently accepted minSdk in the Android developer community is 21 (Android 5.0), but we also still have some apps at the company I'm working at (which we are actively supporting / developing) which target SDK 17 (Android 4.2).

So the problem is that the ISRG root certificate was only added as a system-trusted certificate in Android 7.1.1 (see this forum post for a list of sources on supported / unsupported operating systems / devices), which means that the ISRG root certificate is natively supported only on devices running Android 7.1.1 or later.

So what can I do for pre-Android-7-devices?

There are basically two things that can be done here:
  • Add the ISRG root certificate as a trusted certificate within your app
    This can be done either with Android's Network Security Configuration or by adding the certificate through a custom TrustManager, e.g. with OkHttp.
  • Continue to serve certificates from your server with the old intermediate certificate
    This is well described in this article; however, it only defers the problem to March 2021 (or, with another trick, September 2021) at the latest.
    Looking at the timeline of Android versions and at when which Android versions have been considered obsolete (and/or are no longer supported by app developers), it is very unlikely that in September 2021 the minimum supported SDK version will be Android 7.1.1, which means that by then, at the latest, another solution would have to be found.
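As an added example (not code from the original post or from Let's Encrypt), this is one way to implement the first option programmatically: an OkHttpClient whose TrustManager accepts the device's system CAs plus a bundled copy of ISRG Root X1. It assumes the root's PEM file is stored at res/raw/isrg_root_x1.pem (a hypothetical resource name), that the app's generated R class is imported, and that OkHttp 3.x or 4.x is on the classpath.

```java
// Added example: combine the system trust store with a bundled ISRG Root X1 so
// that both the old IdenTrust-rooted chain and the new ISRG-rooted chain validate
// on devices whose system store predates Android 7.1.1.
import android.content.Context;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import okhttp3.OkHttpClient;

// import com.example.app.R;  // the app's own generated R class (placeholder package)

public final class IsrgTrustedClient {

    private IsrgTrustedClient() {}

    /** Returns an OkHttpClient that trusts the system CAs plus the bundled ISRG root. */
    public static OkHttpClient build(Context context) throws Exception {
        X509TrustManager trustManager = trustManagerWithBundledRoot(context);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] {trustManager}, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
                .build();
    }

    /**
     * Builds a KeyStore holding every CA the system already trusts plus the bundled
     * ISRG Root X1, then derives an X509TrustManager from it. Keeping the system CAs
     * means hosts outside Let's Encrypt keep working unchanged.
     */
    static X509TrustManager trustManagerWithBundledRoot(Context context) throws Exception {
        KeyStore combined = KeyStore.getInstance(KeyStore.getDefaultType());
        combined.load(null, null);

        // Copy the system trust anchors into the combined store.
        TrustManagerFactory systemTmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        systemTmf.init((KeyStore) null);
        int index = 0;
        for (TrustManager tm : systemTmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    combined.setCertificateEntry("system-" + index++, ca);
                }
            }
        }

        // Add the bundled ISRG Root X1 (the resource name is an assumption of this example).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = context.getResources().openRawResource(R.raw.isrg_root_x1)) {
            for (Certificate cert : cf.generateCertificates(in)) {
                combined.setCertificateEntry("isrg-" + index++, cert);
            }
        }

        // Derive a TrustManager that validates against the combined store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(combined);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("No X509TrustManager available");
    }
}
```

Keeping the system CAs in the combined store matters: a store holding only ISRG Root X1 cannot build a path for the IdenTrust-signed chain that servers still send today, and every host not using Let's Encrypt would break as well. Two caveats for the declarative alternative the post mentions: Network Security Configuration only exists from Android 7.0 (API 24), so on older devices the programmatic route above is the only option, and whichever route is chosen should be verified on a real pre-7.1.1 device or emulator image against a host that presents the ISRG-rooted chain.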