19 January 2024 Reading time: 2 minutes

Let’s Encrypt reduces its support for Android 7


On February 8, 2024, Let's Encrypt will shorten its certificate trust chain. This will eventually prevent websites with Let's Encrypt SSL from opening on Android 7 devices. Here's what happened, why it matters, and what to do.

Why websites will stop opening

Back in the day, when practically no one had heard of Let's Encrypt, it used a signature from the IdenTrust Certificate Authority. IdenTrust, and thereby sites with Let's Encrypt SSL, were supported by a vast number of devices.

Over time, Let's Encrypt came to be supported by default on many modern devices through its own root certificate.

However, support on older devices was still provided by IdenTrust. However, IdenTrust's root certificate signature expired in 2021. To get around this, Let's Encrypt found a temporary solution – adding a cross-signature. This has allowed certificates to continue to be used on older devices.

The phase-out process

Over the course of 2024, support for the old certificate chain will be phased out:

  • From February 8, 2024, the cross-signed certificate chain will no longer work for automated SSL issuance. However, there will be an option to configure it manually via a configuration file.
  • On June 6, Let's Encrypt will disable the ability to configure the old certificate chain. SSL certificate holders will have a maximum of 90 days left in which it will still work (90 days is the certificate validity period).
  • Support for the old certificate chain will end on September 30, 2024.

Who will be affected by this change

According to the analyst’s data, the new chain will not work on older devices, particularly: Android 7.0 and earlier. Websites on all devices with later versions will most likely continue to work normally because they have a Let's Encrypt root certificate installed.

What to do if you use Let’s Encrypt

For devices running older software, we recommend installing Firefox Mobile. It uses its own trusted certificate storage, so it will trust sites with the updated Let's Encrypt.

If you are a resource administrator and you see in your statistics that you have a lot of users with old versions of software – remind them to install a new browser or update the software. Also, don't forget to check your architecture for legacy elements that may be incompatible with the new Let's Encrypt chain.

Alternatively, the optimal solution is to purchase a commercial certificate from a trusted Certificate Authority. For example, Sectigo certificates will continue to be trusted by both old and new devices. Plus, they're valid for 12 months instead of the three months offered by Let's Encrypt. So if you divide the cost by 12 months of peace of mind and confidence, the price is definitely lower, particularly considering the risk of inaccessibility to you and your customers.