Latest Update 2020-12-21
Let's Encrypt has obtained a 3-year cross-sign for its new root ISRG Root X1 and has called off the chain switch planned for January 2021. From the announcement:
We’re happy to announce that we have developed a way for older Android
devices to retain their ability to visit sites that use Let’s Encrypt
certificates after our cross-signed intermediates expire. We are no
longer planning any changes in January that may cause compatibility
issues for Let’s Encrypt subscribers.
A recurring theme in our posts about our upcoming chain switch has
been our concern over the effects on users of Android operating
systems prior to 7.1.1, whose devices don’t trust our ISRG Root X1.
Thanks to some innovative thinking from our community and our
wonderful partners at IdenTrust, we now have a solution that allows us
to maintain wide compatibility. Critical to our mission as a nonprofit
is to help create a more secure and privacy-respecting Web for as many
people as possible. This work brings us closer to that goal.
IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1
from their DST Root CA X3. The new cross-sign will be somewhat novel
because it extends beyond the expiration of DST Root CA X3. This
solution works because Android intentionally does not enforce the
expiration dates of certificates used as trust anchors. ISRG and
IdenTrust reached out to our auditors and root programs to review this
plan and ensure there weren’t any compliance concerns.
As such, we will be able to provide subscribers with a chain which
contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted
service to all users and avoiding the potential breakage we have been
concerned about.
We will not be performing our previously-planned chain switch on
January 11th, 2021. Instead, we will be switching to provide this new
chain by default in late January or early February. The transition
should have no impact on Let’s Encrypt subscribers, much like our
switch to our R3 intermediate earlier this month.
(Quoted from the Let's Encrypt announcement "Extending Android Device Compatibility for Let's Encrypt Certificates".)
Installing new Let's Encrypt root CA certificates
If your device is running Android 5 or earlier, or is rooted, you can install the missing root CA certificates yourself. As far as I know the following two certificates have to be added: ISRG Root X1 (isrgrootx1.pem) and ISRG Root X2 (isrg-root-x2.pem), both available from https://letsencrypt.org/certificates/.
On Android 5 and earlier you can simply install them as "user certificates". Note that Android then forces you to protect the device with a lock screen (pattern, PIN or password). User certificates are sufficient on these versions because apps still trust the user store; from Android 7 on, apps trust only the system store by default, which is why the rooted-device variants below move the certificates there.
Older rooted devices
On older Android devices that are rooted you can add the new Let's Encrypt root CA certificates to the system certificate store /system/etc/security/cacerts.bks (a BouncyCastle keystore used by Android versions before 4.0).
To do so, copy this file to a computer, use KeyStore Explorer to add the Let's Encrypt root CA certificate files and save it. Then write the modified cacerts.bks back to your Android device.
Newer rooted devices
On newer rooted devices the easiest way, if the device is rooted via Magisk, is to install the two certificates as user certificates and then move them to the system store using the Magisk module "Move Certificates".
If Magisk and the mentioned module are not available you can still install the certificates as user certificates and move them manually to the system store: on Android 7 and later, user certificates are stored as <hash>.0 files in /data/misc/user/0/cacerts-added/, and the system store is the directory /system/etc/security/cacerts/, which has to be remounted read-write first.
The installation process is very similar to the one shown in the installation tutorial for the mitmproxy root CA certificate.
Android names each file in the system store after the "old" OpenSSL subject hash of the certificate, followed by ".0". The following commands show how to compute these hash values for the two Let's Encrypt root certificates:
openssl x509 -inform PEM -subject_hash_old -in isrgrootx1.pem | head -1
6187b673
openssl x509 -inform PEM -subject_hash_old -in isrg-root-x2.pem | head -1
8794b4e3
Also make sure that the copied certificate file has the correct permissions:
chmod 644 /system/etc/security/cacerts/6187b673.0
chmod 644 /system/etc/security/cacerts/8794b4e3.0
Once you have installed the certificates you should be able to browse (without a security warning) to the following location: https://valid-isrgrootx1.letsencrypt.org/
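The manual variant described above (copy the user certificates into the system store, fix permissions, check that both hashes are present), as an added example script that is not part of the original page. It assumes a rooted device where the script runs as root (for example in adb shell followed by su), that /system can be remounted read-write, and that the user store lives at the Android 7+ path /data/misc/user/0/cacerts-added/; all of these are assumptions about the device, not facts from the page. The ROOT variable is an addition for exercising the logic against a scratch directory without a device.

```sh
#!/bin/sh
# Added example, not code from the original page: move user-installed CA
# certificates into the system trust store of a rooted Android device.
#
# Assumptions (not stated on the page): the script runs as root, e.g. in
# `adb shell` followed by `su`; /system can be remounted read-write; the
# user store is the Android 7+ path /data/misc/user/0/cacerts-added.
# Setting ROOT to a scratch directory points all paths there so the logic
# can be exercised without a device (mount/chown/chcon are then skipped).

root_dir() { printf '%s' "${ROOT:-}"; }
user_store() { printf '%s/data/misc/user/0/cacerts-added' "$(root_dir)"; }
system_store() { printf '%s/system/etc/security/cacerts' "$(root_dir)"; }

# File name Android expects for a PEM certificate: <subject_hash_old>.0
# (for isrgrootx1.pem this prints 6187b673.0, the value shown on the page).
cert_filename() {
    printf '%s.0\n' "$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1")"
}

# Copy each user-installed certificate into the system store with the
# permissions the system store requires. Prints the number of files added;
# files that are already present are skipped, so the function is idempotent.
install_user_certs() {
    src=$(user_store)
    dst=$(system_store)
    count=0
    for f in "$src"/*.0; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -e "$dst/$name" ]; then
            echo "skip $name: already present in $dst" >&2
            continue
        fi
        cp "$f" "$dst/$name"
        chmod 644 "$dst/$name"
        if [ -z "$(root_dir)" ]; then
            # Real device: files under /system are owned by root and carry
            # the system_file SELinux label; a plain cp from /data may not.
            chown root:root "$dst/$name"
            chcon u:object_r:system_file:s0 "$dst/$name"
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Exit status 0 when every given hash (e.g. 6187b673 8794b4e3) is in the
# system store, 1 otherwise.
verify_installed() {
    dst=$(system_store)
    for h in "$@"; do
        [ -f "$dst/$h.0" ] || return 1
    done
    return 0
}

# Full procedure on a device: remount, copy, remount read-only, verify.
main() {
    mount -o rw,remount /system
    n=$(install_user_certs)
    echo "installed $n certificate(s) into $(system_store)"
    mount -o ro,remount /system
    if verify_installed 6187b673 8794b4e3; then
        echo "ISRG Root X1 and ISRG Root X2 are in the system store"
    else
        echo "at least one Let's Encrypt root is missing" >&2
        exit 1
    fi
}

# Run the device procedure only when asked, so sourcing the file is harmless.
if [ "${1:-}" = "install" ]; then main; fi
```

Invoke it on the device as `sh move-certs.sh install` after the two certificates have been installed as user certificates; the file names it expects (6187b673.0 and 8794b4e3.0) are exactly the subject_hash_old values computed above. Afterwards the check is the same as for the other variants: https://valid-isrgrootx1.letsencrypt.org/ should load without a warning.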