by Fradow 2628 days ago
Tested on a few tablets my company sells / used to sell:

- FAIL Galaxy Tab 4 7" (SM-T230) Android 4.4.2

- FAIL Galaxy Tab A 7" 2016 (SM-T280) Android 5.1.1

- SUCCESS Galaxy Tab A 9.7" (SM-T550) Android 7.1.1

- SUCCESS Galaxy Tab A 10.1" (SM-T580) Android 8.1.0

I don't have any Android 6 device at hand, but this is consistent with @regecks' statement "On Android, the root was first added in Nougat" (which is Android 7).

This is going to be problematic, as there are still devices currently for sale on Android 5/6 (such as the aforementioned Galaxy Tab A 7", which doesn't have a replacement on some markets).


Tried the test site on a Nexus 7 running Android 6.0.1, Firefox was ok (seems it ships with its own list of roots), but latest Chrome rejected it.

My wife runs a blog which generates substantial income and uses certs from Let's Encrypt. It's a non-tech blog with primarily US readership. Checking stats for this month, 7% of all visitors were using Android 4/5/6 (20% of all Android users). The percentage of users on old Android running Firefox was basically nil. Losing all these users would be very costly.

Hopefully certbot will be modified so it is possible to pick the current intermediate during automatic renewal. If I have to do a manual operation to switch intermediates each time the cert renews (currently done by cronjob) then it is probably safer (operationally speaking) to just buy a cert.

I don't really understand why Let's Encrypt is making this change now. Sure, the current root is expiring "soon", but not until September 2021. Switching roots could be safely pushed off to early 2021 at which point hopefully most of these older Androids would be cycled out.

> a blog which generates substantial income

An SSL cert can be purchased for as low as $6 a year; if this is important to you, try buying one of those.

Isn't that what I said?

Edit: fortunately it looks like certbot plans to support using the old intermediate https://github.com/certbot/certbot/issues/6971 so this should not prove necessary.

As a tip to you/your company: unlike Chrome and most Chrome-based browsers, Firefox for Android has a separate root certificate store and your old devices will still be able to access Letsencrypt websites if you switch browsers.
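The Nexus 7 result above (Firefox accepted the site, Chrome rejected it) and this tip about Firefox's separate root store describe the same mechanism: one served chain, checked against two different trust stores. The Go program below is an added example, not code from the thread, from Let's Encrypt or from any browser. It builds a toy PKI with invented stand-ins for the old root, the new root, an intermediate signed by the new root, and a leaf for the placeholder host blog.example, then runs the standard library's path validation once with a store that holds only the old root (the Android 5 device) and once with a store that holds both (a browser shipping its own list).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that signs for it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue builds a certificate for cn with a fresh P-256 key and signs it with parent
// (nil parent = self-signed root). CAs get cert-signing usage, leaves get serverAuth
// plus a SAN. Key generation and signing only fail on a broken RNG, so the demo panics.
func issue(cn string, serial int64, isCA bool, parent *ca) *ca {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// verify path-builds leaf -> intermediate -> some trusted root for host, which is
// what a TLS client does with the chain the server sends plus its own trust store.
func verify(leaf, inter *x509.Certificate, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err
}

// Result records how the same served chain fares against two trust stores.
type Result struct {
	DeviceStoreOK          bool  // only the old root trusted: the Android 5 device
	DeviceUnknownAuthority bool  // the failure is "unknown authority", not expiry or a name mismatch
	BrowserStoreOK         bool  // old and new roots trusted: Firefox with its own list
	DeviceErr              error // the device-side verification error, for display
}

// Demo builds the toy PKI (all names are invented stand-ins) and runs both checks.
func Demo() Result {
	oldRoot := issue("Old Root (DST Root CA X3 stand-in)", 1, true, nil)
	newRoot := issue("New Root (ISRG Root X1 stand-in)", 2, true, nil)
	inter := issue("Intermediate signed by the new root (stand-in)", 3, true, newRoot)
	leaf := issue("blog.example", 4, false, inter)

	devErr := verify(leaf.cert, inter.cert, []*x509.Certificate{oldRoot.cert}, "blog.example")
	browserErr := verify(leaf.cert, inter.cert, []*x509.Certificate{oldRoot.cert, newRoot.cert}, "blog.example")
	var uae x509.UnknownAuthorityError
	return Result{
		DeviceStoreOK:          devErr == nil,
		DeviceUnknownAuthority: errors.As(devErr, &uae),
		BrowserStoreOK:         browserErr == nil,
		DeviceErr:              devErr,
	}
}

func main() {
	r := Demo()
	fmt.Printf("device store (old root only):  ok=%v  err=%v\n", r.DeviceStoreOK, r.DeviceErr)
	fmt.Printf("browser store (old+new roots): ok=%v\n", r.BrowserStoreOK)
}
```

The leaf and intermediate are identical in both runs; only the root pool differs, and that alone turns a valid chain into an "unknown authority" failure. It also shows why the thread's two remedies work: a browser that ships its own root list is the second pool, and a server that keeps serving a chain up to the old root is a different intermediate, not a different leaf.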

Thank you for the tip.

The issue is not so much about the browser, as I'm an app editor (which happens to also sell tablets with our apps preinstalled to reduce friction). The issue is that apps that rely on the device certificate store aren't going to be able to use https with a server using a Let's Encrypt certificate issued with the new root CA.

Shipping a root certificate store would be (for my scale) a bad practice. I made the mistake of pinning an SSL key in the past, never again (you run into issues when your clients never even connect the device to the internet in 3+ years, and then your updater doesn't work anymore).

Fortunately for me, I don't currently use Let's Encrypt for my API servers, and that news was the last straw to make the boss decide we will stop selling Android 5 devices.

Unfortunately, this means our users who recently bought those devices will have some third-party apps that might be broken starting 9th of July, and some sites will give a scary warning.

- FAIL on a Kindle Fire 7 (which is still for sale new) in Chrome running the latest update from November 2018 [based on Android 5.1.1].

> This is going to be problematic, as there are still devices currently for sale on Android 5/6

If I recall correctly, Android >=5 has pretty decent support for modern crypto (such as TLS 1.2, ECC). So, Android 5/6 could still just work, if the vendor bothers to update the CA root store.

Vendor updates for cheap Android phones? Dream on!

This will indeed be a problem. Many old devices still run fine; outside of a password submission page, is https really worth the hundreds of dollars it would cost to replace my devices? I really don't know why people feel the need to get the latest Android; outside of security, it's just gimmicks.