Add *ISRG Root X1* ssl cert
europrimus opened this issue · 4 comments
Hello, let me explain my situation.
My ulogger server uses SSL with Let's Encrypt.
I have an old phone (Android 5.1.1) and the new Let's Encrypt root cert is not present on my device.
The DST Root CA X3 expiration (September 2021) caused "Handshake failure" for me.
In the Android app, I changed the URL of my server from https to http to continue to use synchronization.
A bad idea could be to allow bad certs:
```java
SSLSession session = sslSocket.getSession();
if (!session.isValid() && !allowBadCert) {
    if (Logger.DEBUG) { Log.d(TAG, "[Handshake failure]"); }
    throw new SSLHandshakeException("Handshake failure");
}
```
A better way is to add the new ISRG Root X1 to the trusted certs,
as in that Stack Overflow question.
I don't want to add any trusted certificates to the application. It should be done at the OS level.
In the times before Let's Encrypt I used self-signed certificates and I installed my own CA certificate on the Android devices. You may try to go this way. It should still be possible. Here I found some info on how to do it on Android 5.
Thanks for your reply.
I added the cert to my phone by following the support.google.com instructions.
This way the cert is available for all my apps.