23 December 2020 Update: Let’s Encrypt decided this wasn’t a smart idea, and extended the expiration date until 2024. So, for this immediate scenario, these instructions are no longer necessary. However, I will leave them up for people who are interested in the details of how to add a certificate authority to Android.
On January 11, 2021, Let’s Encrypt will begin issuing certificates that are not cross signed by any other CA by default. This is a good move, but it does cause some consternation for older version of Android.
Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.
Don’t even get me started about how hard it is to get modern versions of Android onto older hardware that is otherwise still perfectly good.
In the article, Let’s Encrypt mentions a number of mitigations for this problem, including the following:
If you’re on an older version of Android, we recommend you install Firefox Mobile, which supports Android 5.0 and above as of the time of writing.
That works because Firefox ships their own list of trusted certificate authorities inside their app. Curiously, they failed to mention that users can also just import the ISRG Root X1 certificate into the trusted store of their OS, which will fix the problem for all browsers, including Privacy Browser. (Note, as pointed out in the comments below, this only works for all apps by default on Android < 7.0. For Android 7.0 and 7.1, this only works for apps that chose to trust user certificates.)
The following screenshots are from my Nexus 4, running Android 5.1.1 (API 21), but the process should be reasonably similar on other devices.
Download the ISRG Root X1 certificate to your device from Let’s Encrypt. You can do this from Privacy Browser by loading the link and then tapping Options > Page > Save > Save URL.
Android expects the file to end with a .pem
. The default file name will be isrgrootx1.pem.txt
, so you will need to change it to be something like isrgrootx1.pem
.
Navigate to the Android OS Settings > Security > Install Certificates From Storage.
If not already enabled, tap Options > Show Internal Storage.
You now have an entry for Internal Storage in the navigation menu on the left. Why this isn’t enabled by default I will never understand. Also, why you can’t just use the Downloads folder entry that is also on the left I will also never understand. But for some reason, on certain versions of Android you cannot import it from there even though the file is listed. You must get it from Internal Storage. (Actually, I do know why, and it has to do with the Downloads entry not providing the real file name in the returned data, but rather a random serial number that is translated into the file name in a convoluted process. Whereas the Internal Storage interface just returns the true file name.)
After choosing Internal Storage, select the Download folder.
Name the certificate. The name is just for you to recognize, so it doesn’t matter what it is. (Also, Android, at least version 5.1.1, appears to completely ignore the name you chose and never displays it anywhere ever again.) Make sure the credential use is set to VPN and Apps, which should be selected as the default.
Android warns you that installing a compromised certificate authority is bad news. This message will pop up every time the device is rebooted. Luckily, Let’s Encrypt is fairly trustworthy.
Note that when you do this Android will force you to set a PIN, pattern, or password to unlock your device.
Let’s Encrypt has a test site you can use to check if the certificate is correctly installed.
5 responses to “Let’s Encrypt ISRG Root X1 and Privacy Browser”
I’ve just tested this on my Android 5.1.1 phone and it worked great. After/before you installed ISRG Root X1 certificate you can check validity here:
https://valid-isrgrootx1.letsencrypt.org/
One little thing we should mention, Android 7.0 won’t accept user/admin added CAs as trusted:
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
Technically this won’t affect most of us because it is bonded to API level 24. If you use an app that works on older android versions (lower API level than 24) it won’t matter if you’re on Android 7.0 the app will work.
Thanks. I didn’t know about the user CA trust change with API 24. I have added a note to the post above as well as your link to the ISRG Root X1 test page.
I have also changed Privacy Browser to trust user added CAs on all APIs, which will be part of the upcoming 3.6 release. https://redmine.stoutner.com/issues/636
[…] that the user is the ultimate authority on their own device. It is also important for trusting the Let’s Encrypt root certificate on older […]
Great tutorial, many thanks. However one thing was confused me which is, as you know ISRG ROOT X1 is supposed to be valid until year 2035, but before installing, when I visit test page “https://valid-isrgrootx1.letsencrypt.org” I see that the certificate (named R3) is valid until September 2025, and not 2035. Why is that and am is missing something wrong?
Best regards,
Onur
R3 is the intermediate certificate issues by X1. You can see detailed information about it under the Certification Paths sections of https://www.ssllabs.com/ssltest/analyze.html?d=valid-isrgrootx1.letsencrypt.org.