Install LetsEncrypt X1 Root on a rooted device

From 8th February 2024 (a date previously announced as 8th July 2020 and then 11th January 2021), Let’s Encrypt will begin serving certificates which may break compatibility with older Android devices (likely Android versions older than Android 7.1.1).

It’s hard to be specific about which devices will be affected as each device manufacturer controls which root certificates are trusted at firmware build time.

You can test if your device already supports the Let’s Encrypt X1 root CA by visiting https://valid-isrgrootx1.letsencrypt.org in the built-in “Browser” app on your device. Do not use Chrome or Firefox for this test.

If you receive a certificate warning then you need to add the X1 root to your device’s list of trusted CAs.

DSCS9X or DSCS95

The DSCS9X and DSCS95 both already support the Let’s Encrypt X1 root and do not need any update.

DSCS9

Android 7.1.2

The DSCS9 running Android 7 already supports the Let’s Encrypt X1 root.

Android 6.0.1

There are three options available to you.

The first option is to upgrade to Xibo for Android 2R207 or later, which can install the Let’s Encrypt X1 root for you on a rooted device. You can trigger that by going to the Settings menu inside Xibo for Android, and selecting “Check that the LetsEncrypt Root CA”. It will install the certificate if it’s needed. You can also trigger this from the CMS by defining a command to be run with installCert as the command string.

The second option is to upgrade your DSCS9 to Android 7.1.2.

If you prefer to remain on Android 6, and don’t want to upgrade to XfA 2R207 or later, then alternatively you can import the Let’s Encrypt X1 Root CA by following the instructions in the Rooted Devices section below.

You can download Root Certificate Manager via APKPure here: https://apkpure.com/root-certificate-manager-root/net.jolivier.cert.Importer

Non-Rooted Devices

It is possible to add a new CA to a non-rooted device.
See Android SSL Support

You can download a copy of the Let’s Encrypt X1 root CA here:
https://letsencrypt.org/certs/isrgrootx1.pem

That means setting a lock screen on the device, so the device will need to be unlocked after every reboot. Unfortunately that’s a limitation of the Android OS and cannot be worked around on a device which is not rooted.

Rooted Devices

Using an App

The easiest way to add the Let’s Encrypt root is to use the Root Certificate Manager (ROOT) app from the Google Play store.

It will allow you to import the CA pem file from the SD card.
You can download a copy of the Let’s Encrypt X1 root CA here:
https://letsencrypt.org/certs/isrgrootx1.pem

Save that to your device’s storage, and then use Root Certificate Manager to import it.

Using the command line

If you have command line access to your Android devices, then you can install the Let’s Encrypt X1 root on your device that way. This was tested on an Android 6.0.1 DSCS9. It has not been tested on other devices so proceed with caution if you are not using a DSCS9.

Ensure you have a superuser shell. That’s normally achieved by typing su
Download the following file and store it somewhere on the device. I’ll assume /storage/sdcard0/Downloads but you can substitute the correct path into the commands.
https://letsencrypt.org/certs/isrgrootx1.pem.txt

Then run the following:

mkdir -p /data/misc/user/0/cacerts-added
mv /storage/sdcard0/Downloads/isrgrootx1.pem.txt /data/misc/user/0/cacerts-added/6187b673.0
chown system.system /data/misc/user/0/cacerts-added/6187b673.0
chmod 644 /data/misc/user/0/cacerts-added/6187b673.0
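The commands above store the certificate as 6187b673.0 without saying where that name comes from: Android looks up CA files by the legacy (MD5-based) OpenSSL subject hash of the certificate. The following is an added example, not part of the original instructions or of Xibo's code, that recomputes that name and a SHA-256 fingerprint from the downloaded file on a workstation with Python 3, so the file can be checked before it is made trusted; the function names are illustrative.

```python
import base64, hashlib, re, sys

EXPECTED_NAME = "6187b673.0"  # file name used in the commands on this page

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block found in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def subject_der(der):
    """Return the subject Name exactly as encoded, header included."""
    tag, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    _, pos, _ = read_tlv(der, pos)            # step into tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                           # optional [0] version field
        pos = end
    for _field in range(4):                   # serial, sigAlg, issuer, validity
        pos = read_tlv(der, pos)[2]
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subject Name not found")
    return der[pos:end]

def android_cacert_name(pem_text):
    """MD5 of the subject, first 4 bytes little-endian, plus '.0'."""
    digest = hashlib.md5(subject_der(pem_to_der(pem_text))).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def sha256_fingerprint(pem_text):
    """Fingerprint to compare with the value the CA publishes."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()

if __name__ == "__main__":
    text = open(sys.argv[1]).read()           # e.g. isrgrootx1.pem
    name = android_cacert_name(text)
    print("store file name :", name)
    print("sha256          :", sha256_fingerprint(text))
    sys.exit(0 if name == EXPECTED_NAME else "name mismatch: do not install")
```

Running `openssl x509 -noout -subject_hash_old -in isrgrootx1.pem` prints the same eight hex digits, and the SHA-256 value should be compared with the fingerprint Let’s Encrypt publishes for ISRG Root X1.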