Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address issue that letsencrypt certs will no longer be working on pre Android 7.1 devices #1277

Closed
simonpoole opened this issue Nov 7, 2020 · 9 comments · Fixed by #2577
Closed

Address issue that letsencrypt certs will no longer be working on pre Android 7.1 devices #1277

simonpoole opened this issue Nov 7, 2020 · 9 comments · Fixed by #2577
Labels
Medium Task
Projects
Planning

Comments

@simonpoole
Copy link
Collaborator

simonpoole commented Nov 7, 2020
edited
Loading

See https://letsencrypt.org/2020/11/06/own-two-feet.html

This will effect access to the OSM API (except if they spend some funds on getting certs from somewhere else) and, less important, to the crash reporting and other secondary sites (mapsplit site for example).

Potentially we can include the current letsencrypt cert with the app, needs to be investigated.

This will effect OSM API access and likely a large number of imagery sources.
@simonpoole simonpoole changed the title Address letsencrypt certs no longer working on pre 7.1 devices Address issue that letsencrypt certs will no longer working on pre 7.1 devices Nov 7, 2020
@simonpoole simonpoole changed the title Address issue that letsencrypt certs will no longer working on pre 7.1 devices Address issue that letsencrypt certs will no longer working on pre Android 7.1 devices Nov 7, 2020
@simonpoole simonpoole changed the title Address issue that letsencrypt certs will no longer working on pre Android 7.1 devices Address issue that letsencrypt certs will no longer be working on pre Android 7.1 devices Nov 7, 2020
@simonpoole simonpoole added this to Todo in Planning via automation Nov 10, 2020
@simonpoole simonpoole added this to the 15.2 milestone Nov 10, 2020
@simonpoole simonpoole moved this from Todo to Todo 15.2 in Planning Nov 10, 2020
@simonpoole
Copy link
Collaborator Author

https://community.letsencrypt.org/t/mobile-client-workarounds-for-isrg-issue/137807/16

https://stackoverflow.com/questions/64844311/certpathvalidatorexception-connecting-to-a-lets-encrypt-host-on-android-m-or-ea

@westnordost
Copy link

Out of interest because I guess I'll have to implement a workaround as well, how many Vespucci users on Google Play use a version older than 7.1.1, absolute and in percent?

For StreetComplete it's currently 280 users or 3.5%. According to my extrapolation, it will be around 2% or 170 users in September 2021. In these numbers, F-Droid users are unaccounted for. They make up for 5-15% of users. In any case, a number that shouldn't fall under the table.

@simonpoole
Copy link
Collaborator Author

I'll have a look later, but the primary short term concern for us are imagery sources, the OSM API won't be an issue before September.

@westnordost
Copy link

Oh, then I didn't understand that article. Why will imagery sources be a problem before September?

@simonpoole
Copy link
Collaborator Author

I'll have a look later, but the primary short term concern for us are imagery sources, the OSM API won't be an issue before September.

It is rather unlikely that the imagery sources are aware of the issue and will explictly ask for the certificate chain with the crossigned cert for renewals (which is what OSM ops is doing). In September that won't help anymore, but it at least gives some wiggle room till then.

@simonpoole
Copy link
Collaborator Author

Numbers (per today)

7.0 - ...: 696 = 12%
7.1 - ...: 866 = 15%

It isn't quite clear what 7.1 contains so that is probably just upper limit and might be a bit lower. We don't have any numbers for f-droid, but from bug reports etc. it is seems to be quite popular, so I would suspect that we have at least 1'000 users that are potentially effected.

@simonpoole
Copy link
Collaborator Author

See https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516/2 for some information on the --preferred-chain argument to certbot.

@westnordost
Copy link

News today: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

@simonpoole simonpoole added Medium and removed Major labels Dec 24, 2020
@simonpoole simonpoole removed this from the 15.2 milestone Dec 24, 2020
@simonpoole simonpoole moved this from Todo 15.2 to Todo in Planning Dec 24, 2020
@simonpoole simonpoole mentioned this issue Jun 11, 2024
Closed
@simonpoole
Copy link
Collaborator Author

D-day has arrived #2556

@simonpoole simonpoole mentioned this issue Jun 12, 2024
Merged
simonpoole added a commit that referenced this issue Jun 12, 2024
@simonpoole
Add the ISRG X1 certificate to the trust store used by OkHttp
ae5e590 
This allows connections to sites using letsencrypt certificates to
continue to work for now on pre Android 7.1 devices. In particular this
affects the OSM API.

It is likely that this fix increases memory usage by multiple MBs.

Note: this does not solve the issue for things that do not use OkHttp,
for example ACRA.

Resolves #2556

Resolves #1277
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Medium Task
Projects
Vespucci Planning
Status: Done
Planning
  
Todo
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add the ISRG X1 certificate to the trust store used by OkHttp MarcusWolschon/osmeditor4android
2 participants
@simonpoole @westnordost