• Let's Encrypt certificate not valid for Android 7 and older#7039,Closed

    From Jakub@jak74@interia.pl to comp.mobile.android on Sun May 3 15:02:59 2026
    From Newsgroup: comp.mobile.android

    android
    Let's Encrypt certificate not valid for Android 7 and older

    how to fix it?

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to comp.mobile.android on Sun May 3 13:31:27 2026
    From Newsgroup: comp.mobile.android

    Jakub <jak74@interia.pl> wrote:
    android
    Let's Encrypt certificate not valid for Android 7 and older

    how to fix it?

    Upgrade to newer Android version. Certificates are well known for not being supported on older OSes which are out of support which is the point of the certificate.

  • From Eric Pozharski@apple.universe@posteo.net to comp.mobile.android on Mon May 4 08:30:36 2026
    From Newsgroup: comp.mobile.android

    with <10t7inf$2u14c$1@dont-email.me> Chris wrote:
    Jakub <jak74@interia.pl> wrote:

    android Let's Encrypt certificate not valid for Android 7 and older
    how to fix it?
    Upgrade to newer Android version. Certificates are well known for not
    being supported on older OSes which are out of support which is the
    point of the certificate.

    Not exactly. What happened is the certificate (by other CA; don't ask,
    long time ago and it's irrelevant now) that signed the certificate of letsencrypt (eons ago) has timeouted. Letsencrypt managed to do resign
    with newer.

    Unfortunately, A7 doesn't have it (namely: 'ISRG Root X1'). Adding it
    to keyring would last another decade. Unfortunately, to do this A7 must
    be rooted. So upgrade is the only option.
    --
    Torvalds' goal for Linux is very simple: World Domination
    Stallman's goal for GNU is even simpler: Freedom
  • From Arno Welzel@usenet@arnowelzel.de to comp.mobile.android on Mon May 4 11:59:16 2026
    From Newsgroup: comp.mobile.android

    Jakub, 2026-05-03 15:02:

    android
    Let's Encrypt certificate not valid for Android 7 and older

    how to fix it?

    You can't. Get a newer Android version. Android 7 is now about 10 years old.
    --
    Arno Welzel
    https://arnowelzel.de
  • From David Higton@dave@davehigton.me.uk to comp.mobile.android on Mon May 4 16:15:47 2026
    From Newsgroup: comp.mobile.android

    In message <slrn10vgm9c.alc.apple.universe@freight.zombinet>
    Eric Pozharski <apple.universe@posteo.net> wrote:

    with <10t7inf$2u14c$1@dont-email.me> Chris wrote:
    Jakub <jak74@interia.pl> wrote:

    android Let's Encrypt certificate not valid for Android 7 and older how to fix it?
    Upgrade to newer Android version. Certificates are well known for not
    being supported on older OSes which are out of support which is the point
    of the certificate.

    Not exactly. What happened is the certificate (by other CA; don't ask,
    long time ago and it's irrelevant now) that signed the certificate of letsencrypt (eons ago) has timeouted. Letsencrypt managed to do resign
    with newer.

    Unfortunately, A7 doesn't have it (namely: 'ISRG Root X1'). Adding it to keyring would last another decade. Unfortunately, to do this A7 must be rooted. So upgrade is the only option.

    This is a naive suggestion, i.e. I don't know for sure whether it will or
    will not work; but, when I get certificates, there's a "fullchain.pem"
    file that contains my own cert and all the rest of the necessary chain,
    I think. May be worth a try.

    David
  • From Theo@theom+news@chiark.greenend.org.uk to comp.mobile.android on Tue May 5 13:38:36 2026
    From Newsgroup: comp.mobile.android

    David Higton <dave@davehigton.me.uk> wrote:
    In message <slrn10vgm9c.alc.apple.universe@freight.zombinet>
    Eric Pozharski <apple.universe@posteo.net> wrote:

    with <10t7inf$2u14c$1@dont-email.me> Chris wrote:
    Jakub <jak74@interia.pl> wrote:

    android Let's Encrypt certificate not valid for Android 7 and older how to fix it?
    Upgrade to newer Android version. Certificates are well known for not being supported on older OSes which are out of support which is the point of the certificate.

    Not exactly. What happened is the certificate (by other CA; don't ask, long time ago and it's irrelevant now) that signed the certificate of letsencrypt (eons ago) has timeouted. Letsencrypt managed to do resign with newer.

    Unfortunately, A7 doesn't have it (namely: 'ISRG Root X1'). Adding it to keyring would last another decade. Unfortunately, to do this A7 must be rooted. So upgrade is the only option.

    This is a naive suggestion, i.e. I don't know for sure whether it will or will not work; but, when I get certificates, there's a "fullchain.pem"
    file that contains my own cert and all the rest of the necessary chain,
    I think. May be worth a try.

    What do you propose to do with such a file?

    The problem is that TLS needs the root certificate to be preloaded on the client. Otherwise a site could provide its own 'fullchain' including a self-signed root cert, meaning you wouldn't be having any authority vouch
    for it. You wouldn't be able to tell if a MITM had replaced the
    fullchain with their own.

    To make it work, you need to include the root cert in the cert storage on
    the device. I'm not sure how Android does it - one way to do that involves rooting, but I'm not sure if certs can be updated via Google Play updates (perhaps not on older phones?), or whether third party browsers can ship
    with certs which they can use in preference to the root certs in Android's storage.

    Theo
  • From Andy Burns@usenet@andyburns.uk to comp.mobile.android on Tue May 5 13:57:33 2026
    From Newsgroup: comp.mobile.android

    Theo wrote:

    What do you propose to do with such a file?

    Import the new LetsEncrypt root through

    Settings / security & Privacy / More Security & Privacy / Encryption & Credentials / Install a Certificate / CA Certificate

    or does that disallow root CAs? I thought I'd used it years ago for a
    windows enterprise CA
  • From Eric Pozharski@apple.universe@posteo.net to comp.mobile.android on Tue May 5 10:34:59 2026
    From Newsgroup: comp.mobile.android

    with <f157c1d35c.DaveMeUK@BeagleBoard-xM> David Higton wrote:
    In message <slrn10vgm9c.alc.apple.universe@freight.zombinet> Eric
    Pozharski <apple.universe@posteo.net> wrote:
    with <10t7inf$2u14c$1@dont-email.me> Chris wrote:
    Jakub <jak74@interia.pl> wrote:

    android Let's Encrypt certificate not valid for Android 7 and older
    how to fix it?
    Upgrade to newer Android version. Certificates are well known for
    not being supported on older OSes which are out of support which is
    the point of the certificate.
    *SKIP* [ 4 lines 2 levels deep]
    Unfortunately, A7 doesn't have it (namely: 'ISRG Root X1'). Adding
    it to keyring would last another decade. Unfortunately, to do this
    A7 must be rooted. So upgrade is the only option.
    This is a naive suggestion, i.e. I don't know for sure whether it will
    or will not work;

    I do. It does. For 20 months now.

    but, when I get certificates, there's a "fullchain.pem" file that
    contains my own cert and all the rest of the necessary chain, I think.
    May be worth a try.

    I've just run 'find / -name fullchain.pem' -- nothing. Are we talking
    A7 still?
    --
    Torvalds' goal for Linux is very simple: World Domination
    Stallman's goal for GNU is even simpler: Freedom
  • From Arno Welzel@usenet@arnowelzel.de to comp.mobile.android on Wed May 6 14:52:10 2026
    From Newsgroup: comp.mobile.android

    David Higton, 2026-05-04 17:15:

    In message <slrn10vgm9c.alc.apple.universe@freight.zombinet>
    Eric Pozharski <apple.universe@posteo.net> wrote:

    with <10t7inf$2u14c$1@dont-email.me> Chris wrote:
    Jakub <jak74@interia.pl> wrote:

    android Let's Encrypt certificate not valid for Android 7 and older how to fix it?
    Upgrade to newer Android version. Certificates are well known for not
    being supported on older OSes which are out of support which is the point of the certificate.

    Not exactly. What happened is the certificate (by other CA; don't ask,
    long time ago and it's irrelevant now) that signed the certificate of
    letsencrypt (eons ago) has timeouted. Letsencrypt managed to do resign
    with newer.

    Unfortunately, A7 doesn't have it (namely: 'ISRG Root X1'). Adding it to
    keyring would last another decade. Unfortunately, to do this A7 must be
    rooted. So upgrade is the only option.

    This is a naive suggestion, i.e. I don't know for sure whether it will or will not work; but, when I get certificates, there's a "fullchain.pem"
    file that contains my own cert and all the rest of the necessary chain,
    I think. May be worth a try.

    No. fullchain.pem only contains the full chain including intermediate certificates but *except* the root certificate of the CA. Because the
    root certificate *must* be on the device, since this is the way how a
    device can check it. If the certificate chain does not derive from a
    root certificate, it is not trusted.
    --
    Arno Welzel
    https://arnowelzel.de
  • From Arno Welzel@usenet@arnowelzel.de to comp.mobile.android on Wed May 6 15:52:50 2026
    From Newsgroup: comp.mobile.android

    Andy Burns, 2026-05-05 14:57:

    Theo wrote:

    What do you propose to do with such a file?

    Import the new LetsEncrypt root through

    Settings / security & Privacy / More Security & Privacy / Encryption & Credentials / Install a Certificate / CA Certificate

    or does that disallow root CAs? I thought I'd used it years ago for a windows enterprise CA

    The certificates for the root CA of Let's Encrypt can be found here:

    <https://letsencrypt.org/certificates/>

    However Android does not allow to import system wide root CAs for
    security reasons. So this will not help you.
    --
    Arno Welzel
    https://arnowelzel.de
  • From Maria Sophia@mariasophia@comprehension.com to comp.mobile.android on Wed May 6 11:01:34 2026
    From Newsgroup: comp.mobile.android

    Arno Welzel wrote:
    The certificates for the root CA of Let's Encrypt can be found here:

    <https://letsencrypt.org/certificates/>

    However Android does not allow to import system wide root CAs for
    security reasons. So this will not help you.

    I only belatedly looked at this thread (mainly because I know absolutely
    nothing about the topic at hand), so this is the first time I'm seeing it.

    Doing a search gets me slightly up to speed on the problem set itself.
    <https://letsencrypt.org/2020/11/06/own-two-feet>
    <https://www.reddit.com/r/Android/comments/jpgv0v/lets_encrypt_wont_support_android_7_and_below_by/>

    Android 7 (and older) doesn't trust Let's Encrypt's current root
    certificate ("ISRG Root X1").
    Those devices only trust the old DST Root X3,
    which expired in 2021.

    Looking it up, "apparently" there are 3 possible maybe kind'a workarounds
    (but, as you can imagine, they each solve a "special case" situation).
    a. Firefox fix (e.g., firefox mobile)
    Firefox apparently includes the ISRG Root X1 certificate internally,
    so it will load Let's Encrypt sites perfectly even if the OS doesn't.
    <https://community.home-assistant.io/t/lets-encrypts-ca-is-no-longer-considered-valid-on-android-versions-older-than-7-1-1/717907>

    b. Manual install (under certain conditions)
    This says you can manually install it under certain circumstances.
    <https://voxelmanip.se/2024/09/17/installing-lets-encrypt-certificates-on-old-android/>

    These are only search results.
    I have not tested any of this.

    Worse, I don't even understand the issue well enough to come up
    with my own ideas of how to solve it, even as I almost never
    fail when I try to solve any problem on a computing device.

    So take that only as a dump of what the Internet suggests.
    Good luck. Let us know how it works out for you overall.
    --
    On Usenet, we old men trade facts so everyone can make better choices.
  • From Arno Welzel@usenet@arnowelzel.de to comp.mobile.android on Thu May 7 08:36:21 2026
    From Newsgroup: comp.mobile.android

    Maria Sophia, 2026-05-06 19:01:

    Arno Welzel wrote:
    The certificates for the root CA of Let's Encrypt can be found here:

    <https://letsencrypt.org/certificates/>

    However Android does not allow to import system wide root CAs for
    security reasons. So this will not help you.

    [...]

    b. Manual install (under certain conditions)
    This says you can manually install it under certain circumstances.
    <https://voxelmanip.se/2024/09/17/installing-lets-encrypt-certificates-on-old-android/>

    Thanks for this pointer - indeed I forgot, that you can install a CA certificate in the security settings. However you will then also get a
    constant warning, that your Network activity may be monitored, since
    Android does not know, if the added certificate is legit.

    The proper way would be a security update for Android itself which also includes updated CA certificates - but since Android 7 is long out of
    service, this will not happen.
    --
    Arno Welzel
    https://arnowelzel.de
  • From Eric Pozharski@apple.universe@posteo.net to comp.mobile.android on Sun May 10 01:03:15 2026
    From Newsgroup: comp.mobile.android

    with <10thbt5$1q98s$1@dont-email.me> Arno Welzel wrote:
    Maria Sophia, 2026-05-06 19:01:
    Arno Welzel wrote:

    The certificates for the root CA of Let's Encrypt can be found here:
    <https://letsencrypt.org/certificates/>
    However Android does not allow to import system wide root CAs for
    security reasons. So this will not help you.
    b. Manual install (under certain conditions) This says you can
    manually install it under certain circumstances.
    <https://voxelmanip.se/2024/09/17/installing-lets-encrypt-certificates-on-old-android/>
    Thanks for this pointer - indeed I forgot, that you can install a CA certificate in the security settings.

    Well, how should I put it? I didn't mention
    Settings/Security/InstallFromSD way because I'd tried it back then and
    it wasn't working -- the certificate is visible (more on that later) but
    no amount of pushing/pinching/punching/screaming makes any difference -- nothing happens. So being all righteous and stuff I went there again to
    be immediately defeated -- now it works.

    And this is fine. Do something stupid, that unlocks some functionality
    that The Industry deems to be gone, then unroll the stupidity done to
    use the functionality. And then wait for time the stupidity will come
    back to bite you. And it will. One day.

    Now corrections to voxelmanip.se story.

    [1] Side note, some screenshots are clearly in The Dark Theme. What
    stupidity should I do to unlock this? All I can find is
    Settings/Accessibility/ColorInversion. But it's just negative but
    The Dark Theme.

    [2] Filename *must* be with 'crt' or 'pem' suffix. Demonstrated 'txt'
    suffix doesn't do. Potential (more on that later) certificates
    will have visible stylized fingerprint icon (granted in grid view);
    all other files are dimmed. And that stems from suffix only,
    contents isn't examined yet. Basename is indeed irrelevant.

    [3] If filename has 'crt'/'pem' suffix but contents is anything but a
    certificate upon pushing results in a message 'No certificate to
    install'. Funny shit, file size (like being empty) doesn't
    invalidate eligibility of potential files.

    [4] Indeed, name of certificate isn't sourced from certificate itself.
    Thus making it prone to abuse, I guess.

    [5] Check for screenPin/screenPassword is made at attempt to install but
    open.

    [6] So far I don't see SPin/SPassword required to stay -- I've returned
    screen lock to Swipe and nothing (on the surface) has changed.

    All that is known from observation. I've tried to think a certificate I
    would need and nothing came up. So I just grabbed 'ISRG Root X2' and
    installed it. Obviously, since I don't need it I can't report if/how it
    works. Anyway,

    [7] Using, now working, S/S/IFSD installs into 'Users'. In contrary
    with The Only True Way (what requires rooting) that installs into
    'System'.

    However you will then also get a constant warning, that your Network
    activity may be monitored, since Android does not know, if the added certificate is legit.

    The Scary Warning isn't constant -- I've swiped it off so far it hasn't surfaced again. I'll report back if anything happens.

    *CUT* [ 3 lines 1 level deep]
    --
    Torvalds' goal for Linux is very simple: World Domination
    Stallman's goal for GNU is even simpler: Freedom
    --- Synchronet 3.22a-Linux NewsLink 1.2
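
An added example, not part of any post in the thread: a pre-install check for a CA file, following the points above that fullchain.pem carries no root and that the Android installer selects files by suffix before looking at their contents. All function names and the sample data are constructed for illustration; the expected fingerprint is assumed to be obtained out of band, for instance from the CA's own certificates page.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Name fields of one certificate."""
    _, pos, _ = read_tlv(der, 0)    # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []                     # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def inspect_bundle(pem_text):
    """SHA-256 fingerprint and self-issued flag for each certificate in a PEM file."""
    certs = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        issuer, subject = issuer_and_subject(der)
        certs.append({"sha256": hashlib.sha256(der).hexdigest(),
                      "self_issued": issuer == subject})
    return certs

def ok_to_install_as_ca(pem_text, expected_sha256):
    """True only for a single self-issued cert whose fingerprint matches the
    value obtained out of band (being self-issued alone proves nothing)."""
    certs = inspect_bundle(pem_text)
    want = expected_sha256.lower().replace(":", "").replace(" ", "")
    return len(certs) == 1 and certs[0]["self_issued"] and certs[0]["sha256"] == want

# Constructed sample data: DER skeletons with the right field layout, not real certificates.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value
def fake_cert(issuer, subject):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _tlv(0x30, issuer.encode()) + _tlv(0x30, b"") + _tlv(0x30, subject.encode()))
    der = _tlv(0x30, _tlv(0x30, tbs))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

ROOT = fake_cert("Example Root", "Example Root")
FULLCHAIN = (fake_cert("Example Intermediate", "site.example")
             + fake_cert("Example Root", "Example Intermediate"))
```

The check compares issuer and subject bytes only and does not verify any signature, so the fingerprint comparison is what actually ties the file to the intended CA.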