Android Question Let's Encrypt unacceptable certificate

[hatzisn]

I tried in Android 11 to contact my site which is SSL protected with Let's Encrypt certificate and I get this answer:

ResponseError. Reason: javax.net.ssl.SSLHandshakeException: Unacceptable certificate: CN=R3, O=Let's Encrypt, C=US, Response:

What is wrong with it? Chrome in laptop does see it without any problem but Chrome in phone does not...

 

[TILogistic]

??
Chrome in phone Update.

or.

Notice Spanish sorry.

???

30 de septiembre: el día que Smart TV y otros dispositivos se quedarán sin Internet

El 30 de septiembre caducará el certificado usado por millones de dispositivos. Si no se actualizan, se quedarán sin acceder a Internet.

www.adslzone.net

 

[hatzisn]

Hi, did I scare you with the private message? It is crt.sh and not cry.sh but t & y are side by side. It is the certificate registry search by comodo (now named sectigo).

 

[hatzisn]

I have fixed it with this solution:

[B4X] OkHttpUtils2 / iHttpUtils2 and accept all option

Note that OkHttpUtils2, jOkHttpUtils2 and iHttpUtils2 are actually the exact same b4x library. jOkHttpUtils2_NONUI was required as a special version for non-ui B4J apps. It is no longer required and shouldn't be used. Starting from v2.90 it is very simple to initialize the internal http client...

www.b4x.com

 

[magicmars]

Hi,

All my published apps that deal with API requests with okhttpUtils (https) , were down since yesterday because of the R3 lets encrypt certificate expiration (yesterday, expire IdentTrust DST Root CA X3).

I need to add HU2_ACCEPTALL in the next update of my apps, but I don't like it: that could cause man-in-the-middle attack if certificate is not checked.

As a solution, i bought a Thawte 1 year wildcard certificate (70$).
I'm ok for one year now .... but that cost me an arm ....

 

[magicmars]

@oparra I remind me that on a previous tread you told me that you use R3 with https acces for rest API.
Do your apps working today ?

 

[hatzisn]

Let's Encrypt has addressed the issue already as it can be seen here:

Let's Encrypt's Root Certificate is expiring!

On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's

scotthelme.co.uk

The situation is getting fixed gradually. First the Chrome browser in my phone accepted the certificate of my site and after I tried it with the okhttputils and it worked without the HU2_ACCEPTALL conditional symbol. I suppose at least for the latest devices Samsung dealt with this. I do not know though if this change will be diffused to all the brands soon enough and to older devices as well so I do not know what to do.

 

[AHilberink]

Can someone explain why this is happening? I understood that old handshakes are no longer supported by Let's Encrypt.

But why is httputils2service v2.96 (latest) broken on these certificates?
What can be done at user-side to solve this or is the only solution to buy a commercial certificate?

 

[hatzisn]

Can someone explain why this is happening? I understood that old handshakes are no longer supported by Let's Encrypt.

But why is httputils2service v2.96 (latest) broken on these certificates?
What can be done at user-side to solve this or is the only solution to buy a commercial certificate?

1) Read the link in post #7
2) If you have a site just renew the certificate

 

[AHilberink]

2) If you have a site just renew the certificate

We automaticaly renew every 3 months, but I are right: Renewing did solve it. The root was already valid till 2035. Strange ....
Thanks.