Android Question Let's Encrypt unacceptable certificate

hatzisn

Expert
Licensed User
Longtime User
On Android 11 I tried to contact my site, which is SSL-protected with a Let's Encrypt certificate, and I get this answer:

ResponseError. Reason: javax.net.ssl.SSLHandshakeException: Unacceptable certificate: CN=R3, O=Let's Encrypt, C=US, Response:

What is wrong with it? Chrome on the laptop does see it without any problem but Chrome on the phone does not...
 

hatzisn

Expert
Licensed User
Longtime User
Hi, did I scare you with the private message? It is crt.sh and not cry.sh, but t & y are side by side. It is the certificate registry search by Comodo (now named Sectigo).
 

hatzisn

Expert
Licensed User
Longtime User
I have fixed it with this solution:

 

magicmars

Member
Licensed User
Hi,

All my published apps that deal with API requests with okhttpUtils (https) have been down since yesterday because of the R3 Let's Encrypt certificate expiration (yesterday the IdenTrust DST Root CA X3 expired).

I need to add HU2_ACCEPTALL in the next update of my apps, but I don't like it: that could cause a man-in-the-middle attack if the certificate is not checked.

As a solution, I bought a Thawte 1-year wildcard certificate ($70).
I'm OK for one year now ... but that cost me an arm ...
 

magicmars

Member
Licensed User
@oparra I remember that in a previous thread you told me that you use R3 with HTTPS access for a REST API.
Are your apps working today?
 

hatzisn

Expert
Licensed User
Longtime User
Let's Encrypt has addressed the issue already, as can be seen here:


The situation is getting fixed gradually. First the Chrome browser on my phone accepted the certificate of my site, and afterwards I tried it with okhttputils and it worked without the HU2_ACCEPTALL conditional symbol. I suppose that, at least for the latest devices, Samsung dealt with this. I do not know, though, whether this change will spread to all the brands soon enough and to older devices as well, so I do not know what to do.
 

AHilberink

Active Member
Licensed User
Longtime User
Can someone explain why this is happening? I understood that old handshakes are no longer supported by Let's Encrypt.

But why is httputils2service v2.96 (latest) broken on these certificates?
What can be done on the user side to solve this, or is the only solution to buy a commercial certificate?
 

hatzisn

Expert
Licensed User
Longtime User

1) Read the link in post #7
2) If you have a site, just renew the certificate
 