Android Question [SOLVED] Brand new "Let's encrypt" certificate on Android 9 /10

magicmars

Hi!

In an app, I use an HTTPS Let's Encrypt certificate with the okhttpUtil2 library on a VPS server with my own RESTful JSON API.
As my Let's Encrypt certificates will expire in one week, I renewed them manually this evening.

I noticed the root certificate change, as explained here:
https://forum.opnsense.org/index.php?topic=20325.0
I just renewed as I normally do.

As soon as I switched to the new certificate, I noticed that all the HTTPS calls made from new Android devices (9, 10) to my VPS fail with the message:

ResponseError. Reason: javax.net.ssl.SSLHandshakeException: Chain validation failed, Response:
It seems to be fine on older Android devices.

I have also noticed that the issuing authority changed:
instead of being signed by "Let's Encrypt Authority X3", it is now signed by the "R3" authority.
I tested my new certificates signed by R3 on https://www.ssllabs.com/ssltest/
and it shows no error about the certificate chain.

When I reverted to the old certificates, still valid for just one week, everything came back fine on all devices, Android 5 to 10.

What is the problem with the new Let's Encrypt certificates and Android 9 and 10?
Is there an option I can set to tell okhttputils2 not to check it?

Thank you
 

magicmars

I have put HU2_ACCEPTALL in the conditional symbols, and I need to update my app quickly, but I still wonder what will happen in one week :eek:
 

Biswajit

If you update an SSL certificate manually, then you have to update:
  1. the certificate file
  2. the key file
  3. the chain file
Though it varies from server to server: the above is for Apache; for nginx you have to merge your domain certificate with the intermediate certificate and also update the key file.
 

magicmars

Yes, this is what I have been doing every two and a half months.
I upload these 3 files and restart Apache.
I don't use certbot but renew the certificate manually every time with this form:
https://gethttpsforfree.com/

I followed exactly the same procedure as before with these 3 files.
In a desktop browser the certificate delivered by R3 appears to be valid without error.
I only get this behaviour when I make requests with OkHttp on recent devices with the latest versions of Android (I tested with 9/10).

This problem occurs only with the new certificate authority R3. When I put back the old certificates, still valid for one week, it works.

Are there users who succeeded in renewing their Let's Encrypt certificate recently with the new R3 authority and met the same problem as me?
 

TILogistic

I use Let's Encrypt Authority X3 with okhttpUtil2

in my RESTful API (Apache) and I have had no problems on Android 9 and 10.

Check this on https://www.ssllabs.com/ssltest/ :

[screenshot: SSL Labs test result]


Note:
It is suggested to renew the certificates within 24 hours prior to the expiration of the certificate.
 

magicmars

Thank you @oparra.

Yes, I checked the certificate that causes the error: it seems OK too.
Can you confirm that your certificate was issued by the R3 authority (the new Let's Encrypt one) and not the old one, "Let's Encrypt Authority X3"?

[screenshot: certificate details]

In fact, this one (the old one) works:

[screenshot: certificate issued by Let's Encrypt Authority X3]

and this one (delivered by R3) does not work:

[screenshot: certificate issued by R3]
 

Biswajit

All my servers have Let's Encrypt SSL certificates issued by R3. I haven't faced any issue with OkHttp. Though I use CWP for server management, it handles all the renewals.
 

magicmars

@oparra I noticed your certificate was issued on 16/11/2020, meaning just before the switch of CA.
So your certificate is still signed with the old Let's Encrypt Authority X3 and not the new one, R3.

"Let's Encrypt switched to a new CA on Dec 3, 2020, and any certificates renewed or issued with default settings are affected."
 

TILogistic

> @oparra I noticed your certificate was issued on 16/11/2020, meaning just before the switch of CA.
> So your certificate is still signed with the old Let's Encrypt Authority X3 and not the new one, R3.
>
> "Let's Encrypt switched to a new CA on Dec 3, 2020, and any certificates renewed or issued with default settings are affected."

If I have read those comments correctly.

I am going to check the other subdomains of another domain that I have with a RESTful API and that are working.
 

Biswajit

> Do you use CentOS Web Panel?

Yes. It's free and the paid version is also cheap ($10/yr). It has almost all the features that WHM/cPanel has. I also use a simple and secure web panel called VestaCP. It can also handle those renewal things and other system updates, but that's very basic.
 

magicmars

OK... hum, I found the reason why I get this error.

This is simply silly: I have 5 devices to test my apps.
On the ones running Android 9 and 10 I manually changed the time and date some days ago to test an app, and I didn't change their date back.
I completely forgot that.
As I renewed my cert yesterday, these devices were still "in the past", and therefore the certificate was not valid because, for them, it was issued in the future.
So, no need to worry about Let's Encrypt certificates. I simply racked my brains on my own.

Thanks for the help @Biswajit and @oparra, by the way.

I mark it as solved.
 
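The two practical checks this thread turns on, written up as an added example (this is not code from the thread, from B4A or from the okhttpUtil2 library): Biswajit's point that Apache takes the domain certificate and the chain as separate files while nginx wants them concatenated, and magicmars's finding that a device whose clock is behind rejects a freshly issued certificate as not yet valid. The script assumes OpenSSL is installed on the VPS and that the uploaded files are named leaf.pem (domain certificate), chain.pem (the Let's Encrypt intermediate, e.g. R3) and root.pem (trust anchor); those file names are assumptions. `verify_at` evaluates the chain at an arbitrary Unix timestamp, so passing a test device's wrong clock reproduces the "not yet valid" failure on the server side, without disabling certificate checks in the app.

```shell
#!/bin/sh
# Added example; file names leaf.pem / chain.pem / root.pem are assumptions.

# Print the validity window of a certificate (notBefore / notAfter) so it can be
# compared with `date -u` on each test device.
cert_dates() {
  openssl x509 -in "$1" -noout -startdate -enddate
}

# Verify leaf -> intermediate -> root as a client would at Unix time $3.
# $4 is an optional trust anchor file; without it the system store is used.
# Feeding in a clock that lies before notBefore fails with "certificate is
# not yet valid", which is what a device left "in the past" sees.
verify_at() {
  leaf=$1; chain=$2; when=$3; root=$4
  if [ -n "$root" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" -attime "$when" "$leaf" >/dev/null 2>&1
  else
    openssl verify -untrusted "$chain" -attime "$when" "$leaf" >/dev/null 2>&1
  fi
}

# Build the single file nginx expects (ssl_certificate): leaf first, then the
# intermediate(s). Apache takes the two files separately
# (SSLCertificateFile / SSLCertificateChainFile).
make_fullchain() {
  cat "$1" "$2" > "$3"
}

# Check that the intermediate in the chain file really issued the leaf.
# Catches a leaf reissued under R3 while an old X3 chain file was left in place.
issuer_matches() {
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
  chain_subject=$(openssl x509 -in "$2" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${chain_subject#subject=}" ]
}

# Typical use on the server after uploading the renewed files:
#   cert_dates leaf.pem
#   issuer_matches leaf.pem chain.pem && echo "chain file matches leaf issuer"
#   verify_at leaf.pem chain.pem "$(date +%s)" && echo "chain verifies now"
#   make_fullchain leaf.pem chain.pem fullchain.pem   # for nginx
```

To reproduce the thread's failure, run `verify_at leaf.pem chain.pem <timestamp>` with the timestamp read from a misdated device (`date +%s` on the device via adb shell, for example); the verification fails until the timestamp reaches the leaf's notBefore, which is exactly the window in which Android reported "Chain validation failed".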

TILogistic

> OK... hum, I found the reason why I get this error.
>
> This is simply silly: I have 5 devices to test my apps.
> On the ones running Android 9 and 10 I manually changed the time and date some days ago to test an app, and I didn't change their date back.
> I completely forgot that.
> As I renewed my cert yesterday, these devices were still "in the past", and therefore the certificate was not valid because, for them, it was issued in the future.
> So, no need to worry about Let's Encrypt certificates. I simply racked my brains on my own.
>
> Thanks for the help @Biswajit and @oparra, by the way.
>
> I mark it as solved.

I thought the problem was something else; on my other domains the certificate was updated to R3 and the RESTful API works without problems.

But it is good to know what other reasons can generate this error.

Regards.
 