Impact of Let's Encrypt changes in Discourse users on old Android versions

Last week, the default certificate authority for Discourse announced an incoming change for next year, you can read it in details here:

What that means in the current status of Discourse is that from 2021-01-11T03:00:00Z users on Android version prior to 7.1.1 will be unable to connect to Discourse using Google Chrome. This can be postponed to September if we change how the certificate is requested, but it’s not something we have ready nor planned.

While the blog post shows that this can be a big as 33,8% of the Android users, doing a quick check on the last hour of some our hosting shows this number to be closer to 3%.

The post also tells that one workaround is using Firefox for Android that ships its own updated certificates. Firefox is supported in 97% of the affected users, as it supports Android 5+. And while we don’t support it officially, we do have some enthusiastic Firefox users on the team that keep an eye for basic usability issues.

Users can test if they will be affected by visiting https://valid-isrgrootx1.letsencrypt.org/

I’m assuming Google Chrome means it also impacts Discourse Hub, and anyone who installed the PWA would be silently broken?

Yes, it impacts Discourse Hub and any app that uses the OS certificate store.

We could make Discourse Hub use a different certificate for Android version > 6 and < 7.1.1, but not something we have planned at the moment.

PWAs use the Chrome engine by default, so they are also affected, unless installed using Firefox.

It looks like we will move the minimum supported Discourse Android version up to 7.1.2 as of January 11, 2021.

Android 7 was released in August 2016, over 4 years ago.

Going to be watching this one with interest. There are a number of <$100 tablets which are still selling with Android 6 and 7. I saw one project in March hand jobseekers hundreds of tablets running 7.1.

In that case the obvious solution will just be to stop using Let’s Encrypt.

Well, hopefully they were running 7.1.2 – that seems likely enough if they were on 7.1.

I wonder if Cloudflare is a way around this? Websites using their caching report Cloudflare’s certificate, and not the origin’s.

Using any other certificate authority is a way around, Cloudflare being one of those.

Our partners at Let’s Encrypt contacted us to share the following news:

Looks like old Androids will be able to continue browsing sites using Let’s Encrypt just fine

Note that Discourse Hub app will still require Android 7.1.2 or later, but this change by Let’s Encrypt means accessing a https Discourse site via the browser should be OK on older versions of Android, provided the user has an updated browser.