Let's Encrypt, a non-profit, community-controlled certificate authority that issues certificates free of charge to everyone, has announced that it will move to issuing certificates that chain only to its own root certificate, without relying on the certificate cross-signed by the IdenTrust certificate authority. The cross-signed certificate expires on September 1, 2021, which means that 33% of Android devices will stop recognizing Let's Encrypt certificates.
The Let's Encrypt root certificate is trusted by all modern browsers, but Android has trusted it only since version 7.1.1, released in late 2016. According to available statistics, however, Android 7.1 and newer releases account for only 66.2% of all Android devices, so 33.8% of active Android devices do not have the Let's Encrypt root certificate in their trust store. Once the cross-signed certificate expires, such devices will show an error when opening sites that use Let's Encrypt certificates. The share of visitors whose Android devices depend on the cross-signed certificate is roughly estimated at 1 to 5% of the audience of large sites.
Let's Encrypt does not intend to enter into a new cross-signing agreement, and explains its reasoning as follows:
It’s a big risk for a CA to cross-sign another CA’s certificate, since they become responsible for everything that CA does. That also means the recipient of the cross-signature has to follow all the procedures laid out by the cross-signing CA. It’s important for us to be able to stand on our own. Also, the Android update problem doesn’t seem to be going away. If we commit ourselves to supporting old Android versions, we would commit ourselves to seeking cross-signatures from other CAs indefinitely.
Starting January 11, 2021, the Let's Encrypt API will change: by default, ACME clients will receive certificates chaining to ISRG Root X1 without the cross-signature. Clients that need the wider compatibility will be able to request an alternative certificate chain that still ends in the cross-signed certificate, but that chain will remain limited by the lifetime of the cross-signed root certificate (September 1, 2021).
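To make the trust-store problem concrete, here is an added example (not from the Let's Encrypt announcement) that builds a constructed mini-PKI with the openssl command-line tool: "Old Root" stands in for the cross-signing CA that old Android trusts, "New Root" stands in for ISRG Root X1, and a 30-day cross-signed copy of New Root plays the role of the certificate expiring on September 1, 2021. It assumes openssl 1.1.1 or newer is on the PATH; all CA names and the example.test hostname are constructed.

```shell
#!/bin/sh
# Added example: constructed mini-PKI reproducing the cross-signature expiry problem.
#   "Old Root"  = the cross-signing CA (the only root an old Android trust store has)
#   "New Root"  = the CA's own root (ISRG Root X1 in the real case, trusted from Android 7.1.1)
# The cross-signed copy of New Root lives 30 days, so verifying "40 days from now"
# with -attime plays the role of September 1, 2021.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

# sign NAME KEY SUBJECT DAYS EXTFILE [ISSUER]: self-signed when no ISSUER is given
sign() {
  openssl req -new -key "$2" -subj "$3" -out "$1.csr" 2>/dev/null
  if [ $# -ge 6 ]; then
    openssl x509 -req -in "$1.csr" -CA "$6.pem" -CAkey "$6.key" -CAcreateserial \
      -days "$4" -extfile "$5" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$2" -days "$4" -extfile "$5" -out "$1.pem" 2>/dev/null
  fi
}

for k in old new inter leaf; do openssl genrsa -out "$k.key" 2048 2>/dev/null; done
sign old   old.key   "/CN=Old Root"     3650 ca.ext          # cross-signing CA's root
sign new   new.key   "/CN=New Root"     3650 ca.ext          # the CA's own root
sign cross new.key   "/CN=New Root"       30 ca.ext   old    # same key and subject, issued by Old Root
sign inter inter.key "/CN=Intermediate" 3650 ca.ext   new    # issuing intermediate under New Root
sign leaf  leaf.key  "/CN=example.test"   90 leaf.ext inter  # server certificate

cp inter.pem chain-default.pem               # default chain: ends at the CA's own root
cat inter.pem cross.pem > chain-compat.pem   # alternative chain: ends at the cross-signed root

# check STORE CHAIN EPOCH: prints OK or FAIL for leaf.pem against trust store STORE at time EPOCH
check() {
  openssl verify -attime "$3" -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
}
NOW=$(date +%s); LATER=$((NOW + 40 * 86400))

echo "old store, compat chain, now:    $(check old.pem chain-compat.pem  "$NOW")"    # OK
echo "old store, compat chain, later:  $(check old.pem chain-compat.pem  "$LATER")"  # FAIL: cross-sign expired
echo "old store, default chain, now:   $(check old.pem chain-default.pem "$NOW")"    # FAIL: no path to a trusted root
echo "new store, default chain, later: $(check new.pem chain-default.pem "$LATER")"  # OK
```

The two FAIL lines are the two situations the article describes: an old trust store with the default chain fails immediately, and with the alternative chain it fails as soon as the cross-signature expires.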
As a workaround, users of older Android devices are advised to switch to the Firefox browser, which ships its own up-to-date root certificate store; Firefox, however, does not support Android 4.x (about 2% of active Android devices) and runs only on Android 5.0 or newer. Site owners who are not prepared to lose compatibility with old Android phones are advised to serve requests from older Android devices over HTTP or to switch to a CA whose root is trusted by older versions of Android.