It took a long time, but most of the web now uses HTTPS to securely transmit information, partially thanks to a push by Google. However, this does mean that many websites could encounter issues (or fail to load entirely) if the proper certificates aren't installed on your device, which is exactly what will happen to older Android devices next year.

Let's Encrypt is one of the world's leading certificate authorities, and the group's certificates are used by approximately 30% of all web domains. When the group was first founded, it applied for its own 'ISRG Root X1' root certificate to be included in all browsers and operating systems. All certificates to date have also been cross-signed with IdenTrust's 'DST Root X3' root, which has been in Windows, macOS, Android, and most other software platforms for years.

Let's Encrypt's original partnership with IdenTrust expires on September 1st, 2021, and the group doesn't plan on entering another cross-signing agreement. This means that all browsers and operating systems without Let's Encrypt's root certificate will no longer work with sites and services using the group's certificates. The announcement pointed out that devices running Android 7.1 or lower is among the affected group:

However, this does introduce some compatibility woes. Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.

Even though the agreement doesn't end until September of next year, Let's Encrypt will stop cross-signing by default starting on January 11, 2021. The option will still exist for sites and services to continue generating cross-signed certificates, but only until September.

The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking.

Crisis averted

Let's Encrypt has come up with a workaround that should take care of things until 2024.