Open linl33 opened 4 years ago
This looks like a good plan to me! I think in the long run supporting custom trusted certs in a deployment's client apps is the right way to solve the full offline case. Another possible short-term stopgap is adding zerossl as an alternative ACME cert provider. Supposedly it works the same with certbot, and they are still using a traditional root CA. Their 90 day ACME certs are also free like letsencrypt's: https://news.ycombinator.com/item?id=25188614 and https://zerossl.com/features/acme/
ZeroSSL is listed as one of the options in the Google doc linked above. Unfortunately though, adding ZeroSSL is not as simple as swapping Let's Encrypt's ACME URL for ZeroSSL's URL. ZeroSSL requires an account, which has to be created out of band, to request certificates. See https://zerossl.com/documentation/acme/
Ah, that makes sense. Sorry I couldn't see the doc yesterday! The plan as it stands is definitely the best option then!
Update from Let's Encrypt on this situation: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
In short, they have found a workaround that will allow old devices to continue to trust Let's Encrypt issued certificates until early 2024.
Let's Encrypt issued certificates will no longer be trusted on some devices, notably Android versions prior to 7.1.1, after September 30, 2021. ODK-X will introduce the following changes/features to minimize the impact:
- [ ] Trust Let's Encrypt's root public keys (ISRG Root X1, ISRG Root X2) in ODK-X Services
- [ ] Allow ODK-X Services to trust user provided certificates
- [ ] Allow users to bring their own certificate in the Sync Endpoint setup script

Links:
- https://docs.google.com/document/d/11KvB6XAkAp17bny4lPk4Uvobb5n6arbRT_iXArbfOns/edit
- https://letsencrypt.org/2020/11/06/own-two-feet.html
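One way an Android client such as ODK-X Services could implement the first two checklist items, as an added example that is not ODK-X code: build a trust store from the device's existing CAs plus extra PEM roots (a bundled ISRG Root X1/X2 file and any user-supplied CA) and hand the resulting SSLContext to the app's HTTP client. The PEM sources are the caller's choice; this programmatic route is needed on devices older than Android 7.0, where the declarative network security config is not available.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class CombinedTrust {
    // Returns an SSLContext that trusts the device's existing CAs plus every CA
    // certificate found in the given PEM streams (e.g. a bundled ISRG Root X1
    // and a deployment's own root). Install it on the app's HTTP client.
    public static SSLContext build(List<InputStream> extraPems) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null); // empty in-memory trust store

        // 1. Copy the device's current anchors so nothing that works today breaks.
        TrustManagerFactory sys = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        sys.init((KeyStore) null);
        int n = 0;
        for (TrustManager tm : sys.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    store.setCertificateEntry("system-" + n++, ca);
                }
            }
        }

        // 2. Add the extra roots. Only CA certificates belong here: accepting a
        //    leaf or intermediate would widen the trust set beyond what the user chose.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (InputStream pem : extraPems) {
            for (Certificate c : cf.generateCertificates(pem)) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() < 0) {
                    throw new IllegalArgumentException("not a CA: " + x.getSubjectX500Principal());
                }
                store.setCertificateEntry("extra-" + n++, x);
            }
        }

        // 3. Build the trust manager and SSLContext from the combined store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The server must still present a chain that terminates in one of these roots; a chain built to a root the device lacks fails exactly as before, so the bundled ISRG roots and the user-supplied CA should be checked against the Sync Endpoint's actual chain during deployment.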