Let's Encrypt Chain of Trust Change 2024

This article will be of interest to users of the Xibo CMS who self-host their CMS using a Let's Encrypt SSL certificate, and who use Android Players running on Android versions earlier than 7.1.1, or some older versions of webOS and Tizen.

Users of Xibo's Cloud platform should not need to take action. Cloud users can contact support to discuss any concerns they may have.

On older Android devices, and some webOS and Tizen panels, Let's Encrypt relies on a cross-signed certificate signed by IdentiTrust for their certificates to be trusted.

That cross-signature expires on 30th September 2024, and so action will need to be taken ahead of that date to allow these devices to continue to communicate with the CMS.

There are two broad options available.

Continue using Let's Encrypt

In order to continue using LetsEncrypt certificates, you will need to either update the firmware on your device to a firmware that trusts the ISRG X1 root, or import the ISRG X1 root in to your device's trusted certificate store.

Details of the options available to you for upgrades or importing the certificate can be found here:
https://community.xibo.org.uk/t/install-letsencrypt-x1-root-on-a-rooted-device/22946

Switch to an alternative certificate

Alternatively, you can switch certificate provider and use paid-for certificates from companies such as RapidSSL or Comodo who's certificates are trusted by the older devices already. Note for RapidSSL support you need to manually add an additional cross-signed certificate to the chain to support these older devices.

Further Information

https://letsencrypt.org/2023/07/10/cross-sign-expiration.html