Outdated client operating systems such as Android 7.0 and earlier will no longer be able to make secure connections to servers using Let's Encrypt certificates from February 2024.
Like many Internet services, we use Let's Encrypt certificates.
We have resilient communication mechanisms that can work around many connectivity issues. However, some functionality will now fail on older devices:
- Displaying websites that are secured by Let's Encrypt
- Connecting to advert servers and RSS feeds secured by Let's Encrypt
- DPoP and other communications to external services secured by Let's Encrypt
- Connecting to SignageNode player admin interface (reverse tunnel)
The following cloud security settings will also cause communications to fail on older devices:
- Require secure player communications
- Require secure blobstore communications
These cloud security settings can be safely disabled because communication is still digitally signed and verified even when data is not encrypted with HTTPS.
Resolution
The recommended solution is to upgrade outdated operating systems. However, for older hardware this might not be possible.
A new root certificate can be installed to restore communications on outdated operating systems.
To automate installing the root certificate, we have made a custom update package available:
https://storage.googleapis.com/targetr/certificate-update-2024-03-08.zip
This package can be automatically downloaded and applied by DS Loader using the update command:
To apply this update, the device must be rooted because DS Loader needs permission to add the root certificate to the system certificate store.
When the update completes, the device will reboot. All communications to servers on the Internet that use Let's Encrypt will then work correctly.
Root Cause
The cause is a planned 2024 change to the chain of trust of Let's Encrypt certificates. Starting from Thursday, February 8th, 2024, Let's Encrypt will by default stop providing certificates with the root certificate that is cross-signed by the DST Root CA X3 certificate. See the page Shortening the Let's Encrypt Chain of Trust for details.
This is done because the cross-sign of the Let's Encrypt root certificate ISRG Root X1 by DST Root CA X3, which was done for backwards compatibility, will expire on Monday, September 30th, 2024.
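The chain change described above can be modelled as a path search from the server certificate to a root in the device's certificate store. The following is an added example, not code from DS Loader or Let's Encrypt; the leaf and intermediate names, their expiry dates and the contents of the outdated store are constructed assumptions, and only the two root names and the September 30th, 2024 expiry come from this article.

```python
from datetime import date
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: date


# Constructed model: leaf and intermediate names and dates are made up.
LEAF = Cert("signage.example", "Example LE Intermediate", date(2024, 12, 1))
INTERMEDIATE = Cert("Example LE Intermediate", "ISRG Root X1", date(2025, 9, 15))
# ISRG Root X1 cross-signed by DST Root CA X3; expiry date is from the article.
CROSS_SIGN = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))

LONG_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGN]  # default before 8 Feb 2024
SHORT_CHAIN = [LEAF, INTERMEDIATE]             # default from 8 Feb 2024

OLD_STORE = {"DST Root CA X3"}                 # assumed outdated device store
UPDATED_STORE = OLD_STORE | {"ISRG Root X1"}   # after the new root is installed


def find_anchor(chain, trust_store, today):
    """Follow issuer links from the leaf; return the trusted root reached, or None."""
    by_subject = {c.subject: c for c in chain}
    cert, seen = chain[0], set()
    while cert.subject not in seen:
        seen.add(cert.subject)
        if today > cert.not_after:
            return None             # an expired link breaks the path
        if cert.issuer in trust_store:
            return cert.issuer      # issuer is a root the device already trusts
        cert = by_subject.get(cert.issuer)
        if cert is None:
            return None             # the server did not send the next link
    return None                     # issuer links loop without reaching a root


if __name__ == "__main__":
    for label, chain, store, day in [
        ("long chain, old store, Jan 2024", LONG_CHAIN, OLD_STORE, date(2024, 1, 15)),
        ("short chain, old store, Mar 2024", SHORT_CHAIN, OLD_STORE, date(2024, 3, 8)),
        ("short chain, updated store", SHORT_CHAIN, UPDATED_STORE, date(2024, 3, 8)),
        ("long chain, old store, Oct 2024", LONG_CHAIN, OLD_STORE, date(2024, 10, 1)),
    ]:
        print(f"{label}: {find_anchor(chain, store, day) or 'no trusted path'}")
```

The model checks names and expiry only; a real client also verifies every signature in the path.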