osmeditor4android icon indicating copy to clipboard operation
osmeditor4android copied to clipboard

Published 20 hours ago verified publisher icon MarcusWolschon

Address issue that letsencrypt certs will no longer be working on pre Android 7.1 devices

Open simonpoole opened this issue 5 years ago • 8 comments

See https://letsencrypt.org/2020/11/06/own-two-feet.html

This will effect access to the OSM API (except if they spend some funds on getting certs from somewhere else) and, less important, to the crash reporting and other secondary sites (mapsplit site for example).

Potentially we can include the current letsencrypt cert with the app, needs to be investigated.

This will effect OSM API access and likely a large number of imagery sources.

simonpoole avatar Nov 07 '20 13:11 simonpoole

https://community.letsencrypt.org/t/mobile-client-workarounds-for-isrg-issue/137807/16

https://stackoverflow.com/questions/64844311/certpathvalidatorexception-connecting-to-a-lets-encrypt-host-on-android-m-or-ea

simonpoole avatar Nov 24 '20 22:11 simonpoole

Out of interest because I guess I'll have to implement a workaround as well, how many Vespucci users on Google Play use a version older than 7.1.1, absolute and in percent?

For StreetComplete it's currently 280 users or 3.5%. According to my extrapolation, it will be around 2% or 170 users in September 2021. In these numbers, F-Droid users are unaccounted for. They make up for 5-15% of users. In any case, a number that shouldn't fall under the table.

westnordost avatar Nov 29 '20 17:11 westnordost

I'll have a look later, but the primary short term concern for us are imagery sources, the OSM API won't be an issue before September.

simonpoole avatar Nov 29 '20 17:11 simonpoole

Oh, then I didn't understand that article. Why will imagery sources be a problem before September?

westnordost avatar Nov 29 '20 18:11 westnordost

I'll have a look later, but the primary short term concern for us are imagery sources, the OSM API won't be an issue before September.

It is rather unlikely that the imagery sources are aware of the issue and will explictly ask for the certificate chain with the crossigned cert for renewals (which is what OSM ops is doing). In September that won't help anymore, but it at least gives some wiggle room till then.

simonpoole avatar Nov 29 '20 18:11 simonpoole

Numbers (per today)

7.0 - ...: 696 = 12% 7.1 - ...: 866 = 15%

It isn't quite clear what 7.1 contains so that is probably just upper limit and might be a bit lower. We don't have any numbers for f-droid, but from bug reports etc. it is seems to be quite popular, so I would suspect that we have at least 1'000 users that are potentially effected.

simonpoole avatar Nov 29 '20 21:11 simonpoole

See https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516/2 for some information on the --preferred-chain argument to certbot.

simonpoole avatar Nov 29 '20 21:11 simonpoole

News today: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

westnordost avatar Dec 21 '20 16:12 westnordost

D-day has arrived https://github.com/MarcusWolschon/osmeditor4android/issues/2556

simonpoole avatar Jun 11 '24 15:06 simonpoole