
Let's Encrypt: option to choose the chain, certificate is not valid anymore on older devices

Open pergolafabio opened this issue 3 years ago • 3 comments

Describe the issue you are experiencing

Hi, seems the Let's Encrypt addon is hardcoded to use this chain:

--preferred-chain "ISRG Root X1"

https://github.com/home-assistant/addons/blob/dc81626fadedd3a89ed1b8e2ede1fb3ffd453d74/letsencrypt/rootfs/etc/services.d/lets-encrypt/run#L131

According to this thread, it's the alternate chain

https://community.letsencrypt.org/t/production-chain-changes/150739

Is it possible to make a config option, so we can choose the chain type? Seems the "X1" chain is not supported anymore on older Android types

Thnx in advance

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

4.12.5

Steps to reproduce the issue

No steps to reproduce

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response

pergolafabio avatar Jun 29 '22 12:06 pergolafabio

Platforms that trust ISRG Root X1:

...

Platforms that trust DST Root CA X3 but not ISRG Root X1 - Notice no version of Android is in this list

Known Incompatible:

...

  • Android < v2.3.6

If your Android version is older than 2.3.6 then according to Let's Encrypt nothing will make it work. Except possibly switching to Firefox as your mobile browser. If your Android version is >= 2.3.6 then you should be using ISRG Root X1.

What is your Android version and what actually is the issue you're facing? Did you confirm that changing the chain fixes it by running Let's Encrypt manually on some other system? If so please share the chain you used.

I'm not opposed to a config option but I need to know why and that it will actually help. Btw I think the post you linked is in agreement with what I posted above (I would hope so since my links and quotes come directly from the Let's Encrypt website), it's just confusingly worded. When they say "Android compatibility of the longer chain" I believe they are referring to Android versions < 2.3.6. And to my knowledge neither the post nor what I linked presents any viable options for Android devices that out of date at this point other than (possibly) switching to Firefox.

mdegat01 avatar Jun 30 '22 17:06 mdegat01

Hi, thnx for the feedback, my wall Android devices are using 5.0

Here is some more info and screens:

https://community.home-assistant.io/t/make-ha-use-1-2-tls/434804

pergolafabio avatar Jun 30 '22 17:06 pergolafabio

Hey @mdegat01, did you already create a PR for this?

pergolafabio avatar Jul 29 '22 08:07 pergolafabio

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 28 '22 09:08 github-actions[bot]

Unstale

pergolafabio avatar Aug 28 '22 10:08 pergolafabio

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Sep 27 '22 11:09 github-actions[bot]

I'd also like to opt for an option to choose the chain as my wall tablet with old Android 5.0.1 is now unable to connect to HA when I enable SSL, while using chain "DST Root CA X3" should solve this.

rrooggiieerr avatar Dec 08 '22 21:12 rrooggiieerr
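
One way the requested option could be passed through to certbot's `--preferred-chain`, as an added example that is not the add-on's own code. The option name `preferred_chain` and the functions `resolve_chain` and `run_with_chain` are hypothetical; the allowlist holds only the two chain names mentioned in this thread.

```shell
#!/bin/sh
# Added example, not code from the Let's Encrypt add-on.
# "preferred_chain" is a hypothetical add-on option; its value arrives as $1.

DEFAULT_CHAIN="ISRG Root X1"   # the value the issue says is hardcoded today

# resolve_chain VALUE
# Prints the chain name to hand to certbot. An empty value keeps the current
# default; anything outside the allowlist is rejected so that free-form user
# input never reaches the certbot command line.
resolve_chain() {
    requested="$1"
    if [ -z "$requested" ]; then
        printf '%s\n' "$DEFAULT_CHAIN"
        return 0
    fi
    case "$requested" in
        "ISRG Root X1"|"DST Root CA X3")
            printf '%s\n' "$requested"
            ;;
        *)
            printf 'unsupported preferred_chain: %s\n' "$requested" >&2
            return 1
            ;;
    esac
}

# run_with_chain VALUE COMMAND [ARGS...]
# Runs COMMAND with --preferred-chain appended. The chain name contains
# spaces, so it is expanded quoted and stays a single argument.
run_with_chain() {
    [ "$#" -ge 2 ] || return 2
    chain="$(resolve_chain "$1")" || return 1
    shift
    "$@" --preferred-chain "$chain"
}

# Dry run: print one argument per line instead of calling certbot.
run_with_chain "DST Root CA X3" printf '%s\n' certbot certonly
```

In a real service script the dry-run `printf` would be replaced by the existing certbot invocation with its other arguments unchanged.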