Need help updating Android tablets to accept Let’s Encrypt certificates.


Howdy,

I administer several dozen Android tablets via Hexnode. Today, they started returning – in error – a cURL 60 error, asserting that a specific website’s SSL certificate had expired.

I’m nearly certain that the cause is the issue cited here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

That article says that the solution is to:
“[M]ake sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later.”

I’m trying to figure out if I need to and can set one or both of these things on the Android tablets I’m adminning via Hexnode, but I haven’t been able to figure it out yet. Can you help?

(I’ll keep trying to figure this out in the meantime.)

Jonathan Leistiko
Project Manager & IT Manager
Adeo Healthcare Software and Billing Solutions

All Replies

  • Hi Jonathan,

    Hope you are doing well,

    The cURL 60 error that was received would indeed point to the website’s SSL certificate being expired. If the devices or browsers are of an older build, then the trouble could be with the inability to trust the ISRG Root X1. It would be best to check for available OS updates on the device to get this done for the devices that are compatible with the latest OS versions. The latest versions of the OS would have the required certificates trusted and hence this behaviour should not be seen.

    For your devices enrolled under Android Enterprise, you would have the option to schedule the OS updates from Policy > Android > OS updates. Here is a link with more information regarding this: https://www.hexnode.com/mobile-device-management/help/how-to-schedule-os-updates-in-android-devices-using-hexnode/

    With Hexnode, you would also be able to deploy the certificate to the device remotely using the certificate policy that we provide. You can do this from Policy > Android > Certificate. Here is a link with more information regarding this: https://www.hexnode.com/mobile-device-management/help/how-to-add-certificates-for-android-devices-using-hexnode-mdm/

    Please note that although the certificate would be deployed to the device, the device has to be capable of trusting this certificate and this would be dependent on the device and the OS as well.

    Regarding OpenSSL, the various apps that you use would be making use of the higher version of the OpenSSL library. Therefore, it would be a best practice to ensure that the browser app is updated to the latest version. This can be done via Hexnode by setting the app as a mandatory app. This can be done from Policy > Android > Mandatory apps. Once the required apps are added here, the updates shall be automatically pushed to the devices when available.

    If you need any assistance setting up the configurations from the Hexnode portal, you can reach out to the technical support team directly via mdm-support@hexnode.com.

    Cheers!
    Jeff Black
    Hexnode MDM.