
SSL issues on older browsers/OS #15325

Open
SergioGlorias opened this issue May 17, 2024 · 4 comments
@SergioGlorias
Contributor

Exact URL of where the bug happened

In Moment: lichess1.org (full domain) and cf-socket
But in the future it could affect the entire domain.

Steps to reproduce the bug

  1. Use old browsers/OS off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)

What did you expect to happen?

Lichess works

What happened instead?

The domain lichess1.org is unable to connect due to an SSL error

Operating system

Any system off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)

Browser and version (or alternate access method)

Any Browser off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)

Additional information

The domain lichess1.org uses Cloudflare proxies
Since May 15th, Cloudflare has started using Let’s Encrypt's ISRG Root X2 certificates instead of ISRG Root X1
Which means that any navigation system that is older than those mentioned in the list will have problems using Lichess.org

NOTE: Android devices with a version earlier than 7.1.1 are also unable to use Lichess with ISRG Root X1 certificates (which is what lichess.org currently uses); Google had already postponed the problem, and that date has passed.

@SergioGlorias
Contributor Author

[image attached]

@benediktwerner
Member

benediktwerner commented May 17, 2024

Have you tested this? Without lichess1.org, the whole site should be broken but I didn't notice any issues trying with iOS 14 in Browserstack. Checking the certificate chain with openssl, it looks like Cloudflare is using a cross-signed version of ISRG Root X2:

In addition, all platforms which trust ISRG Root X1 also trust the cross-signed version of ISRG Root X2.

Also would be surprised if Cloudflare would drop support for iOS 16 already.

Though ultimately, at some point older certificates expire anyways and there's nothing we can do against that. At some point, a device that doesn't receive any more updates becomes so outdated that it just can't be used anymore. Looks like ISRG Root X1 still has a decade left but we've already had this happen with the previous one a few years ago.
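The chain check described above can be run against saved `openssl s_client -showcerts` output; the following is an added example, not code from the issue or the Lichess project. The sample chain text is constructed (PEM bodies omitted) and mirrors the cross-signed layout discussed here.

```python
import re
# "Certificate chain" lines from `openssl s_client -showcerts`, in both the "CN = x" (OpenSSL 1.1.1+) and older "/CN=x" styles.
_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_CN = re.compile(r"CN\s*=\s*([^,/]+)")
ROOT_X2 = "ISRG Root X2"

def common_name(dn):
    """CN attribute of a distinguished name (whole DN if it has none)."""
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(output):
    """[(subject_cn, issuer_cn), ...] in server order; PEM bodies are skipped."""
    chain, subject = [], None
    for line in output.splitlines():
        if m := _SUBJECT.match(line):
            subject = common_name(m.group(1))
        elif subject is not None and (m := _ISSUER.match(line)):
            chain.append((subject, common_name(m.group(1))))
            subject = None
    return chain

def trust_anchor(chain):
    """Root the client must already trust: issuer of the last certificate sent,
    or its subject when that certificate is self-signed."""
    subject, issuer = chain[-1]
    return subject if subject == issuer else issuer

def needs_x2_trust(chain):
    """True if only platforms trusting ISRG Root X2 can validate the chain;
    False if it ends at the X1-cross-signed X2, so trusting X1 is enough."""
    return trust_anchor(chain) == ROOT_X2

# Constructed sample (PEM bodies omitted) of a chain ending in the
# X1-cross-signed ISRG Root X2, like the one discussed in the issue.
CROSS_SIGNED_CHAIN = """\
Certificate chain
 0 s:CN = lichess1.org
   i:C = US, O = Let's Encrypt, CN = E1
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""
# Constructed sample without the cross-sign: only X2-trusting clients validate it.
X2_ONLY_CHAIN = CROSS_SIGNED_CHAIN.split(" 2 s:")[0]
```

On a live host, feed the same functions the output of `openssl s_client -connect lichess1.org:443 -servername lichess1.org -showcerts </dev/null`.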

@SergioGlorias
Contributor Author

SergioGlorias commented May 17, 2024

I haven't tested it directly, but I'm seeing who is having problems.
Regarding iOS 14, there may have been an application update to extend support,
as happened with Android 7 and below,
which currently no longer trusts lichess.org's current SSL certificate.

I could also ask about it being android 14+

In addition, the operating system's internal systems may no longer have the certificate, but application certificates do.

@benediktwerner
Member

benediktwerner commented May 18, 2024

Do you have any specific cases/versions that are having SSL issues? As mentioned, it looks like Cloudflare is using the cross-signed version of the X2 certificate which, according to the Let's Encrypt page you linked, works on all devices that trust X1.

Which makes sense: Android 14 only released last year; there's no way Cloudflare would already break that. Same for iOS 16, as already mentioned above.

As for devices that don't even trust X1, I'm not sure we can reasonably do much about that. The best option is probably to use something like Firefox which has its own trust store. But such devices must already be lacking years of security updates and probably shouldn't connect to the internet at all. Given how ubiquitous Let's Encrypt is, they probably also can't use most other websites either.
