K-9 may start reporting certificate errors for Let's Encrypt/ISRG certificates on old Android (<=7.0)

Hello all!

I had a question, but I was able to answer it on my own. However, since this may affect other K-9 users, I thought I would note what I found. It’s very possible the K-9 developers are already aware of this situation.

Quick version:

Let’s Encrypt/ISRG security certificates will probably gradually stop working on older Android devices (about Android 7.0 and older) from now through September 2024.

If an email provider uses such a certificate on their IMAP, POP, or SMTP server, this may manifest as a certificate error when K-9 tries to check or send mail. There are ways around this, but they may not be secure.

Background:

I am running an older version of K-9 (5.600) on Android 5.1 on a circa-2016 ARM A8 tablet. K-9 worked just fine when I last used it, on public wi-fi, in mid-March 2024.

A couple of days ago (mid-April 2024), I tried to use K-9 while connected to the public wi-fi at a local library, but it gave a certificate error when trying to check my email. I thought maybe this was caused by some kind of security or filtering mechanism on the library’s public wi-fi, so I just closed K-9 and didn’t check my email.

Yesterday, I tried it again on my home wi-fi, and got the same certificate error. K-9 pops up an overlay titled “Unrecognized Certificate”, with some user advice, and then a dump of the problem. The main error seemed to be “Trust anchor for certification path not found”; it didn’t know what to do with the “Let’s Encrypt R3” certificate or its parent “ISRG Root X1” certificate.

Research:

A little web searching revealed that older Android devices didn’t have any Internet Security Research Group (ISRG)/Let’s Encrypt certificates in their “system” certificate store. ISRG’s solution for a while was to cross-sign their certificate with another certificate that older Android did have in its “system” certificates, so Android would accept the ISRG certificate. ISRG has now stopped doing that cross-signing, which means that older Android devices, like mine, will stop being able to use their certificates.

ISRG’s own page about this, “Shortening the Let's Encrypt Chain of Trust”, specifically cites “Android 7.0 and earlier” as likely to have problems. Their suggested solution for web browsing is to use Firefox Mobile, which has its own internal certificate store that includes their certificates. This doesn’t help email clients like K-9, though.

Work-arounds:

I figured out two different work-arounds for this problem. One is to add the ISRG certificates to Android’s “user” certificate list, and the other is to tell K-9 to just ignore the certificate problem. Both ways seem to work, but they might limit the security normally provided by the security certificates. In other words, with either work-around, you might end up talking to a bad guy’s mail server without knowing it.

Not work-arounds:

In most versions of Android, it’s apparently either not possible or rather difficult to install new certificates into the “system” certificate store, so I didn’t pursue that option. “Rather difficult” seems to mean that the device vendor (Samsung, LG, Motorola, etc.) has to issue an Android OS update specifically for your model of device. I found one hint that it might be possible to do this if your device is rooted, but I haven’t tried that method, so I don’t know if it works.

In theory, it would be possible for K-9 to keep its own list of security certificates, and not rely only on the Android certificate store. I’m pretty sure Firefox Mobile does this. However, this would require a certain amount of development effort.

Checking the certificates manually:

I gave myself a little bit of confidence by using openssl on a Linux desktop machine with a connection I trust to connect to my email provider’s IMAP server and show the certificates they are sending. The key fingerprints I got that way matched the fingerprints on K-9’s “Unrecognized Certificate” screen.

I also noted that the R3 certificate from my email provider had been generated on 2 April 2024, which probably explains why it worked in mid-March but not in mid-April.

Finally, I contacted support at my email provider and asked them 1) when did they last update their certificates and 2) what they thought the fingerprints of their IMAP and SMTP servers were. They replied that they had updated their certificates after the change at ISRG, and told me the fingerprints. Both fingerprints matched what K-9 was reporting on the “Unrecognized Certificate” page, so I have confidence that I really am connecting to the servers I think I’m connecting to.

I hope this helps!
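The following is an added example, not part of the post above and not K-9 or ISRG code. It reproduces, offline, what the “Work-arounds” and “Checking the certificates manually” sections describe: it builds a throwaway three-certificate chain that stands in for ISRG Root X1 → Let's Encrypt R3 → the provider’s IMAP certificate (the names Test Root X1, Test R3 and imap.example.com are constructed for the example), verifies the server-sent chain once with a trust store that lacks the root (OpenSSL’s “unable to get local issuer certificate” is the counterpart of Android’s “Trust anchor for certification path not found”) and once with the root added as a trusted user certificate, and prints the SHA-256 fingerprints and notBefore dates one would compare against K-9’s “Unrecognized Certificate” screen and the provider’s answer. It needs only a POSIX shell and OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): model the old-Android trust problem with openssl.
# Names, hostnames and the whole chain below are constructed stand-ins, not real certificates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Helper: issue a certificate from a CSR with the given extensions (kept out of openssl.cnf on
# purpose so the result does not depend on the distribution's default config).
issue() {  # $1=csr $2=out.pem $3=extfile $4=days  $5..=signing options (-signkey or -CA/-CAkey)
  csr=$1; out=$2; ext=$3; days=$4; shift 4
  openssl x509 -req -in "$csr" -sha256 -days "$days" -extfile "$ext" -out "$out" "$@" 2>/dev/null
}

# --- constructed chain ---------------------------------------------------------------------
# Root CA (stand-in for ISRG Root X1): self-signed.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root X1" \
  -keyout root.key -out root.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' > root.ext
issue root.csr root.pem root.ext 3650 -signkey root.key

# Intermediate CA (stand-in for R3): signed by the root, may issue leaf certificates only.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test R3" -keyout int.key -out int.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > int.ext
issue int.csr int.pem int.ext 1825 -CA root.pem -CAkey root.key -CAcreateserial

# Server certificate for the hypothetical IMAP host: signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=imap.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:imap.example.com' \
  'authorityKeyIdentifier=keyid' > leaf.ext
issue leaf.csr leaf.pem leaf.ext 90 -CA int.pem -CAkey int.key -CAcreateserial

# --- the checks from the post ---------------------------------------------------------------
# SHA-256 fingerprint of one PEM certificate, colon-separated as K-9 displays it.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# One line per certificate in a PEM bundle (for a live server the bundle would be the output of
# `openssl s_client -connect imap.example.com:993 -showcerts </dev/null`): subject, issuer and
# notBefore, so the chain's shape and issue date are visible at a glance.
describe_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{n++; in_cert=1}
       in_cert{print > ("chain_" n ".pem")}
       /-----END CERTIFICATE-----/{in_cert=0}' "$1"
  for f in chain_*.pem; do
    [ -e "$f" ] || continue
    printf '%s | issuer: %s | %s\n' \
      "$(openssl x509 -in "$f" -noout -subject)" \
      "$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')" \
      "$(openssl x509 -in "$f" -noout -startdate)"
    rm -f "$f"
  done
}

# Verify LEAF ($1) for hostname $2, using the server-sent INTERMEDIATE ($3) as untrusted input and
# ROOT ($4) as the only trust anchor; pass "" for $4 to model a store that lacks the root.
# Prints "OK" or OpenSSL's one-line reason; never aborts the script.
verify_leaf() {
  if [ -n "$4" ]; then anchors="-CAfile $4"; else anchors="-no-CAfile"; fi
  if out=$(openssl verify -no-CApath $anchors -untrusted "$3" -verify_hostname "$2" "$1" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

# --- run --------------------------------------------------------------------------------------
cat leaf.pem int.pem > server_chain.pem   # what the server sends in the TLS handshake (no root)
echo "Chain as sent by the server:"
describe_chain server_chain.pem
echo "Leaf fingerprint (compare with K-9's screen): $(fingerprint leaf.pem)"
echo "Intermediate fingerprint:                     $(fingerprint int.pem)"
echo "Trust store WITHOUT the root (old Android):   $(verify_leaf leaf.pem imap.example.com int.pem "")"
echo "Trust store WITH the root added as user cert: $(verify_leaf leaf.pem imap.example.com int.pem root.pem)"
```

Two points worth noticing when doing this against a real server. First, `verify_leaf` passes `-verify_hostname`: a chain that validates but for the wrong name is exactly the “bad guy’s mail server” case the post warns about, and comparing fingerprints only protects you if you compare the leaf’s fingerprint, not just the intermediate’s. Second, adding the root to the “user” store makes the chain verify, but it also means every certificate that root ever issues is trusted, so check the root’s fingerprint against ISRG’s published value before installing it.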