Zendesk SDKs impact due to Let's Encrypt root certificate update

UPDATE, December 23, 2020: Let's Encrypt have developed a way for older Android devices to retain their ability to visit sites that use Let’s Encrypt certificates after their cross-signed intermediates expire. More information can be found here. The workaround options described below should no longer be necessary.

On November 6, 2020, Let’s Encrypt announced that as of January 11, 2021, the DST Root X3 root certificate that Let’s Encrypt have been using will no longer be the default root certificate and will be replaced by their own ISRG Root X1 certificate. Let’s Encrypt’s new ISRG Root X1 certificate is not compatible on Android versions earlier than 7.1.1 . As a result, any mobile apps or SDKs using Let’s Encrypt certificates for HTTPS signing will no longer function correctly after January 11, 2021 for Android users on versions earlier than 7.1.1.

At Zendesk, we expect the impact to be limited to a small subset of customers using the following Android SDKs:

  1. Zendesk Support SDK (including Guide)
  2. Zendesk Chat SDK
  3. Zendesk Answer Bot SDK
  4. Zendesk Talk SDK

Only customers using host-mapped domains, like help.example.com, with our SDKs, signing with Let’s Encrypt certificates, and with users on Android 7.1.1 and older are impacted. Zendesk subdomains, like example.zendesk.com, are signed by Cloudflare, and are not impacted by the Let’s Encrypt update.

Zendesk’s Sunshine Conversations SDK does not use Let’s Encrypt certificates, and is not impacted by this change.

If you are impacted, there are two potential workaround options available to you:

  1. Use Zendesk subdomain. By using a Zendesk subdomain (eg: “your-company.zendesk.com”) when initializing the SDKs, you will not be impacted by the Let’s Encrypt certificate update.
  2. Enable the alternate certificate chain. If your ACME client supports “alternate” link relation, you can update your ACME client to serve an alternate certificate chain for the same certificate that leads to the existing DST Root X3 and offers broader compatibility. More details on this method is available here (https://letsencrypt.org/2020/11/06/own-two-feet.html#if-you-are-a-site-owner). The DST Root X3 root certificate is set to expire on September 1, 2021.

If you are unsure of whether you are impacted, we encourage you to reach out to your certificate provider.