ACM Certificate Compatibility FAQ

Starting January 11, 2021, all new certificates, including renewals, generated by the Heroku ACM process will be incompatible with older clients, most notably Android hardware running releases prior to Android OS 7.1.1¹. Built-in browsers and apps on these devices that access your web site or app service over secure connections will start to fail with SSL or other security errors. This will affect any Heroku app using Heroku ACM for its own custom domain(s) and the [appname] default domain for Private Space apps. It does not affect Common Runtime apps using [appname]

Heroku ACM certificates are provided by a third-party organization named Let’s Encrypt. The root certificate that signs all the certificates they issue expires in 2021, and its replacement does not have the same level of compatibility as the previous certificate. You can consult web site statistics to determine how many visitors to your site will be affected.

Let’s Encrypt provides some recommendations that site owners can implement based on the relevant scenario:

  • If you have your own Android app and must support affected versions, you can issue an app update that includes and explicitly trusts their ISRG Root X1 certificate. See the Let's Encrypt community post on the matter for the certificate content and methods of testing it.
  • If a device is not capable of running 7.1.1 or later, note that not all browsers use the built-in Android certificate trust store: Firefox Mobile works as far back as Android 5.0, and up-to-date versions of the Firefox app will not be affected by this change.
  • It is possible to get a certificate chain that will work until September 2021 by disabling Heroku ACM and interacting directly with Let’s Encrypt for your site(s)/app(s). Again, see a Let's Encrypt Community post for more information on doing so via their "certbot" utility. Please note that this will only work until September 2021, when the root certificate finally expires.

¹ Also known as Nougat; however, Nougat includes the entire 7.0 release series, and compatibility began as of the 7.1.1 update. Releases 8.0 (Oreo) or later will not be affected.
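
The site-statistics check mentioned above can be run over web server access logs. This is an added example, not Heroku's or Let's Encrypt's code: the function names are hypothetical, the log lines are constructed, and it assumes combined-format logs with the User-Agent as the last quoted field and that any Firefox on Android 5.0 or later is an up-to-date build.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.5 - - [04/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
203.0.113.6 - - [04/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.1.1; Nexus 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
203.0.113.7 - - [04/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 6.0; Mobile; rv:84.0) Gecko/84.0 Firefox/84.0"
198.51.100.8 - - [04/Jan/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
198.51.100.9 - - [04/Jan/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
198.51.100.10 - - [04/Jan/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; GT-I9505) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
'''

UA_FIELD = re.compile(r'"([^"]*)"\s*$')              # last quoted field on the line
ANDROID = re.compile(r'Android (\d+(?:\.\d+){0,2})')  # e.g. "Android 6.0.1"

def android_version(ua):
    """Return the Android version as a 3-tuple, or None for non-Android clients."""
    m = ANDROID.search(ua)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split('.')]
    # Pad missing components with 0, so a bare "7.1" is counted conservatively
    # as 7.1.0 (below the 7.1.1 threshold).
    return tuple(parts + [0] * (3 - len(parts)))

def classify(ua):
    """Bucket one User-Agent by the compatibility rules stated on this page."""
    ver = android_version(ua)
    if ver is None:
        return "not_android"
    if ver >= (7, 1, 1):
        return "ok"
    # Firefox does not use the Android trust store; works back to Android 5.0.
    if "Firefox/" in ua and ver >= (5, 0, 0):
        return "ok_firefox"
    return "affected"

def summarize(log_text):
    """Count requests per bucket across all log lines with a User-Agent field."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket}: {n}")
```

Counts are per request, not per visitor, and User-Agent strings are client-supplied, so treat the result as an estimate.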

