Labels: O-Android (Work related to the Android verifier implementation), bug (Something isn't working)
Description
I'm facing an error on Android where a request (done via reqwest) to https://sgx.opacitylabs.com:18081/sgx/certification/v4/qe/identity gives me an `invalid peer certificate: Revoked` error when using rustls-platform-verifier. After asking Claude to spelunk a bit, it came up with the following info:
Since [Let's Encrypt ended OCSP support in August 2025](https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-end-of-life), all newly issued Let's Encrypt certificates no longer include an OCSP URL in the Authority Information Access extension. These certificates only include a CRL Distribution Point. On Android, rustls-platform-verifier returns invalid peer certificate: Revoked for these certificates, even though the certificate is valid and not present in the CRL.
Steps to Reproduce
Use rustls-platform-verifier on Android to connect to any host with a Let's Encrypt certificate issued after August 2025.
The certificate's AIA extension will look like this (no OCSP entry):

```
Authority Information Access:
    CA Issuers - URI:http://e7.i.lencr.org/
```

Instead of the previously expected format:

```
Authority Information Access:
    OCSP - URI:http://e7.o.lencr.org/
    CA Issuers - URI:http://e7.i.lencr.org/
```
Expected Behavior
Certificate validation succeeds, falling back to CRL-based revocation checking or skipping revocation if CRL is also unavailable.
Actual Behavior
`invalid peer certificate: Revoked`
Root Cause
Android's TrustManager performs mandatory OCSP revocation checking for publicly-trusted certificates. When the certificate has no OCSP URL, it appears to fail with a Revoked error rather than falling back to the CRL distribution point or treating revocation as unknown. rustls-platform-verifier surfaces this as CertificateError::Revoked.
This is not specific to any one certificate or domain — it affects all Let's Encrypt certificates going forward, as LE now exclusively publishes revocation information via CRLs.
Environment
rustls-platform-verifier: 0.6.2
Android (all versions tested)
Let's Encrypt certificates issued after August 2025 (intermediates E5, E6, E7, E8, R10, R11, R12)
I'm not 100% certain this is correct but we have checked our certificates and everything comes from Let's Encrypt and they are not revoked, so I'm not sure what else could be wrong.
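To triage which certificates will trip this behaviour before deploying, the following added example (not code from rustls-platform-verifier or from the reporter) decodes the raw AuthorityInfoAccess extension value with a minimal stdlib DER walker and reports whether an OCSP responder is listed at all; the two sample extension values are constructed inline to mirror the two AIA layouts quoted above. In practice `openssl x509 -noout -text` shows the same information; this just makes the check scriptable without dependencies.

```python
# OIDs from RFC 5280 / RFC 5280 sec. 4.2.2.1, as DER-encoded contents octets.
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers


def _tlv(data: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def access_descriptions(aia_value: bytes):
    """Parse AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription.

    aia_value is the extension's extnValue contents (the OCTET STRING already unwrapped).
    Returns a list of (accessMethod OID bytes, accessLocation URI) pairs.
    """
    tag, seq, _ = _tlv(aia_value)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccess must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _tlv(seq, pos)       # one AccessDescription ::= SEQUENCE { OID, GeneralName }
        _, oid, p = _tlv(desc)
        loc_tag, loc, _ = _tlv(desc, p)
        # GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String -> tag 0x86
        out.append((oid, loc.decode("ascii") if loc_tag == 0x86 else repr(loc)))
    return out


def has_ocsp_responder(aia_value: bytes) -> bool:
    """True if the AIA lists an OCSP responder; False means the Android path described above applies."""
    return any(oid == OID_OCSP for oid, _ in access_descriptions(aia_value))


def _der(tag: int, value: bytes) -> bytes:
    """Encode a short-form DER TLV (sample data here is well under 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def build_aia(entries) -> bytes:
    """Constructed helper: build an AIA value from (OID bytes, URI) pairs for the samples below."""
    body = b"".join(_der(0x30, _der(0x06, oid) + _der(0x86, uri.encode("ascii"))) for oid, uri in entries)
    return _der(0x30, body)


# Constructed samples matching the two extension layouts quoted in the issue.
AIA_CRL_ONLY = build_aia([(OID_CA_ISSUERS, "http://e7.i.lencr.org/")])
AIA_WITH_OCSP = build_aia([(OID_OCSP, "http://e7.o.lencr.org/"), (OID_CA_ISSUERS, "http://e7.i.lencr.org/")])
```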