LetsEncrypt certificate is not recognized by Chrome Android 6.0.1/5.0.2

[Kaiduan Xie]

Josh,

I suddenly found that https://helloworld.letsencrypt.org was determined by not private on Chrome on Android 6.0.1/5.0.2 today. This is a very big nasty surprise :(

What has changed on Android side?

Thanks for help,

/Kaiduan

[蔡崴丞]

It's using X1 signed by ISRG Root,which isn't included in most browser.

--
You received this message because you are subscribed to the Google Groups "Let's Encrypt Client Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to client-dev+...@letsencrypt.org.
To post to this group, send email to clien...@letsencrypt.org.
To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CACKRbQeS3MPr_p8EASsJ_LaQgQ6bx4td5f8DjjW_qHVYkpqFng%40mail.gmail.com.

[Melvin Carvalho]

On 15 May 2016 at 07:24, 蔡崴丞 <dann...@gmail.com> wrote:

It's using X1 signed by ISRG Root,which isn't included in most browser.

Works for me on chrome, firefox, opera (desktop)

 

--
You received this message because you are subscribed to the Google Groups "Let's Encrypt CA Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ca-dev+un...@letsencrypt.org.

[Timothy Holborn]

doesn't work on my android device.

[Daniel Reynolds]

It works on Chrome for iOS for me.

To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CAM1Sok2L8vEe0ZfnkOy8f6u2d-9V1vGwQErVu5PZAJXYV0UyjQ%40mail.gmail.com.

[Jeroen de Neef]

It doesn't work for me on Windows 7, Google Chrome version 50.0.2661.102 m.

To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/1463327087957-469b8133-11e51891-52c8c840%40gmail.com.

[Michel Kuijpers]

also doesn’t work on my MacBook Pro (10.11.4 (15E65)) in Safari (Version 9.1 (11601.5.17.1)) but it works in Chrome (Version 50.0.2661.102 (64-bit))

Groeten en een fijne dag,
Michel
-=-=-=-=-=-=-=-

Met vriendelijke groet,
Michel Kuijpers
-------------------------------------
Du-llens Fotografie en Websolutions
URL: http://www.du-llens.net
Email: mic...@du-llens.net
Mobiel: 06-23977966
-------------------------------------

To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CALXQekuEUvxa%3DaKezWEAMtcNVkEEV-Y-AQmdoCSooy3fJaQt3Q%40mail.gmail.com.

[Daniel Jeffery]

As danny8376 pointed out https://helloworld.letsencrypt.org is currently NOT using the intermediate cross-signed by IdenTrust. As a result the site will come up as untrusted if the ISRG root has not been manually added to a browser cache. This is intentional as Let's Encrypt is jumping through hoops with some root programs to get their roots accepted.

--

Daniel Jeffery

e. da...@letsencrypt.org

e. djef...@linuxfoundation.org

m. 801.769.6767

https://keybase.io/danjeffery | https://danjeffery.youcanbook.me/

[Vladimir Djukelic]

DOES NOT work on Safari Version 9.1 (11601.5.17.1) on Mac OS X El Capitan 10.11.4 (15E65)

Screenshot: https://www.dropbox.com/s/wc5jpa7zmgmmpe0/Screenshot%202016-05-15%2019.52.23.png?dl=0

DOES WORK on Chrome Version 50.0.2661.102 (64-bit) on Mac OS X El Capitan 10.11.4 (15E65)

Screenshot: https://www.dropbox.com/s/joauiu8tze6jcw3/Screenshot%202016-05-15%2019.55.21.png?dl=0

About Chrome Screenshot: https://www.dropbox.com/s/trzrqgaqdd0jo26/Screenshot%202016-05-15%2019.58.55.png?dl=0

To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/BA4220B3-A864-4797-98D8-F3B574E8085C%40du-llens.net.

[Timothy Holborn]

how about making a little promo video / campaign explaining for lay people what it is and how to install. perhaps also browser extension that could help if for some reason  (ie: s/w update) the install needs to occur again.

Might also be useful for decentralization generally, but would want to have some means to manage trust with any such tools broadly.

TimH..

[Lucas Garron]

The whole point of Let's Encrypt is to provide a free CA that works *without* users having to do anything.

Also, to take one example, Chrome uses the OS trust store, so it's not straightforward to just "add the root to modern browsers".

In any case, the problem with helloworld.letsencrypt.org has nothing to do with the root(s), since the Let's Encrypt X1 is actually signed by both the ISRG root and the IdenTrust root.

In order to use the current leaf cert, the site needs to serve the Let's Encrypt X1 cert as an intermediate, as suggested by the SSL Labs scanner:

https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=helloworld.letsencrypt.org

This will make it work on the Android devices mentioned in this thread, as well as any other devices that don't support AIA.

»Lucas

[J.C. Jones]

As Dan said, the "Hello World" site is being used as a demonstration of the ISRG Root X1 for various root programs. Recently, Mozilla asked that the helloworld site present the ISRG Root X1-path certificate rather than the cross-signed certificate for their testing [1]. That's why it is configured this way.

In theory, it could present both the cross-signed and not-cross-signed intermediates, but that will break clients in other ways, and still present certificate chain errors at SSL Labs  (specifically "Extra certs, incorrect order") .

In hindsight, it would have been better to use a different site for the root program applications, but it's stuck now.

1) https://bugzilla.mozilla.org/show_bug.cgi?id=1204656#c46

Cheers,

J.C.