Adding ISRG Root X1 certificate to client

joe425 · August 30, 2018, 9:39am

I am having problems connecting to https://miktex.org (this is not my domain) i get NET::ERR_CERT_AUTHORITY_INVALID error in chrome.

I have been told that I need to add the ISRG Root X1 certificate to use this web site securely. Is this the correct advice? See:https://github.com/MiKTeX/miktex/issues/118

I have the DST Root CA X3 certificate, so from my basic understanding that should enable a letsencript certificate to work?

If I do add the ISRG Root X1 certificate how do I verify its thumbprint?
And isn’t adding a root certificates myself from the internet a bad idea?

Sorry if this is posted in the wrong section, there does not seem to be a configuring clients forum or documentation section, which further adds to my assumption that this is the wrong thing to do.

_az · August 30, 2018, 9:45am

So, the site owner is sending the ISRG signed intermediate instead of the one signed by DST Root X3. Ideally they should send the cross-signed intermediate.

In the case that the site owner doesn’t change the intermediate they send, you would need to trust the ISRG root manually.

When you download the certificate from https://letsencrypt.org/certificates/, you could verify it by comparing what you downloaded with public records:

https://censys.io/certificates/96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6 (note the browser “trusted root” status for the Mozilla and Apple programs)
https://crt.sh/?id=9314791

and compare the public key modulus

openssl x509 -in isrgrootx1.pem.txt -noout -modulus
Modulus=ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F

JuergenAuer · August 30, 2018, 9:57am

Hi @joe425

interesting: This is the first domain my chrome shows the ISRG Root:

org

But: I didn't updated my certificate store manual (Windows 10), current crome version.

Other Letsencrypt-domains - DST Root is shown.

joe425 · August 30, 2018, 10:07am

Thanks, that all makes sense, will pass it on to the sites owner.

system · September 29, 2018, 10:07am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.