CERT_AUTHORITY_INVALID in XP SP3

Does anyone have an example of a site protected with a new Let’s Encrypt certificate that works with Chrome + Windows XP SP3?

We’ve issued a new certificate for act.democracyforamerica.com and now receive NET::ERR_CERT_AUTHORITY_INVALID in Chrome. The detailed error is “This certificate cannot be verified up to a trusted certification authority”.

The chain is:

our certificate
Let’s Encrypt Authority X3
DST Root CA X3

and DST Root CA X3 is the certificate that is not in the trust store.

Here's one: https://www.brownlawoffice.us/, just tested to work without errors on both Chrome and IE8.

Your problem is almost certainly that you aren't serving the X3 intermediate certificate.

If you look at https://www.ssllabs.com/ssltest/analyze.html?d=act.democracyforamerica.com under the Handshake Simulation section, you’ll see “Windows XP” is listed as “Server closed connection.” I believe that usually means the server didn’t like any of the cipher suites offered by the client, but according to the test it looks like you offer the right cipher suites and the right protocols.

The test also shows that you’re serving the right certificate chain. I’m a bit stumped.

Might be the following issue:

Hi Jsha:

That’s a red herring – it’s testing IE6+XP, which doesn’t have TLS support, so the connection fails. IE8+XP is what we’re interested in, which does make a connection.

Hi PFG:

Interesting, let me check that.

@danb35, I get the same errors at https://www.brownlawoffice.us/ and my certificate path is identical to yours, so it’s definitely not related to intermediate certificates.

@pfg, “Update root certificates” is checked in my test vm, but that sure does sound like a likely candidate.

I’m going to chalk this up to weirdness in my years-old Windows XP VM image, but I bet it’s out there in the wild as well.

XP can’t die fast enough.

My two sites work perfectly on Windows XP with IE and Chrome.
But on SSL Labs I see errors with Windows XP :stuck_out_tongue:

https://kretyny.pl/ and https://bookeriada.pl/

https://www.ssllabs.com/ssltest/analyze.html?d=kretyny.pl

I'm wondering, then, if it's something with your Windows installation. I have WinXP in a VM and tested it with both IE8 and Chrome just before I posted, and both accepted the cert without issues. Very strange.
