Does anyone have an example of a site protected with a new Let’s Encrypt certificate that works with Chrome + Windows XP SP3?
We’ve issued a new certificate for act.democracyforamerica.com and now receive NET::ERR_CERT_AUTHORITY_INVALID in Chrome. The detailed error is “This certificate cannot be verified up to a trusted certification authority”.
The chain is:
our certificate
Let’s Encrypt Authority X3
DST Root CA X3
and DST Root CA X3 is the certificate that is not in the trust store.
If you look at https://www.ssllabs.com/ssltest/analyze.html?d=act.democracyforamerica.com under the Handshake Simulation section, you’ll see “Windows XP” is listed as “Server closed connection.” I believe that usually means the server didn’t like any of the cipher suites offered by the client, but according to the test it looks like you offer the right cipher suites and the right protocols.
The test also shows that you’re serving the right certificate chain. I’m a bit stumped.
That’s a red herring – it’s testing IE6+XP, which doesn’t have TLS support, so the connection fails. IE8+XP is what we’re interested in, which does make a connection.
@danb35, I get the same errors at https://www.brownlawoffice.us/ and my certificate path is identical to yours, so it’s definitely not related to intermediate certificates.
@pfg, “Update root certificates” is checked in my test VM, but that sure does sound like a likely candidate.
I’m going to chalk this up to weirdness in my years-old Windows XP VM image, but I bet it’s out there in the wild as well.
I'm wondering, then, if it's something with your Windows installation. I have WinXP in a VM and tested it with both IE8 and Chrome just before I posted, and both accepted the cert without issues. Very strange.