Tools such as curl don’t trust Let’s Encrypt certificates on vanilla Debian systems, even though both root certs Let’s Encrypt uses are included by default.
One has to add the intermediate LE cert to make curl trust LE certs.
I have encountered an issue with Let’s Encrypt’s certs several times in the past and was wondering if the ISRG has plans to deal with that issue or if I am just missing something here.
There are several distributions that include the Mozilla root CA store. Debian, for example, has the ca-certificates package, which includes both of the root certs LE uses: ISRG Root X1 and IdenTrust DST Root CA X3.
When using wget or curl to download something via HTTPS on Debian from a host with a Let’s Encrypt certificate, they both throw an error, though, because they don’t trust the certificate. One has to use the --insecure flag with curl, otherwise it just won’t work.
To fix this, one has to manually add the intermediate cert “Let’s Encrypt Authority X3” to the CA store, to make curl and wget trust Let’s Encrypt certificates.
I’ve read somewhere that browsers actually don’t include the intermediate cert either but do some sort of magic to still trust LE certs…
Are there any plans by the ISRG to include the LE intermediate in distributions? Or is this just a “known issue”?
I know that commercial CAs also use intermediates, so why do those not have this problem?
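
An added illustration, not part of the original post: a throwaway three-level PKI built with `openssl`, showing how path validation behaves when the trust store holds only the root and the leaf was issued by an intermediate. All certificate names, file names and the `check_chain` helper are constructed for this example; none of them are real Let's Encrypt material.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# All names are made up; nothing here is a real Let's Encrypt certificate.
set -e

mk_csr() {  # $1 = dir, $2 = file stem, $3 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  mk_csr "$d" root "Demo Root"
  mk_csr "$d" int "Demo Intermediate"
  mk_csr "$d" leaf "demo.example"
  # Self-signed root: stands in for the root the distro CA store already has.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -out "$d/root.pem" 2>/dev/null
  # Intermediate signed by the root, leaf signed by the intermediate.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # The workaround described in the post: intermediate appended to the store.
  cat "$d/root.pem" "$d/int.pem" > "$d/store_with_int.pem"
}

# $1 = trust store, $2 = leaf, $3 = optional extra certs presented with the leaf
check_chain() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
L="$DEMO_DIR/leaf.pem"
echo "root in store, leaf presented alone:        $(check_chain "$DEMO_DIR/root.pem" "$L")"
echo "root in store, leaf + intermediate presented: $(check_chain "$DEMO_DIR/root.pem" "$L" "$DEMO_DIR/int.pem")"
echo "root + intermediate in store, leaf alone:   $(check_chain "$DEMO_DIR/store_with_int.pem" "$L")"
```

The first case fails because the verifier has no certificate linking the leaf to the trusted root; the other two succeed because the intermediate is available, either presented alongside the leaf or placed in the store.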