I've set up the ACME client on my OPNsense f/w as I'm using it for my IPsec SSL cert, so I don't need to install my own self-signed cert on end clients, i.e. Win, Android, Macs etc.
My question is: does the Let's Encrypt/R3 cert come already on Windows 10/Macs in their cert manager? That's why I'm doing it this way, to save me the bother of installing my own self-signed cert on every client.
The question is not clear.
To me it sounds like one of two things:
does LE come installed on Win10?
NO, there is no LE software to be installed.
does Win10 trust LE certs (can I use LE certs on Win10)?
YES, this site uses LE certs (and if you are on Win10 you've proven that to work).
[given that you keep your Win10 up-to-date (Windows Updates), it should have the LE certs in the trusted root store]
The topic title includes "CA" which is also confusing...
LE is not a "portable CA" that can be installed anywhere else.
I think that was the question ("do Let's Encrypt certificates validate on client X without having to install something into the trust store?").
To add further information: Let's Encrypt has a root certificate, called ISRG Root X1. This is what's installed on the clients for trust. The R3 you mentioned is an intermediate certificate. This should be sent by your server(s), but does not need to be installed anywhere.
ISRG Root X1 is included in all major root programs, including Apple, Google, Microsoft, Mozilla and Oracle. See the Certificate Compatibility page for more information.
Interesting, when I manually installed the ISRG Root X1 cert by exporting it from my OPNsense fw and importing it into cert manager, under CAs, it worked; I could then log into my VPN from the client.
As soon as I deleted the cert I had just imported, I couldn't log into my VPN any more.
So it seems the cert doesn't come with Windows 10 anymore.
ISRG Root X1 is definitely still part of the Microsoft Root program, and is distributed to all clients where the automatic root update is working. Note that Windows is known to download roots on-demand ("lazy loading"), so ISRG Root X1 is only downloaded upon first visit of a Let's Encrypt-secured website.
There are known cases where the root lazy-loading is not working as intended, see for example here. This can happen if the platform verifier wasn't correctly invoked (some clients don't do this), which prevents the lazy-loading from triggering. The lazy-loading can also fail if the system is unable to download new roots, for example due to network issues (proxy, blocking of MS servers, policy settings...).
There may also be completely unrelated issues with similar symptoms, such as incorrect chains being sent (or none at all).
Look out also for old Group Policy configuration which disabled CA root updates. Years ago there was a bug and admins disabled the CA updates in Group Policy, then forgot about it, so all new machines still get the same broken policy and never update their CA roots.
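The three things the replies above point at (is ISRG Root X1 actually in the Windows root store, has Group Policy switched off automatic root updates, and what chain does the Windows verifier build for the server) can be checked from a PowerShell prompt on the affected client. The script below is an added example written for this thread, not code from the original posts or from Let's Encrypt; the host name `vpn.example.test` is a placeholder you replace with your own, and the chain check assumes the same certificate is reachable on a TLS port (for instance the firewall's web GUI), since the IKEv2 handshake itself is not TLS. The registry value `DisableRootAutoUpdate` under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot` is where the "Turn off Automatic Root Certificates Update" policy is stored.

```powershell
# Added example (not from the thread): triage of Let's Encrypt trust on a Windows client.

function Test-IsrgRootPresent {
    # Look for ISRG Root X1 by subject name in both root stores the verifier consults.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $root = Get-ChildItem $store | Where-Object { $_.Subject -like '*CN=ISRG Root X1*' }
        [pscustomobject]@{
            Store   = $store
            Present = [bool]$root
            Expires = if ($root) { $root.NotAfter } else { $null }
        }
    }
}

function Test-RootAutoUpdatePolicy {
    # The Group Policy "Turn off Automatic Root Certificates Update" is stored as
    # DisableRootAutoUpdate = 1 under this key; when set, lazy loading of new roots cannot work.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    [pscustomobject]@{
        PolicyKeyExists        = Test-Path $key
        RootAutoUpdateDisabled = ($val -eq 1)
    }
}

function Get-ServedChainReport {
    # Performs a TLS handshake through the Windows platform verifier and reports the chain
    # it built plus any policy errors (e.g. RemoteCertificateChainErrors with UntrustedRoot
    # or PartialChain). Running the platform verifier is also what triggers Windows'
    # on-demand root download, so ISRG Root X1 may appear in the store after this call.
    param([Parameter(Mandatory)][string]$Hostname, [int]$Port = 443)

    $report = [pscustomobject]@{ Subjects = @(); ChainStatus = @(); PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $report.Subjects     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $report.ChainStatus  = @($chain.ChainStatus   | ForEach-Object { $_.Status })
        $report.PolicyErrors = $errors
        return $true   # do not abort the handshake; we only want to inspect the result
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Hostname)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
    $report
}

# Usage: run on the client that fails, then again after a successful handshake.
Test-IsrgRootPresent | Format-Table -AutoSize
Test-RootAutoUpdatePolicy
Get-ServedChainReport -Hostname 'vpn.example.test' -Port 443   # placeholder host, replace
```

Reading the result: a chain whose `Subjects` list ends in `CN=ISRG Root X1` with an empty `ChainStatus` means the root is trusted (either already present or just lazy-loaded); `UntrustedRoot` or `PartialChain` together with `RootAutoUpdateDisabled = True` matches the stale Group Policy case described above, while `PartialChain` on a machine where the root is present points at the server not sending the R3 intermediate.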
OK it's working, tested it on my gf's Windows 10 laptop and iPad, connected it to my phone's hotspot and I could connect to my IKEv2 VPN server perfectly!!!
So it must be work's Group Policy stopping the cert download?
As when I manually download the Root X1 cert on my work PC, it works.