Getting The Green Bar in Browsers - What’s Required (Updated: May 2017)


#1

Hello,
I have a quick question: Does Let’s Encrypt consistently provide the green https id across all browsers? I read that some free SSL providers do not provide consistent SSL verification across all web browsers.

Thanks,
Colin


#2

Hi @ctsygiel,

Let’s Encrypt offers domain validation (DV) certificates, which do not assert the identity of the person or organization that runs a web site. There are other kinds of validation that we don’t offer, such as extended validation (EV). You might be hearing about the difference in the way that browsers visually show the presence of each kind of certificate.

Every browser shows this graphically in a slightly different way, and older versions may be different from current versions. A simple way to describe the difference in visual indication is that many current browsers show a green padlock with DV and additionally show a green bar (with site operator information) with EV.

If you want to see how a particular browser will display the presence of a Let’s Encrypt cert, you can visit https://helloworld.letsencrypt.org/ in that browser and see what it will look like. To contrast that with how the browser displays the presence of an EV cert, you could visit the certificate authority https://www.globalsign.com/ (which issues EV certs itself and also uses one on its home page). You might, for example, see a green bar with the GlobalSign cert that you won’t see with the Let’s Encrypt cert.


#3

Amazing Seth. This is very clear to me now, thanks!


#4

I just installed your letsencrypt cert (browser bar is not green) and when I run a scan via https://www.digicert.com/help/ it tells me:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

But looking at https://helloworld.letsencrypt.org/ the cert in the URL is displayed in green.

What’s the difference? How can I fix this pls?


#5

Hi @edgeglobal,

Without your domain name we can’t provide solid advice, but I suppose that you forgot to include the intermediate cert in your web server conf. It can vary by web server and version, but instead of cert.pem you should use fullchain.pem.

If you specify your web server name and version and how you configured your virtual host then we can point to the right way to do it.

Cheers,
sahsanu


#6

I believe this has been dealt to in this post: Testing Approaches To Prove or Disprove - "SSL Certificate is not trusted" message

Try avoiding multiple posts in the future as it doesn’t speed things up.


#7

Just an update on this thread:

There are two components required to get the green bar

A) A valid certificate with the relevant intermediates (web server config)
B) Lately browsers such as Firefox have been evaluating insecure content on pages as well. http://whynopadlock.com/ is a great tool for reviewing websites.

Andrei


#8

To get a green padlock (DV certificate), you have to prove that you own the website. That can, I think, be done automatically by placing a unique file on the server (then later deleting it). But even Let’s Encrypt and Comodo won’t do this for free. It’s a legacy IMO of the history of the Web of Trust and certificates being a big scam to garner lots of money (originally at least $300/year for each certificate) from fat cat advertisers and others on the Web.


#9

Sorry, what? Let’s Encrypt issues all of our DV certificates for free. You can see the certificates that we’ve issued.

https://crt.sh/?Identity=%&iCAID=16418

If you go to the sites mentioned in these certificates in a web browser, you’ll see a green padlock (for most of them, if they’ve set their sites up correctly). We didn’t charge any money to or receive any money from these users for this service.


#10

I’m sorry, I was going by the lack of green at a test site, richardjaybrown.com. This HTTPS site is handled by Let’s Encrypt by AutoSSL in WHM.

See further info about DV and EV certificates.


#11

It’s true that there’s currently no way to get a free EV certificate, and different browsers may show different security indications for DV and EV, including more appealing/impressive security indications for EV such as a green bar rather than just a green lock.


#12

I should have said that OV (not DV) certs show a green padlock, and the issuing CA verifies ownership simply by email or a unique file on the website. Maybe Let’s Encrypt certs will be OV someday. (See https://cheapsslsecurity.com/blog/ssl-certificates-for-website-security/)


#13

No, you shouldn’t have, because that would have been wrong. DV certs do, indeed, show a green padlock, as this very page proves–as I type this, I’m looking at a green padlock, and when I click on it, I see that it’s a cert issued by Let’s Encrypt (and therefore a DV cert).

Maybe pigs will fly, too–it’s about as likely.

Or better yet, don’t–very little of the information there, especially in the comparison of certificate types, is accurate (for example, neither encryption strength nor support for mobile devices has anything to do with the type of cert).


#14

Danb35, Wow, thank you for all the corrections. I’ve been studying secure websites for several days now and still understand very little of the important basics. Anyway, I’ve gotten to the point where I am indeed getting the green padlock, which seems like enough of an achievement by now.

I now pretty much understand how WHM and CPanel support LE certificates. The hard part is doing this all manually on my Windows 8.1 Apache development server. I’ve created a CA cert, but creating an actual DV certificate based on that CA using OpenSSL seems to be more difficult. Anyway, this is not the forum to get help with that.

I wish I could use LE to get a cert for development use on localhost, but that seems impossible.

Since this thread started off so ignorantly, do you think I should delete my postings?


#15

I wouldn’t think deleting anything is called for, and apologies if I came off too strong. It’s just that there’s a lot of FUD out there, perhaps some of it unintentional, about what DV certs (like those issued by Let’s Encrypt) do and don’t do. Relevant to this thread, and to the link you posted:

  • Any type of cert (DV, OV, or EV), if issued by a trusted CA, will give at least a green padlock if your site is configured properly (which mostly means that you aren’t serving insecure content as part of your page).
  • Any type of cert (DV, OV, or EV) will work with mobile devices.
  • Any type of cert can have any supported key length (I think the range is 2048-bit to 8192-bit). No type of cert is “more secure” than any other in that regard.
  • Any type of cert can be used with any valid encryption algorithm–as above, no one type is more secure than any others.
  • Wildcard and multiple-domain certs aren’t alternative cert types to DV/OV/EV; wildcards and multiple domains are orthogonal issues. You can have a wildcard DV cert, a wildcard OV cert, or a wildcard EV cert (as long as the CA/B forum guidelines permit it)–LE will begin issuing wildcard DV certs early next year. Similarly, multiple-domain certs can be DV, OV, or EV–LE currently issues multiple-domain DV certs.