[Help needed] Windows XP support

Also, Google penalizes sites that aren't HTTPS

So back to topic...
There is good news:

Certificate Compatibility with Windows XP

ETA: Before March 22, 2016

A bug in Windows XP causes parsing of our current cross-signature
from IdenTrust to fail. We will be correcting this by getting new
cross-signatures from IdenTrust which work on Windows XP.

9 Likes

Can’t wait! This will improve adoption rates for sure

Awesome news @rugk :thumbsup:

Any details about the new CA cert? Should I start the renewal process? :smiley:

We’ll post when it’s ready. It’ll be soon, but we probably won’t quite hit the estimated date of March 22.

1 Like

Do you have any ETA? So, is it like early April, middle April, early May, what?

Thank you for letting us know.
Cheers

I would say probably early April.

1 Like

I don’t know if this requires a whole key signing ceremony et cetera, but could this be an opportunity to get a cross-signed ECDSA intermediate?

I think it wouldn’t be possible, as there probably won’t be a new private key generated, but one can always ask, right? :stuck_out_tongue_winking_eye:

1 Like

I'm waiting for this fix, we have around 20 computers with Win XP and Chrome with this bug.

Note:

With WinXP + Firefox it is working normally

I’m afraid you’re correct. This won’t move up the date for an ECDSA intermediate. We’ll be using the same intermediate key, but with a new cert that has a new Subject and lacks the nameConstraints.

Yes bro, in Firefox with Windows XP SP3 it works normally!

Well, depending on whether Firefox works with SP2, it could even work there. Even with EC.

Point is that, unlike most other browsers, Firefox does its own encryption etc., so even if the system is way too old, Firefox could access high-security HTTPS pages.

Please publish the new CA certs as soon as possible, because I am using HPKP and have it locked to the LEAX1 and LEAX2 certificates. I need to add keys from the new certs (LEAX3&4) early, before they reach production.

Thank you for all!

As stated in the announcement the new intermediates use the same keys, therefore your HPKP pins will remain valid.

2 Likes

@cool110 is correct. Also I’d suggest reviewing the advice at HPKP best practices if you choose to implement.
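
Why the pins stay valid, as an added example that is not part of the thread or Let's Encrypt's own code: an HPKP pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, so a reissued certificate over the same key, with a new Subject and no nameConstraints, hashes to the same pin. The certificate skeletons, names and key bytes below are constructed placeholders (unsigned, not real keys or real Let's Encrypt certificates).

```python
import base64, hashlib

def tlv(tag, body):
    """DER-encode one element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(der, pos):
    """Return (tag, body_start, end) for the DER element at pos."""
    tag, n = der[pos], der[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
    if pos + n > len(der):
        raise ValueError("truncated DER")
    return tag, pos, pos + n

def spki_pin(cert_der):
    """HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    _, pos, _ = read(cert_der, 0)                  # Certificate
    _, pos, _ = read(cert_der, pos)                # tbsCertificate
    tag, _, end = read(cert_der, pos)
    if tag == 0xA0:                                # optional [0] version
        pos = end
    for _ in range(5):      # serial, signature, issuer, validity, subject
        _, _, pos = read(cert_der, pos)
    _, _, end = read(cert_der, pos)                # subjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))))

def toy_cert(subject_cn, spki, extensions=b""):
    """Constructed, unsigned certificate skeleton with the X.509 field order."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name("Constructed Root") + tlv(0x30, b"") + name(subject_cn)
           + spki + extensions)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

# Constructed placeholder bytes standing in for two different public keys.
KEY_A, KEY_B = (tlv(0x30, s * 8) for s in (b"constructed key A", b"constructed key B"))
CONSTRAINTS = tlv(0xA3, tlv(0x30, b"constructed nameConstraints"))
OLD = toy_cert("Constructed Authority X1", KEY_A, CONSTRAINTS)
NEW = toy_cert("Constructed Authority X3", KEY_A)      # same key, new Subject
REKEYED = toy_cert("Constructed Authority X3", KEY_B)  # a new key would break pins
```

`spki_pin` follows the standard X.509 field order, so it also accepts a real DER certificate, for example the output of `ssl.PEM_cert_to_DER_cert()`.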

Newly issued certificates should now work on Windows XP.

2 Likes

@jsha, So just so that I do it right, all I need to do now is to run

letsencrypt-auto certonly

Then how do I determine if it has successfully installed the new cert and is working now with XP? I tried the above, and it said it was successful, but my users are still saying they cannot access.

this is my site: www.learnjazzstandards.com

Your certificate was issued on March 3rd. Did you reload your web server? Changes to certificate files won’t be picked up otherwise.

If restarting the web server doesn’t help:
Was ./letsencrypt-auto certonly the complete command you ran? You’ll probably want to run the exact same command you ran initially when you first got your certificate, plus --force-renewal. You could also try ./letsencrypt-auto renew --force-renewal.