[Help needed] Windows XP support

I don’t know if this requires a whole key signing ceremony et cetera, but could this be an opportunity to get an cross-signed ECDSA intermediate?

I thínk it wouldn’t be possible, as there probably won’t be a new private key generated, but one can always ask, right? :stuck_out_tongue_winking_eye:

1 Like

I waiting for this fix, we have around 20 computers with win XP and Chrome with this bug.


With WinXP + Firefox is working normally

I’m afraid you’re correct. This won’t move up the date for an ECDSA intermediate. We’ll be using the same intermediate key, but with a new cert that has a new Subject and lacks the nameConstraints.

Yes bro, in firefox with windows XP SP3 work normally!

well depending whether firefox works with SP2 t could even work there. even with EC.

point is that unlike most other browsers Firefox does its own encryption etc. so even if the system is way too old, Firefox could access high-security HTTPS Pages.

Please publish new ca certs as soon possible, because i am using HPKP and have it locked to LEAX1 and LEAX2 certificates. I need add keys from new crs (LEAX3&4) as early, before they reach production.

Thank you for all!

As stated in the announcement the new intermediates use the same keys, therefore your HPKP pins will remain valid.


@cool110 is correct. Also I’d suggest reviewing the advice at HPKP best practices if you choose to implement.

Newly issued certificates should now work on Windows XP.


@jsha, So just so that I do it right, all I need to do now is to run

letsencrypt-auto certonly

Then how do I determine if it has successfully installed the new cert and is working now with XP? I tried the above, and it said it was successful, but my users are still saying they can not access.

this is my site: www.learnjazzstandards.com

Your certificate was issued on March 3rd. Did you reload your web server? Changes to certificate files won’t be picked up otherwise.

If restarting the web server doesn’t help:
Was ./letsencrypt-auto certonly the complete command you ran? You’ll probably want to run the exact same command you ran initially when you first got your certificate, plus --force-renewal. You could also try ./letsencrypt-auto renew --force-renewal.

@pfg, thanks for using the new name --force-renewal – I think it’s a lot clearer in this context. :slight_smile:

One issue: The default cipher suites and protocols configured by the Let’s Encrypt client are not compatible with Windows XP. If you need to support XP users, you will want to use the “Old” settings from Mozilla’s TLS configuration page.


Now as the new intermediate is released, you should update helloworld.letsencrypt.org so that users can easily test in their own…


Good idea, thanks! Will do.

Well, helloworld is (/was?) also the first valid certificate of Let’s Encrypt ever, right? So in a way it’s some sort of a milestone… Something rememberable.

Somehow it’s also a shame if that first ever valid certificate goes away, right? :stuck_out_tongue:

I’d suggest a “hello-xp.letsencrypt.org” subsite :stuck_out_tongue_winking_eye:

Except that due to the 90 day lifespan that first certificate expired back in December and has been replaced another time since then.

1 Like

:disappointed: so true…

6 posts were split to a new topic: CERT_AUTHORITY_INVALID in XP SP3