[Help needed] Windows XP support

Unfortunately XP not supporting Let’s Encrypt certificates is a showstopper for us. We have deployed Let’s Encrypt on a few of our client sites that originally did not have SSL and also replaced a few DV certificates.

With 10%+ of our user base (and that includes some slow moving corporates) receiving an error message when they visit the sites, we will have to roll back to non-HTTPS and continue buying DV/OV certificates where needed.

When reading the technicals about Let’s Encrypt, we took on board the fact that Blackberry 10 and Android 2.3 aren’t supported, but nowhere was XP mentioned; had it been, then we wouldn’t have considered it a viable solution.

That said, I appreciate the work the Let’s Encrypt team has put into facilitating easy and free access to SSL certificates and will keep an eye on the project with a hope for XP support soon.

The XP thing wasn’t even known until recently, because it seems to be a bug with the cross cert. The “normal” Let’s Encrypt cert would have no problems, but you won’t get it in XP automatically.

Also, almost 2 years after end of life, XP should really be killed off…

Sorry about that! I tried to update all our relevant documentation when we discovered the XP compatibility problems. If you remember which documentation you read that failed to mention XP, I’ll update it.


Not an issue. The current documentation is clear that XP isn’t supported so that should help others making the same decision. I hope a resolution can be reached with ISRG about removing the name constraint and making Let’s Encrypt certificates first class members of the SSL world.

The Wii is also not supported, as I’m betting many other gaming consoles and embedded systems are in the same unfortunate boat.

Well, the name limit is just on the cross cert by IdenTrust. When LE gets trusted, the cross cert isn’t needed anymore, and the “real” intermediate by LE doesn’t have that limit.

I doubt Microsoft would release an update to the XP root certificate store to include Let’s Encrypt, given that they have EOL-ed the product. I don’t even think Microsoft Update works anymore on XP? Unfortunately it looks like it will have to be a case of working with what is there currently for most XP users.

That’s true enough, but the ISRG cannot do much about it, because that was IdenTrust’s decision. If you have control over the XP users, as I said more often than enough in this thread, let them use Firefox. This also gives you the benefit of being able to turn off all the old stuff and go for a very secure server.

So as it seems, the only workable solution would be to get another cross-sign by another CA trusted by Windows XP, which does not have such stupid requirements like Name Constraints.
But I assume it was already difficult to find IdenTrust for this project, wasn’t it?

The other solution is of course to ignore XP users, and if they notice they get errors all over the web and (hopefully) find out that it is because of an outdated OS, they may even use a newer OS or at least install Firefox. And BTW: they don’t have to pay for a new OS - they could also just install Linux. There are many distros that even run on old hardware like XP does.
Obviously this solution is not a nice one for web admins. :wink:


PayPal is announcing their transition from SHA-1 to SHA-256 certs, so that might prompt some WinXP folks to update or change browsers, heh.

While that is an issue on Chrome/Opera/IE + XP SP2, you can still get by on XP SP3 - IIRC.


Well, that probably does cover a lot of people as a way to avoid the problem. Here is a case where that will not work: freindsplus.me is dependent on a Chrome extension (provides Google+ post scheduling capabilities) and thus a Chrome browser. I am assuming they recently started using “Let’s Encrypt” signing in December 2015, as it stopped working on my XP SP3, which led me here. Their extension is only available in Chrome, so I have asked them if there is any chance they can stop using Let’s Encrypt, as I think if the web pages don’t work then the extension won’t work as well. This problem really sucks.

Another point is that having two working browsers is always a good way to troubleshoot problems. Are there any other browsers besides Firefox that can reliably provide a second opinion on XP SP3?

Would someone be able to look at that link and confirm it is the certificate issue for WIN XP discussed in this thread. Thanks.

yeah true… unfortunately

But you know that Chrome isn’t supported on XP anymore, don’t you? So you are on an old version as well, another point of un-updated security.

You can try to manually install the Let’s Encrypt root certificate in the Windows certificate store.

Maybe Let’s Encrypt could even provide an MSI like https://www.cacert.org/index.php?id=3 to do it easily.

but then the server has the problem of having to use a different intermediate.

That’s no problem, because the LE root is the cross-signed intermediate AFAIK.

What do you mean? Both the intermediates contain the same public key, but this key is obviously different from the key pair of the root certificate…

Okay, just having a look at https://letsencrypt.org/certificates/ again, and the intermediate and the root are indeed different certs.
But you still need no other server config, because the intermediate is always served by the server and it is the same no matter whether the IdenTrust or the LE root is used.
And therefore it does indeed make no difference what root is used, as the problematic intermediate is there in any case.
So I was wrong…

Actually, come to think of it… It can work… As the intermediate certificates contain the same public key, they sign every leaf certificate exactly the same…

Only thing you’d have to do, is add the ISRG root certificate to your certificate store somehow and let your server serve the correct intermediate certificate: the one signed by the ISRG root cert, as @My1 already pointed out… But that shouldn’t be a real problem: as far as I know you can serve both certificates, it just increases the size of your TLS handshake…

The following screenshot was made with the following Apache directives:

    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/ssl/mycerts/isrgchain.pem

Where isrgchain.pem = cat letsencryptauthorityx1.pem isrgrootx1.pem > isrgchain.pem (and those two just come from the /certificates/ page of the LE site.)

As you can see, the Pin of both intermediates is the same, but the Fingerprint is different.
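An added example, not code from the thread or from Let’s Encrypt: using the Python `cryptography` package (assumed available), it constructs two intermediate certificates that share one key pair, like the two Let’s Encrypt Authority X1 variants discussed above, and shows that their SPKI pin is identical while their SHA-256 fingerprints differ, plus how to read the Name Constraints extension that only the cross-signed variant carries. All keys, names and the excluded subtree are constructed here, not IdenTrust’s real values.

```python
import base64, datetime, hashlib
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_intermediate(issuer_key, issuer_cn, subject_key, constrained=False):
    # Constructed stand-in for an intermediate CA cert. The same subject key is
    # signed by two issuers; only the "cross-signed" one gets Name Constraints.
    start = datetime.datetime(2016, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(_name("Example Authority X1"))
               .issuer_name(_name(issuer_cn))
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=0),
                              critical=True))
    if constrained:
        builder = builder.add_extension(x509.NameConstraints(
            permitted_subtrees=None,
            excluded_subtrees=[x509.DNSName(".example")]), critical=True)
    return builder.sign(issuer_key, hashes.SHA256())

def spki_pin(cert):
    # HPKP-style "Pin": base64(SHA-256(DER SubjectPublicKeyInfo)); same key,
    # same pin, whoever signed the certificate.
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return base64.b64encode(hashlib.sha256(der).digest()).decode()

def fingerprint(cert):
    # SHA-256 over the whole DER certificate: changes with issuer and signature.
    return cert.fingerprint(hashes.SHA256()).hex()

def excluded_names(cert):
    # Excluded DNS subtrees from Name Constraints, or None if the cert has none.
    try:
        ext = cert.extensions.get_extension_for_class(x509.NameConstraints)
    except x509.ExtensionNotFound:
        return None
    return [n.value for n in ext.value.excluded_subtrees]

# Constructed keys: one shared intermediate key pair, two distinct root keys.
INTER_KEY, ROOT_A, ROOT_B = (rsa.generate_private_key(65537, 2048) for _ in range(3))
ISRG_SIGNED = make_intermediate(ROOT_A, "Example Root X1", INTER_KEY)
CROSS_SIGNED = make_intermediate(ROOT_B, "Example Cross Root", INTER_KEY, True)
```

Because the pin (the key) is the same, a leaf signature made with that key verifies under either intermediate; only the issuer chain and the extensions differ, which is what a client that mishandles Name Constraints trips over.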