Https://helloworld.letsencrypt.org/ - Your connection is not private


#1

This is on chrome 49.0.2623.112/windows 10.
On ubuntu server 14.04:

wget https://helloworld.letsencrypt.org/
--2016-04-26 17:27:19--  https://helloworld.letsencrypt.org/
Resolving helloworld.letsencrypt.org (helloworld.letsencrypt.org)... 50.112.105.185
Connecting to helloworld.letsencrypt.org (helloworld.letsencrypt.org)|50.112.105.185|:443... connected.
ERROR: cannot verify helloworld.letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1’:
  Unable to locally verify the issuer's authority.
To connect to helloworld.letsencrypt.org insecurely, use `--no-check-certificate'.

I just created my own certificate through letsencrypt-auto and openssl verify fullchain.pem is failing with:
error 20 at 0 depth lookup:unable to get local issuer certificate

Are the two issues are related?


#3

In short, no I don’t believe they are ( although there is a possibility if your store of trusted authorities is not complete)

Are you happy to provide your domain name, that would help resolve the issue you are having.

With regard to the helloworld.letsencrypt.org that is deliberately using the ISRG Root X1 certificate ( which is not yet trusted ) I believe as they are going through the process of getting the main root approved ( there are links elsewhere on the forum re that). It is also signed by the trusted DST Root CA X3 cert though, so you should have that in your store ( if you don’t that may answer why you are getting the untrusted on both ) .


#4

Very unlikely. The helloworld site has been set up at present to only use the Let’s Encrypt root as we move toward inclusion in some of the root programs ourselves. Since the Let’s Encrypt Authority X1 isn’t in any browser caches yet, it will currently be unverified.

The problem on your site is more likely a misconfiguration, but if you’d like to post more information on the problem you’re having the forum can help you sort it out.


#5

serverco, isk; thank you for the explanation.

I ended up putting the certificate on a nginx server and both chrome and wget were a-ok with it.
I’m still not sure why openssl verify doesn’t work on the pem file but that’s probably on my end and not you guys. The opensssl error + the helloworld example made me think there was an error somewhere but I was wrong.

Sorry for wasting your time, and thank you for the excellent product that letsencrypt is!


#6

Hello @eksrow,

To verify a cert which is signed by an “untrusted” intermediate certficate you should specify that intermediate ca cert in your verify command.

openssl verify -untrusted chain.pem cert.pem

Cheers,
sahsanu


#7

Huh?

Chrome, 50, OSX 10.11, chains up to DST Root (maybe it’s cached)

Firefox 45, OSX 10.11, just Let’s Encrypt Authority X1 then site certificate.


#8

OK

Testing with OpenSSL s_client. Connectring without a SNI servername get’s the DST certificate and with a SNI servername get’s just the ISRG certificate chain