IIS 8.5 building incorrect chain with Let's Encrypt Authority X3

Yes, Let’s Encrypt did change the intermediate they use for signing new certificates last week. Here’s the post announcing the change.

Previously issued certs used the “Let’s Encrypt Authority X1”, so certificate chains would need to be constructed with that. But now new certs are signed using the “Let’s Encrypt Authority X3”. This is a good thing, as we now get Windows XP support. In my testing, I’ve found Chromium on Linux to accept a certificate chain where the cert is signed by the X3 intermediary but erroneously includes the X1; whereas Firefox, curl and SSL Labs all complain that the chain is invalid. Your results may vary on other OSes and browsers; any automated scripts creating chains need to be updated to use the X3 for any new certs.

Some of the language on https://letsencrypt.org/certificates/ is now out of date; toward the bottom it still describes LE as using the X1 intermediary, and shows this in the diagram. Someone at LE should fix this!
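As an added illustration (not part of the post above, and not the real Let’s Encrypt CAs), the following script builds a toy PKI with openssl: one root, two intermediates standing in for X1 and X3, and a leaf signed only by the X3 stand-in. It then shows the check a chain-building script should make (leaf issuer DN equals intermediate subject DN) and how a strict verifier rejects the bundle that pairs the leaf with the wrong intermediate. All names are constructed; it assumes `openssl` 1.1.1 or newer is on the PATH.

```shell
# Constructed toy PKI: root, "x1" and "x3" intermediates, leaf signed by x3.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# newkey_csr NAME CN: fresh P-256 key plus a CSR for the given common name.
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

newkey_csr root "Toy Root"
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null
for inter in x1 x3; do
  newkey_csr "$inter" "Toy Authority $inter"
  openssl x509 -req -in "$inter.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions ca -out "$inter.pem" 2>/dev/null
done
newkey_csr leaf www.example.test
openssl x509 -req -in leaf.csr -CA x3.pem -CAkey x3.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions leaf -out leaf.pem 2>/dev/null

# issuer_matches LEAF INTERMEDIATE: the cheap pre-check for a chain-building
# script: does the leaf's issuer DN equal the candidate intermediate's subject DN?
issuer_matches() {
  [ "$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')" ]
}

# verify_chain INTERMEDIATE: full path validation leaf -> intermediate -> root.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

for inter in x1 x3; do
  issuer_matches leaf.pem "$inter.pem" && m=match || m=MISMATCH
  verify_chain "$inter.pem" && v=OK || v=INVALID
  echo "leaf + $inter: issuer/subject $m, openssl verify $v"
done
```

The x1 bundle fails with "unable to get local issuer certificate", which is the same condition Firefox, curl and SSL Labs report for a served chain that carries the X1 instead of the X3.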
