Let's encrypt and the PlayStation 4 Browser: Missing CA certificate?

There seems to be a problem with the PS4 Browser and let’s encrypt:

The security of this page cannot be confirmed.

The PS4 does not have the CA root certificate provided by the server.

Do you want to display the page?

happens here: https://marc.tv

Any idea?

Here is what happens when I click on the certificate.

Is the chain complete? Check on https://www.ssllabs.com/ssltest/analyze.html

Otherwise known issue: Which browsers and operating systems support Let's Encrypt

Yes, Chain is complete: A ranking.

https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=marc.tv

what now?

I don’t own a PS4 so I cannot check whether PS4 doesn’t include the “DST Root CA X3” at all.

If it is really missing, why is this a problem? Other encrypted sites work on the ps4. Why not lets encrypt sites?

That’s how SSL/TLS works… The certificate chain needs to “end” in a certificate which is trusted, the so called root certificate. And these root certs are trusted, because they’re pre-installed as such. So no trusted root cert, no trusted chain and no trusted site.

I haven’t even been able to identify a programme from Sony by which roots could apply to be added to the trusted list. So basically some unknown set of roots is trusted, those work, others get the error. Nice. One more reason to avoid using your PS4 for web browsing I guess, but it does mean we can’t even begin to fix this.

There’s a fair chance it’s using (some old version of) the Mozilla NSS root list, as shipped with many Free Software operating systems and tools (and of course Firefox itself). A PS4 owner could verify that either by painstakingly testing sites which use certs from particular CAs or maybe it’s documented in the fine print somewhere.

There’s a list available in the PS4 Web Content Guidelines.

Strange thing though: Which browsers and operating systems support Let’s Encrypt says the PS3 is supported, but the root certificate list for PS3’s is even shorter, without IdenTrust’s DST Root X3-thingy : http://us.playstation.com/pscomauth/groups/public/documents/webasset/ps_web_content-guidelines_2.70.pdf

So how is that possible?

1 Like

The source for PS3 inclusion is this mailing list post, which in turn mentions this Twitter thread as a source:


There were no other mentions of Sony devices. I guess someone misread that for PS3 support.

I’ve amended the root inclusion post.

1 Like

Osiris, your phrase “PS4 Web Content Guidelines” is marked up as a link, but doesn’t lead anywhere. I guess it ought to lead to this, or something similar:

The PS3 list is very short indeed, but even for PS4 it looks like the few people who need their site to be accessible from a PS4 have a narrower choice of CA than you’d need to get good compatibility in PC or mobile browsers. I would guess that an active game developer would have better luck reaching out to Sony than ISRG or the PS4 owners but of course even if they successfully reached out today it would be months or years before Let’s Encrypt certs work in the PS4 browser.

Ugh, it specifically needed http:// in the link, that’s the right file indeed.

well let’s hope sony someday thinks about adding either identrust or ISRG root to their root stores.

As of PS4 firmware 5.00 beta, Let’s Encrypt certificates seem to be trusted and don’t throw up a warning in the web browser.

3 Likes

And the PS4 Web Content Guidelines have been updated to list the DST Root CA X3 as trusted. Still if any game developers/ publishers read this I’m sure ISRG would appreciate knowing who the right people at Sony are to talk to.