I require general assistance with a problem I’ve been having NOT with generating certificates, but with the way LetsEncrypt chain validation is occurring, and I can demonstrate this problem using Windows Server 2012 R2 Standard.
If I access the LetsEncrypt test site (https://valid-isrgrootx1.letsencrypt.org/) from a non server OS (Windows 10) using Chrome, the certificate is reported as valid.
However, if I access the same test site from any Server OS (have tried a few) but for argument’s sake Windows Server 2012 R2 Standard using Chrome, I get the following certificate issue:
“The certificate cannot be verified up to a trusted certification authority”
I notice that there are two Certificate Paths for that test site (using ssllabs): #1 is Not Trusted (using the LetsEncrypt non cross signed intermediate). #2 is Trusted (using the IdenTrust cross signed intermediate).
So, I’m wondering if Windows Server OS’s handle certificate validation differently from Windows Desktop OS’s. Also, is there anything that can be done either by LetsEncrypt, or failing that, us (other than installing the LetsEncrypt root on all server OS machines), to prevent this issue?
It’s my understanding that the IdenTrust certificate has been widely distributed for a number of years, but that the LetsEncrypt root is not yet widely distributed (I think the only place I know that it gets distributed is Firefox version 50 and above).
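
To compare what the desktop and the server actually build for the test site in the post above, the chain Windows constructs during the TLS handshake can be dumped with .NET's `SslStream`. This is an added diagnostic example, not part of the original post; it assumes PowerShell 3.0 or later, outbound access on port 443, and that the root appears in the store under the subject name "ISRG Root X1".

```powershell
# Added diagnostic example (not from the original post).
$hostName = 'valid-isrgrootx1.letsencrypt.org'   # test site named in the post

# Record what Windows decided during the handshake; return $true so the
# connection completes even when validation fails (inspection only).
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($src, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $script:elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
            Status     = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($hostName, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

"Policy errors : $policyErrors"
"Chain status  : $($chainStatus -join ', ')"
$elements | Format-List

# Is the ISRG root present in any root store this machine consults?
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$isrg = Get-ChildItem -Path $stores | Where-Object { $_.Subject -like '*ISRG Root X1*' }
if ($isrg) { $isrg | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-List }
else       { 'ISRG Root X1 not found in the local root stores.' }
```

Run it on both machines and compare the last chain element and the reported status: the difference shows which issuer each machine terminates the path at and whether it treats that issuer as trusted.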