Question about test site

Due to “Transitioning to ISRG’s Root” I tested my IoT devices by connecting to the . As expected, “TrustID X3 Root” - failed; “ISRG Root X1” - connected. But my device also connected with “Let’s Encrypt Authority X3 (IdenTrust cross-signed)”
Is it OK, or do I have a problem with my SSL client?

Do you mean the other way around?

It is surprising that TrustID X3 would fail and ISRG Root X1 wouldn’t.

The TrustID X3 root is more widely trusted.

As I understand it, this is a special test site for “ISRG Root X1” and TrustID X3 Root shouldn’t work

The test site uses the ISRG Root X1, which is not used by the default certificate chain yet, but will be soon.

Right now, the default chain uses TrustID X3 Root (a.k.a DST Root CA X3), including this website and (This is the same as “IdenTrust cross-signed”).

If your IoT device can connect to both sites, everything is OK.

If your IoT device can only connect to the second website, then you may need to do something about it.

I’m sorry, I formulated my question badly.
Should “Let’s Encrypt Authority X3 (IdenTrust cross-signed)” work with or should it fail?

The question doesn’t make sense to me, sorry. That site does not use the cross-signed intermediate certificate. I’m not sure what the meaning of “work” and “fail” is in this context.

Fail : SSL handshake fail - Certificate verification failed
Work : SSL handshake OK

Right, but how does the cross-signed certificate relate to the test website? It doesn’t use it.

If it did use it, it would be the same configuration as

As a web server admin, you can use either the cross-signed intermediate certificate (issued by TrustID X3 Root), or the intermediate certificate issued by ISRG Root X1.

They are substitutes for each other.

What is the underlying problem you are trying to solve? Is it about what certificates your IoT devices should trust?

My test shows that when I use “Let’s Encrypt Authority X3 (IdenTrust cross-signed)”, certificate verification passes successfully. If it should pass successfully, I don’t have any problem. If it shouldn’t, I have strange behavior in my SSL client.

I’m not sure what it says about me that I read this as valid-is Groot…
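
The three results reported in the thread, reproduced with a constructed lab PKI (an added example, not code from any poster or from Let's Encrypt). It assumes the device was given the cross-signed intermediate itself as its trust anchor and that its TLS library accepts a chain ending at a trusted intermediate, as `openssl verify -partial_chain` does; `rootA`, `rootB` and every other name are made up.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; every name and key here is made up for the demonstration.
# rootA stands in for the root the test site chains to, rootB for the other root.
verify_lab_chain() (
  d=$(mktemp -d) && cd "$d" || exit 1
  q() { "$@" >/dev/null 2>&1; }    # run quietly, keep the exit status

  for r in rootA rootB; do          # two independent self-signed roots
    q openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Lab $r" -keyout "$r.key" -out "$r.pem" || exit 1
  done

  # ONE intermediate key pair and subject, certified by BOTH roots.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate" \
    -keyout int.key -out int.csr || exit 1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign' 'subjectKeyIdentifier=hash' > ca.ext
  for r in rootA rootB; do
    q openssl x509 -req -in int.csr -CA "$r.pem" -CAkey "$r.key" \
      -set_serial 1 -days 2 -extfile ca.ext -out "int_$r.pem" || exit 1
  done

  # Leaf signed with the intermediate key; the server sends int_rootA with it.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=device.test" \
    -keyout leaf.key -out leaf.csr || exit 1
  q openssl x509 -req -in leaf.csr -CA int_rootA.pem -CAkey int.key \
    -set_serial 2 -days 2 -out leaf.pem || exit 1

  # Verify the served chain (leaf + int_rootA) against a given trust store.
  check() {
    q openssl verify "$@" -untrusted int_rootA.pem leaf.pem \
      && echo pass || echo fail
  }
  echo "anchor=rootA     $(check -CAfile rootA.pem)"
  echo "anchor=rootB     $(check -CAfile rootB.pem)"
  # Client holding only the rootB-signed copy of the intermediate as its anchor.
  echo "anchor=int_rootB $(check -partial_chain -CAfile int_rootB.pem)"
  cd / && rm -rf "$d"
)
verify_lab_chain
```

Both copies of the intermediate carry the same subject and public key, so a leaf signed with that key verifies against either copy; only the signature from the root above it differs.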

