TLS connection to letsencrypt.org fails with Chromium and IE

#1

That’s what’s happening in Chromium and IE (on Windows 7):

Screenshot.png1327×755 90.2 KB

It claims the root cert is missing:

Note that Firefox shows another certificate hierarchy:

The letsencrypt.org cert sent seems to be valid as it’s the same also received by Firefox:

-----BEGIN CERTIFICATE-----
MIIHAjCCBeqgAwIBAgIQfwAAAQAAAUtRVNy9a8fMcDANBgkqhkiG9w0BAQsFADBa
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MRcwFQYDVQQLEw5UcnVz
dElEIFNlcnZlcjEeMBwGA1UEAxMVVHJ1c3RJRCBTZXJ2ZXIgQ0EgQTUyMB4XDTE1
MDIwMzIxMjQ1MVoXDTE4MDIwMjIxMjQ1MVowfzEYMBYGA1UEAxMPbGV0c2VuY3J5
cHQub3JnMSkwJwYDVQQKEyBJTlRFUk5FVCBTRUNVUklUWSBSRVNFQVJDSCBHUk9V
UDEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzETMBEGA1UECBMKQ2FsaWZvcm5pYTEL
MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGE6T8
LcmS6g8lH/1Y5orXeZOva4gthrS+VmJUWlz3K4Er5q8CmVFTmD/rYL6tA31JYCAi
p2bVQ8z/PgWYGosuMzox2OO9MqnLwTTG074sCHTZi4foFb6KacS8xVu25u8RRBd8
1WJNlw736FO0pJUkkE3gDSPz1QTpw3gc6n7SyppaFr40D5PpK3PPoNCPfoz2bFtH
m2KRsUH924LRfitUZdI68kxJP7QG1SAbdZxA/qDcfvDSgCYW5WNmMKS4v+GHuMkJ
gBe20tML+hItmF5S9mYm/GbkFLG8YwWZrytUZrSjxmuL9nj3MaBrAPQw3/T582ry
KM8+z188kbnA7A+BAgMBAAGjggOdMIIDmTAOBgNVHQ8BAf8EBAMCBaAwggInBgNV
HSAEggIeMIICGjCCAQsGCmCGSAGG+S8ABgMwgfwwQAYIKwYBBQUHAgEWNGh0dHBz
Oi8vc2VjdXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3BvbGljeS90cy8w
gbcGCCsGAQUFBwICMIGqGoGnVGhpcyBUcnVzdElEIFNlcnZlciBDZXJ0aWZpY2F0
ZSBoYXMgYmVlbiBpc3N1ZWQgaW4gYWNjb3JkYW5jZSB3aXRoIElkZW5UcnVzdCdz
IFRydXN0SUQgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vc2Vj
dXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3BvbGljeS90cy8wggEHBgZn
gQwBAgIwgfwwQAYIKwYBBQUHAgEWNGh0dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5j
b20vY2VydGlmaWNhdGVzL3BvbGljeS90cy8wgbcGCCsGAQUFBwICMIGqGoGnVGhp
cyBUcnVzdElEIFNlcnZlciBDZXJ0aWZpY2F0ZSBoYXMgYmVlbiBpc3N1ZWQgaW4g
YWNjb3JkYW5jZSB3aXRoIElkZW5UcnVzdCdzIFRydXN0SUQgQ2VydGlmaWNhdGUg
UG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5jb20vY2Vy
dGlmaWNhdGVzL3BvbGljeS90cy8wHQYDVR0OBBYEFNLAuFI2ugD0U24OgEPtX6+p
/xJQMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly92YWxpZGF0aW9uLmlkZW50cnVz
dC5jb20vY3JsL3RydXN0aWRjYWE1Mi5jcmwwgYQGCCsGAQUFBwEBBHgwdjAwBggr
BgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVudHJ1c3QuY29tMEIG
CCsGAQUFBzAChjZodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NlcnRz
L3RydXN0aWRjYWE1Mi5wN2MwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MB8GA1UdIwQYMBaAFKJWJDzQ1BW56L94oxMQWEguFlThMC8GA1UdEQQoMCaCD2xl
dHNlbmNyeXB0Lm9yZ4ITd3d3LmxldHNlbmNyeXB0Lm9yZzANBgkqhkiG9w0BAQsF
AAOCAQEAgEmnzpYncB/E5SCHa5cnGorvNNE6Xsp3YXK9fJBT2++chQTkyFYpE12T
TR+cb7CTdRiYErNHXV8Hl/XTK8mxGxK8KXM9zUDlfrl7yBnyGTl2Sk8qJwA2kGuu
X9KA1o3MFkKMD809ITAlvPoQpml1Ke0aFo4NLO/LJKnJpkyF8L+JQrkfLNHpKYn3
PvnyJnurVTXDOIwQw8HVXbw6UKAad87e1hKGLYOpsaaKCLaNw1vg8uI+O9mv1MC6
FTfP1pSlr11s+Ih4YancuJud41rT8lXCUbDs1Uws9pPdVzLt8zk5M0vbHmTCljbg
UC5XkUmEvadMfgWslIQD0r6+BRRS+A==
-----END CERTIFICATE-----

Additionally in IE the site seems to be a bitz broken as the Let’s Encrypt logo seem to be a bit shrinked:

LoadedSItEScreenshot.PNG1578×1018 400 KB

BTW I’ve created a Wireshark log so if you need I could send to you.

Tested using:

Chromium.PNG761×580 44.4 KB

Will the cross root cover trust by the default list in the JDK/JRE?
[OffTopic] CSR Harmony Wireless Software Stack injects weak root certificate into trust store
#2

Everyone who like this? Do you liked this, because you can confirm this issue?
(Can still reproduce it)

And I’m still waiting for a official reply from Let’s Encrypt about this issue.

#3

Seems fine here with Window 8.1 Pro 64-bit, IE 11.

Snap1.jpg558×736 47.5 KB

#4

Looks fine in IE11 on windows 7

#5

Do you have antivirus software running? I’ve seen multiple reports in just the last few days that antivirus software on Windows (notably Avast) has caused similar problems accessing some websites.

Also, any HTTPS intercepting software (MITM proxy) can cause this to happen - I’ve seen it before.

Which browsers and operating systems support Let's Encrypt
#6

seems fine on Win 8 64bit in Opera 32 and Chrome 46

#7

Yeah, looks like you’re missing the IdenTrust CA cert.

#8

I have AV software running, but SSL interception deactivated.

#9

Yes, in fact it seems like this. I could download it and that may solve the probloem.
And looking into certmgr.msc in fact reveals that this root cert is not there. However I did not deleted it, so I have no idea why it’s gone.
Anyway in a fresh VM with Windows 7 DST Root CA X3 is in the list of root certificates, so this is not a problem for many users AFAIK.

#10

Finally I found the issue now…

It was caused by a setting I had modified. I disabled “Automatic Root Certificates Update” (link 2) which is a technology of Windows to fetch missing root certificates from the Windows update servers to import them into the root certificate store.
This “root certificate lookup” is done when a website sends a not trusted certificate when it is visited. And IdenTrusts root cert seems to be part of this root certs which are not included by Windows “natively”. After re-enabling this option the connection was successfully established and I could find the DST Root CA X3 in the trust store.

More information in this (quite old) article of a German magazine (english translation). I could not find a nice English article about this now, sorry.

Issue fixed. (at least I know the cause)

CERT_AUTHORITY_INVALID in XP SP3
Google, Opera and Explorer https malfunction
#12