Universities / enterprise blocking endpoints behind a LE certificate

That domain name sends the alternate "short chain" from Let's Encrypt. Older Android devices will not connect successfully as they need the default long chain. Nor will any devices that have very old CA Root Certificate stores that do not include ISRG Root X1. This ISRG root is over 5 years old but we have seen cases of people having old stores. Often it is easy to instruct how to update those stores once the oper sys and version is known.

You must have chosen the short chain as the default from LE is the long chain such as used by this forum site. More info on those below.

Maybe switching to the long chain would help but realize there are tradeoffs. Some people that need to support a wide variety of old systems that cannot be updated have needed to use a different certificate authority (ideally a free one like ZeroSSL or others). Maybe have those people try connecting to https://letsencrypt.org and if that works the long chain would help you too.

4 Likes