Valid-isrgrootx1.letsencrypt.org is serving the wrong intermediate

I have not been able to access the test server (https://valid-isrgrootx1.letsencrypt.org/) from an Android app on any version of Android (7.0 & 11) with or without the network-security-config and okHttp fixes. However, I can access the test server from a Chrome browser on every version of Android I have tried including Android 7. Is anybody else having the same problem? The error is "Trust anchor for certification path not found."

2 Likes

Just noticed similar thing and was debugging. Not sure why.

New certs? who dis? https://crt.sh/?q=valid-isrgrootx1.letsencrypt.org

1 Like

I can confirm this on my end too. Seems like new certs :man_facepalming:

2 Likes

The valid-isrgrootx1 system is sending the wrong intermediate. (The leaf is signed by R3, but it's sending the LE Authority X3 intermediate.)

openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443
Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

@lestaff: I think your official "valid ISRG Root X1" server is incorrectly configured.

4 Likes
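A small offline check for exactly the misconfiguration diagnosed in the post above, added here as an example (it is not code from Let's Encrypt or from anyone in this thread). It parses the "Certificate chain" block that `openssl s_client` prints and verifies that each certificate's issuer (`i:`) is the subject (`s:`) of the next one, ending at an expected root; the built-in sample is the output quoted above, and the "good" sample is a constructed chain showing what a correctly configured server would print. Matching names only proves the chain is assembled consistently, not that the signatures verify, so it complements rather than replaces `openssl verify`.

```python
"""Check that a TLS chain, as printed by `openssl s_client`, actually links.

Added example for this thread (not Let's Encrypt's code): a server that ships
an intermediate that did not sign its leaf passes every per-certificate check
yet fails this one, which is why clients that do not fetch missing
intermediates themselves report a path-building error.

Usage: openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 chaincheck.py
"""
import re
import sys

# Output quoted in the thread (the misconfigured state), embedded so the
# script runs offline.
SAMPLE_BAD = """Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Constructed sample of a correctly assembled chain (hypothetical output,
# not captured from the server).
SAMPLE_GOOD = """Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# " 0 s:<subject>" and "   i:<issuer>" lines; other lines newer openssl
# versions print (a:, v:) are ignored.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# Root the chain is expected to terminate at (name match only).
EXPECTED_ROOTS = ("C = US, O = Internet Security Research Group, CN = ISRG Root X1",)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    subject = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def find_chain_problems(chain, trusted_roots=EXPECTED_ROOTS):
    """Return human-readable problems; an empty list means the chain links."""
    if not chain:
        return ["no certificates found in input"]
    problems = []
    for n in range(len(chain) - 1):
        issuer = chain[n][1]
        next_subject = chain[n + 1][0]
        if issuer != next_subject:
            problems.append(
                f"cert {n} was issued by '{issuer}' but cert {n + 1} is '{next_subject}'"
            )
    last_issuer = chain[-1][1]
    if last_issuer not in trusted_roots:
        problems.append(f"chain ends at '{last_issuer}', which is not an expected root")
    return problems


if __name__ == "__main__":
    # Read openssl output from a pipe; fall back to the thread's sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    found = find_chain_problems(parse_chain(data))
    for p in found:
        print("PROBLEM:", p)
    print("chain OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run against the quoted output it reports one problem: cert 0 was issued by R3 but cert 1 is Let's Encrypt Authority X3. It is cheap enough to run from a deployment pipeline after every certificate or intermediate rotation.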

Thank you all for the report and verification, we're on it.

3 Likes

Looks fixed. A good way to start a Friday!

5 Likes

It does look fixed to me now, thank you for the quick response.

At the risk of being a troublemaker here, is this considered an "incident"? I know that CAB requires an official "valid" server (and it's referenced in CP v2.5 section 2.2), but I don't know as "100% uptime" is actually a requirement. It is a bit disconcerting, though, that people were having trouble validating their applications because Let's Encrypt itself wasn't handling its new intermediate correctly, similarly to if the organization hadn't noticed one of its certificates expiring.

1 Like

I'd think this is possibly more akin to an availability outage, like if the certificate issuance function went down unexpectedly for a period of time.

That makes sense. It's probably the kind of thing where being down for 90 days would be a big deal, being down for 90 seconds would be irrelevant, and the "line" may be somewhere in-between but is somewhat fuzzy and "I know it when I see it". I just thought OCSP going down can be an "incident", and I didn't know if this was similar. Thanks!

1 Like

Well, my view isn't an official Let's Encrypt position, but that's my guess. :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.