Where does the Let's Encrypt intermediate certificate come from?


#1

Hello folks,

Recently we’ve started converting our Web site to use TLS using the Let’s Encrypt site certificates. As an aside, this turned out to be somewhat non-trivial, because our Web server runs on Windows, and currently the installation tutorials are written with Linux in mind. But this is beside the point. We managed it. The work is done, the site works, and certificates update. But, in the process, we encountered a rather strange problem.

Some users reported that their browser (usually, but not always, Firefox) is complaining that the site is insecure, or untrustworthy, or misconfigured. We managed to track the cause of the problem - the user didn’t have the intermediate Let’s Encrypt certificate (the one used to sign the site certificates) in their trusted store. In one case it was present in the certificate store used by Internet Explorer and Chrome (both browsers use the same one) but not in the store used by Firefox, which is why only Firefox had problems opening our site.

I created a pristine WinXP virtual machine and downloaded and installed Firefox on it. The Let’s Encrypt certificate was missing both from the IE and the Firefox stores. Performing an update of Firefox did not improve the situation.

So, my question is - where is this certificate supposed to come from? I thought that it should be installed in the IE store by Microsoft Update and in the Firefox store when updating that browser - but, apparently, this is not the case. I am pretty certain that I have not installed it manually on my computer (and especially on my mother’s computer), yet it is present there, so obviously it comes automatically from somewhere.

Any ideas?


#2

Yeah, that means you aren’t serving the intermediate. The official client creates a fullchain.pem file which is what you want. The chain.pem file is always the same, I think, so you can probably just steal that file from any installation and concatenate it with your certificate.


#3

Your server.

Operating systems and/or clients will have a root certificate store. These certificates will be used to validate the end of a certificate chain. For best compatibility, your server will also need to serve the intermediate certificate(s), otherwise some clients might complain… (As a matter of fact, the client could download the intermediate according to the information provided in the leaf certificate, but it seems not every client will do that…)

See the info provided by @riking for more info about the specific Let’s Encrypt semi-specific filenames.
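
The situation the two replies above describe, as an added example that is not part of this thread: a throwaway root, intermediate and leaf are generated with openssl (all names are constructed), and `openssl verify` plays the role of a client whose trust store holds only the root. The leaf alone fails to validate; the same leaf with the intermediate supplied next to it, which is exactly what a `fullchain.pem` gives the client, validates.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds root -> intermediate -> leaf
# with throwaway keys and checks validation with and without the intermediate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
Q="/dev/null"

# Extensions that make a certificate usable as a CA (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed; this is what a client's trust store contains.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Example Root" >$Q 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem -days 30 >$Q 2>&1

# Intermediate CA signed by the root; the client does NOT have this one.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Constructed Example Intermediate" >$Q 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out chain.pem -days 30 >$Q 2>&1

# Leaf (the site certificate) signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" >$Q 2>&1
openssl x509 -req -in leaf.csr -CA chain.pem -CAkey int.key -CAcreateserial \
  -out cert.pem -days 30 >$Q 2>&1

# fullchain.pem = leaf first, then the intermediate: what the server should send.
cat cert.pem chain.pem > fullchain.pem

# chain_status LEAF [EXTRA]: validate LEAF trusting only root.pem, optionally
# with EXTRA offered as untrusted material the way a server sends its chain.
# Prints "ok" or "fail" and always returns 0 so it is safe under set -e.
chain_status() {
  extra=""
  if [ $# -ge 2 ]; then extra="-untrusted $2"; fi
  if openssl verify -CAfile root.pem $extra "$1" >$Q 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "leaf only:            $(chain_status cert.pem)"
echo "leaf + chain.pem:     $(chain_status cert.pem chain.pem)"
echo "leaf + fullchain.pem: $(chain_status cert.pem fullchain.pem)"
```

The first line prints `fail` (OpenSSL reports it cannot find the issuer), the other two print `ok`, which is the difference between a server that sends only `cert.pem` and one that sends `fullchain.pem`.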


#4

Thanks for the tip. Indeed, we were not appending the intermediate certificate. OK, we changed that and are now doing it. However, it still doesn’t work on my virtual machine. :frowning: The FAQ says something about WinXP being problematic (although my mother’s computer uses WinXP and the site in question works fine on it), so I tried a Linux virtual machine with Firefox - and, again, the site doesn’t work properly there. :frowning:

The site is https://madmaxsoft.net - can you check what is wrong with the certificate it serves?


#5

Never mind, we had forgotten to restart the server. Works now. Thank you for your help, folks.


#6

Windows XP with Firefox works. XP with browsers that use schannel (Internet Explorer, Chrome, …) won’t work.