Recently we’ve started converting our Web site to use TLS using the Let’s Encrypt site certificates. As an aside, this turned out to be somewhat non-trivial, because our Web server runs on Windows, and currently the installation tutorials are written with Linux in mind. But this is beside the point. We managed it. The work is done, the site works, and certificates update. But, in the process, we encountered a rather strange problem.
Some users reported that their browser (usually, but not always, Firefox) is complaining that the site is insecure, or untrustworthy, or misconfigured. We managed to track the cause of the problem - the user didn’t have the intermediate Let’s Encrypt certificate (the one used to sign the site certificates) in their trusted store. In one case it was present in the certificate store used by Internet Explorer and Chrome (both browsers use the same one) but not in the store used by Firefox, which is why only Firefox had problems opening our site.
I created a pristine WinXP virtual machine and downloaded and installed Firefox on it. The Let’s Encrypt certificate was missing both from the IE and the Firefox stores. Performing an update of Firefox did not improve the situation.
So, my question is - where is this certificate supposed to come from? I thought that it should be installed in the IE store by Microsoft Update and in the Firefox store when updating that browser - but, apparently, this is not the case. I am pretty certain that I have not installed it manually on my computer (and especially on my mother’s computer), yet it is present there, so obviously it comes automatically from somewhere.