Which browsers and operating systems support Let's Encrypt

mrtux 2015-11-24 16:51:02 UTC #3

If the Root CA is not in the browser no certificates based on that CA are trusted. And for older Android devices even the (established?) "DST Root CA X3" Root CA is not trusted... So, most CAs write "trusted by 99% of all devices" and list the browsers/OS where and when they got included. This would also be helpful for LE. - If your "users" mainly use older Android LE is not and will not be an option at all.

ecdsa-chacha20 2015-11-24 17:38:21 UTC #4

I already tried to make use of the intermediate certificate signed by the still hidden root … with mixed results. https://community.letsencrypt.org/t/root-s-missing-main-cert-chain-not-supported/3191/2?u=ecdsa-chacha20

tlussnig 2015-11-30 22:41:40 UTC #7

Maybe someone can tell for what truststores and inclusion is requested?
- https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
Are there any other tracking numbers for inclusion ?
For Mozilla not in the upcomming ca list:
- https://mozillacaprogram.secure.force.com/CA/UpcomingRootInclusionsReport
And also not in the included list:
- https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

https://github.com/MoonchildProductions/Pale-Moon/issues/171
=> Rejected because of the short cert lifetime

jsha 2015-12-01 02:30:35 UTC #8

Terrific work, thank you very much for documenting this in such a clear and thorough way.

tlussnig 2015-12-01 07:20:24 UTC #9

@jsha Hi would it be possible to track in an thread where letsencrypt have applyed for truststore inclusion like mozilla i mentioned under https://technet.microsoft.com/en-us/library/cc751157.aspx i found the link to http://aka.ms/rootcertapply and trustcert@microsoft.com and for applying. This information would maybe interesting for many people here too.

jsha 2015-12-03 05:29:26 UTC #10

Windows XP:
- Pre-SP3 will never work, because it lacks SHA2 support.
- SP3: Chrome and IE don't currently work because of the name constraints on our intermediate. We're going to take a look at whether that's possible to work around in the long run, but for now it doesn't work.
- Firefox works because it has its own validation code.

[Help needed] Windows XP support

Windows Live Mail revocation warning

eva2000 2015-12-03 05:39:17 UTC #11

also one more reason is down to server configuration of ssl cipher preferences, some folks may configure their servers with ssl ciphers that don't work with WinXP

jsha 2015-12-08 05:25:24 UTC #13

cdetar 2016-01-08 00:33:04 UTC #14

Is there any place that collects information on whether LE is supported by various antivirus and MITM security vendors? I've encountered trouble with Avast. @mholt mentioned "multiple reports" about other Windows antivirus software in another thread

Would be useful to collect that info in addition to OS/browser support; we had to move off of letsencrypt for now because of trust issues with Avast.

jsha 2016-01-08 22:50:11 UTC #15

This thread would be an appropriate place for such information. Can you provide additional details about the trouble you've had with Avast, including OS versions, browser versions, Avast product and version, and screenshots? Thanks!

cdetar 2016-01-11 18:33:49 UTC #16

Thanks @jsha. I made a concerted effort to reproduce the problems with Avast myself in a VM but was unable to. After following up with the client, I found that they are on Windows XP SP3, and their syptoms are consistent with the known problems above: trust problems in IE and Chrome, but working in recent Firefox.

Long story short: I think our problem was not Avast, but the fact that the client was on Windows XP SP3. In all the iterations I tested, Avast was working fine in Win7, and disabling Avast on the client's XP SP3 machine had (unsurprisingly) no effect.

So short of @mholt's anecdotes in the other thread, I've got nothing to suggest there's a problem with Avast, even when it's configured to MITM HTTPS connections. Sorry for the FUD.

mholt 2016-01-11 18:47:32 UTC #17

It's not entirely FUD. Granted, the certs used in that case were not from Let's Encrypt, but I am still wary of MITM in general, especially antivirus software.

cdetar 2016-01-11 19:27:53 UTC #18

I'd heartily agree to that, but happy that at least as far as it looks right now, LE doesn't appear to be "broken" by that dubious practice with Avast.

avi 2016-01-24 22:29:59 UTC #19

I exchanged messages with John Chen, the CEO of BlackBerry, today. BlackBerry's security team is looking into adding support for Let's Encrypt and recognizing the "DST Root CA X3" Root CA.

Inclusion of ISRG Root

Jason 2016-01-25 09:16:11 UTC #20

I already created a thread there: https://community.letsencrypt.org/t/inclusion-of-isrg-root/.

Linux distro compatibilty as client

till 2016-01-25 20:39:14 UTC #21

https://helloworld.letsencrypt.org/ works in Fedora 22 and newer as well

tlussnig 2016-01-26 07:49:27 UTC #22

OS is Important if you use an Browser that does not have its own CA list.
Browser Version is Interesting with browsers having their own CA-List

My1 2016-01-26 08:41:00 UTC #23

that's why I use firefox. they not only have their own certs but also NSS meaning the MS'problems are not my problems. -> TLS 1.2, AES and EC even on XP (well I dont use it but you get my point.)

Gaia 2016-03-24 20:35:47 UTC #24

Great list, MrTux, thank you! Do you plan on keeping it up to date?

Nit 2016-03-25 21:50:18 UTC #25

If the today maintenance went well, this should work now.