If the Root CA is not in the browser no certificates based on that CA are trusted. And for older Android devices even the (established?) “DST Root CA X3” Root CA is not trusted… So, most CAs write “trusted by 99% of all devices” and list the browsers/OS where and when they got included. This would also be helpful for LE. - If your “users” mainly use older Android LE is not and will not be an option at all.
I already tried to make use of the intermediate certificate signed by the still hidden root … with mixed results. Root(s) missing, main cert chain not supported
Maybe someone can tell for what truststores and inclusion is requested?
Are there any other tracking numbers for inclusion ?
For Mozilla not in the upcomming ca list:
And also not in the included list:
=> Rejected because of the short cert lifetime
Terrific work, thank you very much for documenting this in such a clear and thorough way.
@jsha Hi would it be possible to track in an thread where letsencrypt have applyed for truststore inclusion like mozilla i mentioned under https://technet.microsoft.com/en-us/library/cc751157.aspx i found the link to http://aka.ms/rootcertapply and email@example.com and for applying. This information would maybe interesting for many people here too.
- Pre-SP3 will never work, because it lacks SHA2 support.
- SP3: Chrome and IE don’t currently work because of the name constraints on our intermediate. We’re going to take a look at whether that’s possible to work around in the long run, but for now it doesn’t work.
- Firefox works because it has its own validation code.
also one more reason is down to server configuration of ssl cipher preferences, some folks may configure their servers with ssl ciphers that don’t work with WinXP
Is there any place that collects information on whether LE is supported by various antivirus and MITM security vendors? I’ve encountered trouble with Avast. @mholt mentioned “multiple reports” about other Windows antivirus software in another thread
Would be useful to collect that info in addition to OS/browser support; we had to move off of letsencrypt for now because of trust issues with Avast.
This thread would be an appropriate place for such information. Can you provide additional details about the trouble you’ve had with Avast, including OS versions, browser versions, Avast product and version, and screenshots? Thanks!
Thanks @jsha. I made a concerted effort to reproduce the problems with Avast myself in a VM but was unable to. After following up with the client, I found that they are on Windows XP SP3, and their syptoms are consistent with the known problems above: trust problems in IE and Chrome, but working in recent Firefox.
Long story short: I think our problem was not Avast, but the fact that the client was on Windows XP SP3. In all the iterations I tested, Avast was working fine in Win7, and disabling Avast on the client’s XP SP3 machine had (unsurprisingly) no effect.
So short of @mholt’s anecdotes in the other thread, I’ve got nothing to suggest there’s a problem with Avast, even when it’s configured to MITM HTTPS connections. Sorry for the FUD.
It’s not entirely FUD. Granted, the certs used in that case were not from Let’s Encrypt, but I am still wary of MITM in general, especially antivirus software.
I’d heartily agree to that, but happy that at least as far as it looks right now, LE doesn’t appear to be “broken” by that dubious practice with Avast.
I exchanged messages with John Chen, the CEO of BlackBerry, today. BlackBerry’s security team is looking into adding support for Let’s Encrypt and recognizing the “DST Root CA X3” Root CA.
I already created a thread there: https://community.letsencrypt.org/t/inclusion-of-isrg-root/.
https://helloworld.letsencrypt.org/ works in Fedora 22 and newer as well
OS is Important if you use an Browser that does not have its own CA list.
Browser Version is Interesting with browsers having their own CA-List
that’s why I use firefox. they not only have their own certs but also NSS meaning the MS’problems are not my problems. -> TLS 1.2, AES and EC even on XP (well I dont use it but you get my point.)
Great list, MrTux, thank you! Do you plan on keeping it up to date?
If the today maintenance went well, this should work now.