Which browsers and operating systems support Let's Encrypt

Typically the oldest extant CAs are the most widely trusted. This is because the root application processes for all the major trust stores except Mozilla’s are largely opaque and can take a very long time to complete (Apple is rumoured to be worst), and because once active support for software or hardware ceases it is impossible to get your CA added to the trust store for that software or hardware, so the set of trusted CAs becomes set in stone for older appliances.

The Verisign and Thawte roots, which date back to the fairly early days of SSL, are very widely trusted indeed. These are today both controlled by Symantec. If it is essential that every possible older device or program should work with your certificates, the relatively expensive certificates offered by Symantec may be worth it to you.

The more popular CAs do often have a list somewhere of compatible software on their “support” pages. If you’re considering purchasing a certificate from a CA you should check that the Issuer of the certificate you receive will be the exact one listed for that compatibility. Purchasing from a reseller, or discount site for a lower price doesn’t matter, so long as the certificate Issuer is the right one.

Okay, but why on earth does Apple trust LE certs for code signing and secure email (the latter is also trusted by Microsoft)? LE does not offer any S/MIME certs (for mail), and if you could use an LE cert to sign your software code and Apple accepted this, it would be a huge risk as well... anybody can get LE certs, and code signing certs are meant to show the author (authentication) of a piece of software.
I also don't know what "IP security user" is, where Apple trusts LE too.


Because the DST root is trusted for those purposes and the intermediate does not have any EKU constraints.

As I understand it Apple don’t have a very fine-grained trust system unlike Microsoft. Remember that crt.sh is only a service from Rob at Comodo, it’s not an official communication of any trust store’s policies, and Apple might internally have some mechanism that makes certificates issued by LE not work for these purposes, but equally they might not.

Although there are a lot of X.509 certificates in the world, my personal opinion is that in terms of public systems only the Web PKI (ie for TLS certificates on the public Internet) is subject to any real weight of oversight. So, if you can be trusted in the Web PKI, that’s good enough.

In the SHA-1 exception process all the payment suppliers basically keep saying, well, probably we should have some sort of trust relationships for financial stuff, but we’d have to agree what the rules were and we’ve never gotten around to it, so actually everything basically depends on the major Web PKI trust stores, Mozilla, Microsoft, Apple and Oracle. Some proprietary backend systems aren’t tied to the Web PKI, but a huge proportion of financial transaction stuff is.

Orly?

And this is one of the problems in the CA system (well, rather with how it's used in the real world than with the system itself): many certs don't get constrained where they should, because if someone were able to get a fraudulent signature they could do code signing with it, even though it isn't supposed to do that in the first place.

And they don't come with CT. CT just cannot work with code signing, as signed software is supposed to work offline, so have fun trying that.

In order to implement the standard, clients verifying a code signing certificate should verify that the code signing EKU is present in the certificate. As Let’s Encrypt does not issue such certificates, there is no real risk (as long as clients implement the standard correctly) of code signed with a Let’s Encrypt certificate being trusted.

But it still should be constrained, because IF anything bad happens (greetings from Murphy’s law) and such a cert appears, it will be quite a problem, because offline systems can’t verify its revocation status.



It should be noted that, since Windows XP support requires Windows XP Service Pack 3, only one (x86-32) of the three architectures for which Windows XP was released (x86-32, IA-64/Itanium, x86-64) is supported, because Service Pack 3 was released only for x86-32.

Some good year-end news: Let’s Encrypt is now recognized/supported by BlackBerry 10 as of version 10.3.3.


Confirmed as working on NetSurf 3.7, Amaya 11.3, Safari 3.1 (Windows build), and Konqueror 4.8.

Opera 7 to 10 reports the certificate chain as “incomplete” but allows you to proceed anyway.
Opera 11 and over works fine.

All tested on a Windows 7 PC.

Sony PSP O/CFW 6.61 (latest version) does not work.

See all root certificates in flash0:/data/cert/CA_LIST.cer


But now almost no one uses the PSP to access the Internet.

Hi,

I work at Univention in Germany and wanted to add Univention Corporate Server (UCS) to the list of OS (UCS is an enterprise Linux distro based on Debian).

In UCS 4.1, Apache web servers and mail servers (Dovecot, Postfix) on top of UCS can use a “small Let’s Encrypt client” for UCS to generate and work with certificates. The script uses UCR variables (UCS configuration variables) to specify which services the certificate is for and which domains it is valid for. By default, a cron task will try to renew the certificate every month.

The UCS forum mentions that the script is being adapted for UCS 4.2.

Some people in the (German) forum have reported other clients like Certbot or Dehydrated to have worked for them on UCS too.

Java 8 Update 141, released 18th July 2017, now contains ISRG Root X1 directly.


PS4 firmware 5.00, released October 3, 2017, lists DST Root CA X3 as a trusted root and thus should work; users beta testing that version have previously reported it as working. So this should probably be updated in the official docs.


Done, thanks!


Here’s the list for Nintendo’s ill-fated Wii U, which has an “Internet Browser”. Again, DST Root CA X3 is missing, so Let’s Encrypt won’t work on the Wii U. I found this while researching a question from a Wii U user which seemed to indicate that might be the case.

https://www.nintendo.co.jp/hardware/wiiu/internetbrowser/browser/list_pem_wiiu.html

Since Nintendo purchases the “Internet Browser” (NetFront) from ACCESS Co. Limited of Japan, is it possible for ISRG to reach out to ACCESS / NetFront to get either DST Root CA X3 or ISRG Root X1 into future NetFront releases?

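Two of the checks discussed in this thread are easy to get wrong by hand: what a correct code-signing verifier does with a Let’s Encrypt-profile leaf (EKU serverAuth + clientAuth) sitting under an intermediate that has no EKU at all, and whether a vendor’s published root bundle (the PS4 and Wii U lists above) actually contains one of the Let’s Encrypt roots. The following is an added example, not code from this thread, from Let’s Encrypt or from any vendor; it assumes the Python `cryptography` library is installed, and every certificate in it is a freshly generated, self-signed stand-in (including the one whose subject CN happens to read “ISRG Root X1”), so nothing here touches the real ISRG or DST keys.

```python
# Added example (not code from the thread): stand-in certificates built with
# the `cryptography` library, used to demonstrate (1) EKU policy over a chain
# and (2) scanning a PEM root bundle for the Let's Encrypt roots by subject CN.
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH
ANY_EKU = ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE
LE_ROOT_CNS = ("DST Root CA X3", "ISRG Root X1")  # matched by subject CN only
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def make_cert(cn, ekus=None):
    """Throwaway self-signed stand-in (constructed here; not a real CA certificate).
    ekus=None omits the EKU extension entirely, as EKU-less roots/intermediates do."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=90))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def eku_of(cert):
    """Set of EKU OIDs in the certificate, or None when the extension is absent."""
    try:
        return set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return None


def chain_allows(chain, purpose, require_leaf_eku=True):
    """Is the chain [leaf, intermediate, ..., root] usable for one EKU purpose?
    RFC 5280 semantics: a certificate carrying EKU may be used only for the purposes
    it lists (anyExtendedKeyUsage lifts the restriction); a certificate without EKU
    imposes no restriction, which is why an EKU-less intermediate blocks nothing.
    A strict code-signing verifier additionally requires the leaf to state the purpose."""
    leaf, *issuers = chain
    leaf_eku = eku_of(leaf)
    if leaf_eku is None:
        if require_leaf_eku:
            return False
    elif purpose not in leaf_eku and ANY_EKU not in leaf_eku:
        return False
    for ca in issuers:
        ca_eku = eku_of(ca)
        if ca_eku is not None and purpose not in ca_eku and ANY_EKU not in ca_eku:
            return False  # an EKU-constrained CA cuts the purpose off for everything below it
    return True


def bundle_subject_cns(pem_bundle):
    """Subject CNs of every certificate in a PEM bundle such as a vendor's root list."""
    cns = []
    for match in PEM_CERT.finditer(pem_bundle):
        cert = x509.load_pem_x509_certificate(match.group(0))
        attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        cns.append(attrs[0].value if attrs else "")
    return cns


def le_roots_present(pem_bundle):
    """Which Let's Encrypt roots (by subject CN) the bundle contains."""
    present = set(bundle_subject_cns(pem_bundle))
    return {cn: cn in present for cn in LE_ROOT_CNS}


def demo():
    # Let's Encrypt-profile leaf (serverAuth + clientAuth) under an EKU-less chain.
    le_chain = [make_cert("example.test", [SERVER_AUTH, CLIENT_AUTH]),
                make_cert("Stand-in Intermediate"), make_cert("Stand-in Root")]
    # A leaf that really is a code signing certificate, for contrast.
    cs_chain = [make_cert("Vendor Inc", [CODE_SIGNING]), make_cert("Stand-in CS CA")]
    # Constructed bundle that, like the Wii U list, carries no DST Root CA X3.
    # Names are stand-ins with freshly generated keys, not the real roots.
    bundle = b"".join(make_cert(cn).public_bytes(serialization.Encoding.PEM)
                      for cn in ("Stand-in Root", "ISRG Root X1"))
    return {
        "le_tls": chain_allows(le_chain, SERVER_AUTH),
        "le_codesign": chain_allows(le_chain, CODE_SIGNING),
        "vendor_codesign": chain_allows(cs_chain, CODE_SIGNING),
        "roots": le_roots_present(bundle),
    }


if __name__ == "__main__":
    print(demo())
```

The `require_leaf_eku` switch is the whole difference between the two views above: with it on (how a code-signing verifier should behave) an LE leaf is rejected for code signing because its EKU lists only serverAuth/clientAuth, and even an EKU-less leaf is rejected; with it off you get the permissive RFC 5280 reading under which a certificate with no EKU is good for anything, which is exactly why an EKU-less intermediate under a root trusted "for all purposes" looks alarming in crt.sh. For a real bundle, feed the downloaded PEM bytes to `le_roots_present`; matching on subject CN is enough to spot a missing root but, unlike a fingerprint check, does not prove the certificate is the genuine one.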

Please add the following to your list. I committed the change last year (2017), adding ISRG Root X1 to the list of trusted CA certs:

Oracle Solaris version 11.4.
