The answer:
Most probably the servers were up and running before “Let’s Encrypt Authority X1” was cross-signed and accepted by major browsers. The web site was not willing to start an SSL-everywhere campaign without using SSL on its own web site. I can perfectly understand this.
But now I would expect Let’s Encrypt to issue its own certificates for its own web sites and in this way show how much they trust their own infrastructure.
Being confident in what you do, you have to do it first in order for others to trust what you are doing. This would, in my humble opinion, increase credibility.
Probably not really hard to do:
revoke existing certificates,
issue new certificates with “Let’s Encrypt Authority X1” intermediate.
Is there some other reason that I do not understand?
Revoking the old certificate wouldn’t be necessary.
If LE (as CA) ever became compromised and all certificates had to be revoked, LE’s actual domains could still be served securely, because they’re not dependent on LE’s intermediate / root certificate.
Let me guess… they are using CloudFlare in front of their website!?
It’s what I’m also doing on my website https://www.andreagrandi.it
and if you have SSL strict activated, the COMODO SSL certificate will appear instead of the original one, if you are on the free plan.
LE is in Public beta status for a reason - the client is still in beta
As the client is still in beta, auto renewal in the LE client isn't ready or done yet. I suspect they want to switch over when they can test the LE client's auto renewal capabilities as well.
Well, if you’re using CloudFlare’s “protection” mode, it can’t really change the IP for the DNS record based on a protocol. Things just don’t work that way.
You can use CF as your DNS provider and it’ll work just fine direct between the client and your server. Just don’t enable CF’s CDN/protection option for that DNS entry.