Look at the intermediate certificates for these two domains:
- letsencrypt.org: TrustID Server CA A52
- community.letsencrypt.org: COMODO RSA Domain Validation Secure Server CA
The only domain using its own certificate is:
helloworld.letsencrypt.org: Let’s Encrypt Authority X1
Most probably the servers were up and running before “Let’s Encrypt Authority X1” was cross-signed and accepted by major browsers. The web site was not willing to start an SSL-everywhere campaign without using SSL on its own web site. I can perfectly understand this.
But now I would expect Let’s Encrypt to issue its own certificates for its own web sites and in this way show how much they trust their own infrastructure.
Being confident in what you do, you have to do it first in order for others to trust what you are doing. This would, in my humble opinion, increase credibility.
Probably not really hard to do:
- revoke existing certificates,
- issue new certificates with “Let’s Encrypt Authority X1” intermediate.
Is there some other reason that I do not understand?