The answer:
Most probably the servers were up and running before 'Let's Encrypt Authority X1' was cross-signed and accepted by major browsers. The web site was not willing to start the SSL everywhere campaign without using SSL on its own web site. I can perfectly understand this.
But now I would expect Let's Encrypt would issue its own certificates for its own web sites and in this way show how much they trust their own infrastructure.
If you are confident in what you do, you have to do it first so that others trust what you are doing. This would in my humble opinion increase credibility.
Probably not really hard to do:
revoke existing certificates,
issue new certificates with the 'Let's Encrypt Authority X1' intermediate.
Is there some other reason that I do not understand?
Revoking the old certificate wouldn't be necessary.
If LE (as CA) ever became compromised and all certificates would have to be revoked, LE's actual domains could still be served securely, because they're not dependent on LE's intermediate / root certificate.
Let me guess… they are using CloudFlare in front of their website!?
It's what I'm also doing on my website https://www.andreagrandi.it
and if you have SSL Strict activated, the COMODO SSL certificate will appear instead of the original one, if you are on the free plan.
LE is in public beta status for a reason - the client is still in beta.
As the client is still in beta, auto-renewal in the LE client isn't ready or done yet. I suspect they want to switch over when they can test the LE client's auto-renewal capabilities as well.
Well, if you're using CloudFlare's "protection" mode, it can't really change the IP for the DNS record based on a protocol. Things just don't work that way.
You can use CF as your DNS provider and it'll work just fine direct between the client and your server. Just don't enable CF's CDN/protection option for that DNS entry.