Windows Phone 8.1 not trusting LE certificate


#1

Until today there have been zero problems with LE and I have succeeded in getting an A+ rating from SSL Labs. Today, however, I tested an LE site with a Lumia 520 test phone and IE tells me that the certificate I have installed does not come from a trusted party. The same site works fine in any other browser environment, including IE11 in Win7.

So it seems to me that the LE is not on the list of trusted parties in the Win 8.1 phone. Anybody else with Windows Phone 8.1 out there?


#2

Does the SSL Labs test or the checker at https://www.sslchecker.com/sslchecker indicate any issues with the certificate chain? (Note that a missing root is fine.) This kind of error usually shows up when you’re not sending the intermediate certificate(s).


#3

No, nothing. The Windows Phone 8.1 is the only one to complain about anything. I know the chain problem which has occurred in the past with some paid certificates; as far as I remember there is nothing in the report concerning Letsencrypt certificates.

The same seems to be the case with all Letsencrypt test sites we have. I can, of course, give one of them public as it is already public with some nice photos :) https://eastpointopen.com (a dog sled racing contest site).

I believe there is something (a lot) wrong with the Windows Phone updating the certificates. Given the state of almost all mobile operating systems this might be a false alarm as well.

EDIT: The link you gave actually complains about “root missing”. Oh, and I have been using the shell version of LE client. And I do find it funny that aside from WP there are no other systems complaining. None.


#4

Either the https://sslchecker.com/sslchecker tool is misbehaving or there must be something wrong with the LE certificate chain. Go test the chain at the example site https://helloworld.letsencrypt.org/ and it is showing the same problem with the certificate as my sites do.

Gosh this is sometimes difficult. I wish I had another Windows phone to test the site with.


#5

Your site works great for my Windows Phone 8.1 Lumia 1020 phone. So, there is no problem…


#6

Thanks A LOT, Jason! That is a true relief and a proof of my Lumia being faulty. I think I will try to restore the factory default state. http://sslchecker.com reporting probable bull-poop makes problems even more difficult to get solved.

Now I can very probably sleep my night peacefully.

Thanks again.


#7

Which is correct, although not a huge concern. If the browser/system trusts the root, it’ll have that cert already in the trust store, so you don’t need to send it. The reason for sending the intermediate is that most systems don’t store those and need help building the trust chain.

The biggest thing I can think of is a missing trust store update. Maybe the carrier didn’t push one of the updates? I wish I could help more, but I don’t have any WP devices.
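
The chain-building logic described in the reply above, as an added example that is not part of the original thread. It models path building by subject/issuer name only (no signature or expiry checks); the certificate names, client names and the helpers `build_path` and `locate_fault` are constructed for illustration.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

def build_path(served, trusted_roots):
    """Walk from the leaf (served[0]) toward a locally trusted root.

    served        -- certificates the server sends, leaf first
    trusted_roots -- set of root subject names in the client's trust store
    Returns (ok, detail). Name matching only; a real client also verifies
    signatures, validity periods and constraints.
    """
    extras = {c.subject: c for c in served[1:]}
    current, visited = served[0], set()
    while current.subject not in visited:
        if current.issuer in trusted_roots:
            return True, f"anchored at '{current.issuer}'"
        visited.add(current.subject)
        nxt = extras.get(current.issuer)
        if nxt is None or nxt == current:   # issuer not sent, or untrusted self-signed root
            return False, f"no trusted path past '{current.issuer}'"
        current = nxt
    return False, "issuer loop in served chain"

def locate_fault(served, clients):
    """clients: dict of client name -> set of trusted root names."""
    failing = sorted(n for n, roots in clients.items()
                     if not build_path(served, roots)[0])
    if not failing:
        return "ok"
    if len(failing) == len(clients):
        return "server: chain fails everywhere"
    return "client: " + ", ".join(failing)

# Constructed sample data (placeholder names, not real CAs).
LEAF = Cert("site.example", "Example Intermediate CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
ROOT = Cert("Example Root CA", "Example Root CA")
CLIENTS = {
    "updated-phone": {"Example Root CA", "Other Root CA"},
    "stale-phone": {"Other Root CA"},          # trust store never updated
}

if __name__ == "__main__":
    print(locate_fault([LEAF, INTER], CLIENTS))  # root omitted by server: fine
    print(locate_fault([LEAF], CLIENTS))         # intermediate omitted: server fault
```

A chain that validates on one client and fails on another points at the failing client's trust store, while a chain that fails everywhere points at what the server sends.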


#8

Yes, I have been using the chain certificate and I was actually assuming that there is something wrong with the store of the trusted certificates. The Lumia has been misbehaving in a number of ways for weeks and complains about problems with my MS account. It may well be that the store has not been updated for months.

Due to the account problems I cannot, for instance, install the Certificates app which might show the store of certificates installed. Anyhow, I am happy to know that the problem is a very local one.

And thank you for your input as well. As for LE it is one of the best things that has happened to the Internet for years.