Re: LetsEncrypt certificate is not recognized by Chrome Android 6.0.1/5.0.2

From: Lucas Garron <creasepattern@xxxxxxxxx>
To: Timothy Holborn <timothy.holborn@xxxxxxxxx>, Vladimir Djukelic <vladimir@xxxxxxxxxxxx>, Michel Kuijpers <michel@xxxxxxxxxxxx>, Jeroen de Neef <jeroen52@xxxxxxxxx>
CC: Daniel Reynolds <daniel7reynolds@xxxxxxxxx>, Josh Aas <josh@xxxxxxxxxxxxxxx>, Kaiduan Xie <kaiduanx@xxxxxxxxx>, "Let's Encrypt CA Development" <ca-dev@xxxxxxxxxxxxxxx>, "Let's Encrypt Client Development" <client-dev@xxxxxxxxxxxxxxx>, Melvin Carvalho <melvincarvalho@xxxxxxxxx>, 蔡崴丞 <danny8376@xxxxxxxxx>
Date: Mon, 16 May 2016 18:58:44 +0000
The whole point of Let's Encrypt is to provide a free CA that works
*without* users having to do anything.
Also, to take one example, Chrome uses the OS trust store, so it's not
straightforward to just "add the root to modern browsers".

In any case, the problem with helloworld.letsencrypt.org has nothing to do
with the root(s), since the Let's Encrypt X1 is actually signed by both the
ISRG root and the IdenTrust root <https://letsencrypt.org/certificates/>.
In order to use the current leaf cert, the site needs to serve the Let's
Encrypt X1 cert as an intermediate, as suggested by the SSL Labs scanner:
https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=helloworld.letsencrypt.org

This will make it work on the Android devices mentioned in this thread, as
well as any other devices that don't support AIA
<https://www.google.com/search?q=Authority+Information+Access&oq=Authority+Information+Access&aqs=chrome..69i57j69i60.158j0j4&sourceid=chrome&ie=UTF-8>.
»Lucas
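
The missing-intermediate failure described in the message above, reproduced offline (an added example, not part of the original e-mail). `openssl verify` does not fetch issuers over AIA, so it stands in for the affected clients; the certificate names, file names and the helper functions `build_chain` and `client_accepts` are assumptions made for illustration.

```shell
# Constructed chain: root -> intermediate -> leaf (all names are made up).
build_chain() {
  d=$1
  cat > "$d/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x509.cnf" \
      -subj "/CN=Constructed Root" -days 2 \
      -keyout "$d/root.key" -out "$d/root.pem" &&
    for n in int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -config "$d/x509.cnf" \
        -subj "/CN=constructed-$n.example.test" \
        -keyout "$d/$n.key" -out "$d/$n.csr" || return 1
    done &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -set_serial 2 -days 2 -extfile "$d/x509.cnf" -extensions v3_ca \
      -out "$d/int.pem" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -set_serial 3 -days 2 -extfile "$d/x509.cnf" -extensions v3_leaf \
      -out "$d/leaf.pem"
  } >/dev/null 2>&1
}

# The client knows only its trust store (ROOT) plus whatever the server sends.
client_accepts() {   # usage: client_accepts ROOT LEAF [SERVED_INTERMEDIATE]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

tmp=$(mktemp -d) && build_chain "$tmp" || exit 1
client_accepts "$tmp/root.pem" "$tmp/leaf.pem" \
  && echo "leaf only: accepted" || echo "leaf only: rejected"
client_accepts "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/int.pem" \
  && echo "leaf + intermediate: accepted" || echo "leaf + intermediate: rejected"
rm -rf "$tmp"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates that are actually served.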

On Sun, May 15, 2016 at 11:09 AM Timothy Holborn <timothy.holborn@xxxxxxxxx>
wrote:

How about making a little promo video / campaign explaining for lay people
what it is and how to install? Perhaps also a browser extension that could
help if for some reason (i.e. s/w update) the install needs to occur again.

Might also be useful for decentralization generally, but would want to
have some means to manage trust with any such tools broadly.

TimH..


On Mon, 16 May 2016 4:05 AM Vladimir Djukelic <vladimir@xxxxxxxxxxxx>
wrote:

DOES NOT work on Safari Version 9.1 (11601.5.17.1) on Mac OS X El
Capitan 10.11.4 (15E65)
Screenshot:
https://www.dropbox.com/s/wc5jpa7zmgmmpe0/Screenshot%202016-05-15%2019.52.23.png?dl=0

DOES WORK on Chrome Version 50.0.2661.102 (64-bit) on Mac OS X El
Capitan 10.11.4 (15E65)
Screenshot:
https://www.dropbox.com/s/joauiu8tze6jcw3/Screenshot%202016-05-15%2019.55.21.png?dl=0
About Chrome Screenshot:
https://www.dropbox.com/s/trzrqgaqdd0jo26/Screenshot%202016-05-15%2019.58.55.png?dl=0



On Sun, May 15, 2016 at 7:42 PM Michel Kuijpers <michel@xxxxxxxxxxxx>
wrote:

also doesn’t work on my MacBook Pro (10.11.4 (15E65)) in Safari (Version
9.1 (11601.5.17.1)) but it works in Chrome (Version 50.0.2661.102
(64-bit))

Greetings and have a nice day,
Michel
-=-=-=-=-=-=-=-

Kind regards,
Michel Kuijpers
-------------------------------------
Du-llens Fotografie en Websolutions
URL: http://www.du-llens.net
Email: michel@xxxxxxxxxxxx
Mobile: 06-23977966
-------------------------------------

On 15 May 2016, at 18:22, Jeroen de Neef <jeroen52@xxxxxxxxx> wrote:

It doesn't work for me on Windows 7, Google Chrome version 50.0.2661.102
m.

2016-05-15 17:44 GMT+02:00 Daniel Reynolds <daniel7reynolds@xxxxxxxxx>:

It works on Chrome for iOS for me.


On Sun, May 15, 2016 at 8:17 AM, Timothy Holborn <
timothy.holborn@xxxxxxxxx> wrote:

doesn't work on my android device.

On Sun, 15 May 2016 8:58 PM Melvin Carvalho <melvincarvalho@xxxxxxxxx>
wrote:

On 15 May 2016 at 07:24, 蔡崴丞 <danny8376@xxxxxxxxx> wrote:

It's using X1 signed by ISRG Root, which isn't included in most
browsers.

Works for me on chrome, firefox, opera (desktop)


On Sunday, 15 May 2016 at 1:07 PM, Kaiduan Xie <kaiduanx@xxxxxxxxx> wrote:

Josh,

I suddenly found that https://helloworld.letsencrypt.org was
determined to be not private on Chrome on Android 6.0.1/5.0.2 today. This is a
very big nasty surprise :(

What has changed on Android side?

Thanks for help,

/Kaiduan

--
You received this message because you are subscribed to the Google
Groups "Let's Encrypt Client Development" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to client-dev+unsubscribe@xxxxxxxxxxxxxxx.
To post to this group, send email to client-dev@xxxxxxxxxxxxxxx.
To view this discussion on the web visit
https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CACKRbQeS3MPr_p8EASsJ_LaQgQ6bx4td5f8DjjW_qHVYkpqFng%40mail.gmail.com
<https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CACKRbQeS3MPr_p8EASsJ_LaQgQ6bx4td5f8DjjW_qHVYkpqFng%40mail.gmail.com?utm_medium=email&utm_source=footer>
.


--
You received this message because you are subscribed to the Google
Groups "Let's Encrypt CA Development" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to ca-dev+unsubscribe@xxxxxxxxxxxxxxx.

