
Let's Encrypt Certificate Authority - unknown

Hello - we're seeing some sites blocked under the Unknown Certificate Authorities rule when their certs were issued by Let's Encrypt (see: Let's Encrypt - Wikipedia, the free encyclopedia, or https://letsencrypt.org/).

They seem to be very new and aren't in the managed lists yet. I am wondering if it's just a case that "they aren't there yet", or if they're not there for a reason?

thanks in advance

Ronan

4 Replies

Re: Let's Encrypt Certificate Authority - unknown

We saw it also.

Let's Encrypt sites result in

CertificateChain.FirstKnownCAIsTrusted = FALSE, and this results in a block page.

In the case of https://www.plueto.de/ we have

Issuer: Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/

Path #1: Trusted
https://www.ssllabs.com/ssltest/getTestTrustPath?d=www.plueto.de&s=87.163.223.37&cid=4e61ba64947bf25...

1. Sent by server: www.plueto.de
   Fingerprint SHA1: e6ef7935b31f38df2a676045516b1934fb28df91
   Pin SHA256: DSc5/7yjIvZr19BmDJRsEzlruqWha1fav82ilI9QvJw=
   RSA 2048 bits (e 65537) / SHA256withRSA

2. Extra download: Let's Encrypt Authority X3
   Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
   Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
   RSA 2048 bits (e 65537) / SHA256withRSA

3. In trust store: DST Root CA X3 (Self-signed)
   Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
   Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

How can we trust Let's Encrypt also?

smasnizk (McAfee Employee)

Re: Let's Encrypt Certificate Authority - unknown

Frank,

it is possible to create your own trusted CA list in which you can manage your own CAs.

Step 1

(screenshot: mytrustedca.JPG)

Create a new "MyTrusted_CA" list.

Step 2

(screenshot: mytrustedca1.JPG)

Add the required certificates to your own list. These can be exported, for example, from the website "www.ssllabs.com".

(screenshot: certpath.JPG)

Each certificate is delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". You will need to create two files, one per certificate. Sample attached.

Step 3

Edit your "Certificate Chain" settings. In my case it is "default".

(screenshot: cert_chain.JPG)

Choose your recently created "MyTrusted_CA" list and save the configuration.

When you test this website you will now notice you're redirected to Google without any certificate error.

-Sergej

Re: Let's Encrypt Certificate Authority - unknown

I already created such an entry and all works, but why do I have to create such an entry...

We trust the root CA, and Let's Encrypt is trusted by DST Root CA X3. So I expect we can also trust Let's Encrypt automatically.

Otherwise we would have to import all CAIs? This won't scale...

smasnizk (McAfee Employee)

Re: Let's Encrypt Certificate Authority - unknown

When you check this using openssl commands you will find an incomplete certificate chain:

openssl s_client -showcerts -connect www.plueto.de:443

CONNECTED(00000003)
depth=0 CN = www.plueto.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.plueto.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.plueto.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAgISA3CHPStjQib1TBYZbcD6jBITMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjExMTEwNzMyMDBaFw0x
NzAyMDkwNzMyMDBaMBgxFjAUBgNVBAMTDXd3dy5wbHVldG8uZGUwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+6NWQEbPEW79PNKiASEj8/b8OnfUvXsNQ
FC6txfiiUJMbz4mKhcWsiS2zprEef6Su+qTea5WIzXxoKQ6OvEsa+IS/RH/rQH2V
AZqCWU+kLCJ452HXjnfol4gC8a4u/FPZp/d5ius2fDZ90QaOHkbFFxXz+agBbJtw
GEVFoVVFxLEaONrgKaIGK1o7k5qUbZl27hbPSUfW7xIH2ZMURkrNoSUxchGxockW
9lhdyJh8XI6xY63Sy4l9DnFZEdpmlswXBjgHVy+WFq/IcZrehK/iJ7GqNlnw2Gzk
y5GU33KO+4MM5ofqRe9wbFt2FW/eWM8DUPLODQwsmLief/FfT9OLAgMBAAGjggIO
MIICCjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFUd2K+UNz1ZF+K/bw+bxnQZuFax
MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEBBGQw
YjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMBgGA1UdEQQRMA+CDXd3dy5wbHVldG8uZGUwgf4GA1UdIASB9jCB8zAIBgZn
gQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmlj
YXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBh
bmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGlj
eSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzAN
BgkqhkiG9w0BAQsFAAOCAQEAPUMef7ys3xMRYnyY3dzCnFleXCjqVT99Sv8u1b4z
mdOgNP6ohd67pzSGEgVZzZ6NygCqBtENizrMFkQ6ANfEUGA/xwt/EGAIe0EagUhN
Uj3ZN7+JaKgJ6coTIvdSom0zVdqG1ZZ7B9TLbtbBm/1pI9j43oo+8/EeGe5VkyN0
cZgY4/rmVYCK0UyaC/dTZhLR/BhXB1pS+gZy3NtlJwy5P7upmiA8xhzSKk35HiSA
draybDlo2atyZi99miSg4aIX/8Syn8dg5qynEwOTYF2GC9XYPJpird7w76hOfidr
Y27V5HAD5F+yCrOKNowInIJcPUsb+3GoCt37YW2KRmYVuQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.plueto.de
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1957 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7643E5CBBF0F96127934E3D7B7037C33889A1011A0E3219102689390B0F0C0B8
    Session-ID-ctx:
    Master-Key: 0708CB4DE54B312133BBB1503B0CBA78B101035675313FE0B9A89BE49FD18767B65406A1E6FFC8BD1947A0D63DF040E5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    0000 - b6 34 6b a8 47 76 f4 93-87 c0 dd 60 92 d6 2e 63   .4k.Gv.....`...c
    0010 - 20 cb 84 9c 02 46 87 f8-0e b1 84 88 6b b9 64 56    ....F......k.dV
    0020 - aa a9 fb 84 92 83 b3 38-0a 6f de 74 d5 21 61 66   .......8.o.t.!af
    0030 - 87 6e e3 8f d9 5c da 33-7c 89 17 3a 0c 00 5e 3f   .n...\.3|..:..^?
    0040 - 88 ee ed d3 95 dd 7b 09-d5 14 d3 7f 69 89 e3 0e   ......{.....i...
    0050 - 99 ac 88 b9 42 90 7a bb-a9 b8 dc cd 37 2f 48 7b   ....B.z.....7/H{
    0060 - 0f 39 5c 86 b1 7b 95 c6-36 2d f3 15 3e 51 d3 ba   .9\..{..6-..>Q..
    0070 - 33 bc 9e 51 28 73 ea 52-fc e1 8b 4c ad 12 f5 01   3..Q(s.R...L....
    0080 - 69 9c 95 ec f6 e2 78 90-7a c4 00 83 14 31 3b 21   i.....x.z....1;!
    0090 - 96 a7 af 8d fd 28 82 9f-03 cc d7 7c f1 51 33 e8   .....(.....|.Q3.
    00a0 - 7c fb bd fc a1 dc 17 36-9e eb f5 2d 50 36 33 37   |......6...-P637
    Start Time: 1481539049
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed

-> At the end you should see 3 certificates: Root CA > Intermediate CA > Server Cert.

To compare how it should look, you can check any other provider like Wikipedia or Google:

openssl s_client -showcerts -connect www.wikipedia.de:443

-Sergej
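The following is an added example and not code from this thread or from McAfee. It reproduces the situation Sergej's openssl output shows (a server that sends only its own certificate while the verifier trusts only the root) with a locally generated Root CA > Intermediate CA > server certificate, and then checks both ways the chain becomes valid: the server sending the intermediate, or the intermediate being placed in a trusted-CA list of your own, as in Sergej's Step 2. Every name in it (Example Root CA, Example Intermediate X1, www.example.test, the AIA URL http://cert.int-x1.example.test/) is made up for the demonstration; only the openssl commands are real.

```shell
#!/bin/sh
# Added example, not code from the thread or from McAfee. Builds a made-up
# Root CA > Intermediate CA > server cert chain with openssl and shows why a
# verifier that trusts only the root cannot validate a server that sends
# just its own certificate, plus the two fixes discussed above.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles. The leaf carries an AIA caIssuers URL (made up here)
# like the one Frank quoted; a client could fetch the missing intermediate
# from it, but a verifier that does not follow AIA is stuck at the leaf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityInfoAccess = caIssuers;URI:http://cert.int-x1.example.test/
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# newkey NAME SUBJECT: private key and CSR for one certificate holder
newkey() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" -config ext.cnf >/dev/null 2>&1
}

newkey root "/CN=Example Root CA"
newkey int  "/C=US/O=Example/CN=Example Intermediate X1"
newkey leaf "/CN=www.example.test"

# Self-signed root: the "In trust store ... Self-signed" entry in the SSL Labs path
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ext.cnf -extensions v3_ca -out root.pem 2>/dev/null
# Intermediate signed by the root: the "Extra download" entry
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ext.cnf -extensions v3_ca -out int.pem 2>/dev/null
# Server certificate signed by the intermediate: the "Sent by server" entry
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Sergej's workaround: an own trusted-CA list holding root AND intermediate
cat root.pem int.pem > mytrusted_ca.pem

# verify_leaf TRUSTFILE LEAF [UNTRUSTED]: exit 0 if a path to a trusted CA exists
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# verify_msg TRUSTFILE LEAF: the textual verdict, e.g. "error 20 at 0 depth
# lookup: unable to get local issuer certificate" (the num=20 in the s_client output)
verify_msg() {
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

echo "AIA in the server certificate:"
openssl x509 -in leaf.pem -noout -text | grep -A1 'Authority Information Access'

echo "1) root trusted, server sends the leaf only:"
verify_msg root.pem leaf.pem
echo "2) root trusted, server also sends the intermediate:"
if verify_leaf root.pem leaf.pem int.pem; then echo OK; else echo FAIL; fi
echo "3) leaf only, but intermediate added to the own trusted-CA list:"
if verify_leaf mytrusted_ca.pem leaf.pem; then echo OK; else echo FAIL; fi
```

Case 1 is what the gateway and `openssl s_client` see for www.plueto.de; case 2 is what a correctly configured server should deliver; case 3 is the MyTrusted_CA workaround from Sergej's steps, which works but has to be repeated for every intermediate a server fails to send.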
