
Let's Encrypt Certificate Authority - unknown

Hello - we're seeing some sites blocked under the Unknown Certificate Authorities rule when their certs were issued by Let's Encrypt (see: Let's Encrypt - Wikipedia, the free encyclopedia or )

They seem to be very new and aren't in the managed lists yet.  Am wondering if it's just a case that "they aren't there yet", or if they're not there for a reason?

thanks in advance


4 Replies

Re: Let's Encrypt Certificate Authority - unknown

We saw it also

Let's Encrypt Sites results in

CertificateChain,FirstKnownCAIsTrusted = FALSE and this results in a block page.

In case of

we have

Issuer: Let's Encrypt Authority X3

Path #1: Trusted by

1. Server certificate
   Fingerprint SHA1: e6ef7935b31f38df2a676045516b1934fb28df91
   Pin SHA256: DSc5/7yjIvZr19BmDJRsEzlruqWha1fav82ilI9QvJw=
   RSA 2048 bits (e 65537) / SHA256withRSA

2. Let's Encrypt Authority X3 (Extra download)
   Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
   Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
   RSA 2048 bits (e 65537) / SHA256withRSA

3. DST Root CA X3 (In trust store, self-signed)
   Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
   Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

How can we trust Let's Encrypt also?

McAfee Employee smasnizk
Message 3 of 5

Re: Let's Encrypt Certificate Authority - unknown


It is possible to create your own trusted CA list where you can manage your own CAs.

Step 1


Create new "MyTrusted_CA" list

Step 2


Add the required certificate to your own list. These could be exported, for example, from the website ""


Each certificate is delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". You will need to create two files, each with a separate certificate. Sample attached.

Step 3

Edit your "Certificate Chain" settings. In my case it is "default"


Choose your recently created "MyTrusted_CA" list and save the configuration.

When testing this website you will now notice you are redirected to Google without any certificate error.


Re: Let's Encrypt Certificate Authority - unknown

I already created such an entry and everything works, but why do I have to create such an entry...

We trust the root CA, and Let's Encrypt is trusted by DST Root CA X3, so I expect we can also trust Let's Encrypt automatically.

Otherwise would we have to import all CAs? This won't scale...

McAfee Employee smasnizk
Message 5 of 5

Re: Let's Encrypt Certificate Authority - unknown

When you check this using openssl commands you will find an incomplete certificate chain:

openssl s_client -showcerts -connect


depth=0 CN =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Server certificate
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3


No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 1957 bytes and written 415 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7643E5CBBF0F96127934E3D7B7037C33889A1011A0E3219102689390B0F0C0B8
    Master-Key: 0708CB4DE54B312133BBB1503B0CBA78B101035675313FE0B9A89BE49FD18767B65406A1E6FFC8BD1947A0D63DF040E5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    0000 - b6 34 6b a8 47 76 f4 93-87 c0 dd 60 92 d6 2e 63   .4k.Gv.....`...c
    0010 - 20 cb 84 9c 02 46 87 f8-0e b1 84 88 6b b9 64 56    ....F......k.dV
    0020 - aa a9 fb 84 92 83 b3 38-0a 6f de 74 d5 21 61 66   .......8.o.t.!af
    0030 - 87 6e e3 8f d9 5c da 33-7c 89 17 3a 0c 00 5e 3f   .n...\.3|..:..^?
    0040 - 88 ee ed d3 95 dd 7b 09-d5 14 d3 7f 69 89 e3 0e   ......{.....i...
    0050 - 99 ac 88 b9 42 90 7a bb-a9 b8 dc cd 37 2f 48 7b   ....B.z.....7/H{
    0060 - 0f 39 5c 86 b1 7b 95 c6-36 2d f3 15 3e 51 d3 ba   .9\..{..6-..>Q..
    0070 - 33 bc 9e 51 28 73 ea 52-fc e1 8b 4c ad 12 f5 01   3..Q(s.R...L....
    0080 - 69 9c 95 ec f6 e2 78 90-7a c4 00 83 14 31 3b 21   i.....x.z....1;!
    0090 - 96 a7 af 8d fd 28 82 9f-03 cc d7 7c f1 51 33 e8   .....(.....|.Q3.
    00a0 - 7c fb bd fc a1 dc 17 36-9e eb f5 2d 50 36 33 37   |......6...-P637

    Start Time: 1481539049
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)



At the end you should see 3 certificates: Root CA > Intermediate CA > Server Cert.

To compare how it should look, you can check any other provider like Wikipedia or Google:

openssl s_client -showcerts -connect
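The chain walk that the SSL Labs path in message 2, the custom "MyTrusted_CA" list in message 3 and the openssl output above all turn on, as an added example (editor's code, not from this thread or from McAfee): parse the "Certificate chain" section that `openssl s_client -showcerts` prints, then follow issuer-to-subject links until a subject in the local trust store is reached, reporting the first issuer that is neither presented by the server nor trusted. The two transcripts are constructed (PEM bodies are placeholders), the trust store is keyed by subject name as s_client prints it, the subject string assumed for DST Root CA X3 is the one openssl prints for that root, and links are matched by name only, without signature verification, which real chain building (the gateway, OpenSSL) also performs.

```python
"""Added example (editor's code, not from the thread or from McAfee):
walk the certificate chain a server presents, the way the replies above
read it from SSL Labs and from `openssl s_client -showcerts`, and report
the first issuer that is neither presented nor in the local trust store.

Simplification: links are matched by subject/issuer name only; real
chain building (the gateway, OpenSSL) also verifies each signature.
All transcripts below are constructed; PEM bodies are placeholders.
"""
import re

# Constructed: what the thread's server sends, the leaf only.
INCOMPLETE = """\
Certificate chain
 0 s:/CN=www.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
"""

# Constructed: a correctly configured server that also sends the intermediate.
COMPLETE = """\
Certificate chain
 0 s:/CN=www.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
"""

# Trust store as the gateway in the thread has it: the DST root is known,
# the Let's Encrypt intermediate is not.  Keyed by subject as s_client
# prints it (the DST subject string is assumed, not taken from the thread).
TRUST_STORE = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}
LE_X3 = "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"

# One "N s:<subject> / i:<issuer> / PEM" entry of the -showcerts output.
ENTRY_RE = re.compile(
    r"^[ \t]*\d+ s:(?P<subject>[^\n]*)\n[ \t]*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)


def parse_chain(transcript):
    """Return [(subject, issuer, pem)] in the order the server sent them."""
    return [(m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in ENTRY_RE.finditer(transcript)]


def verify_chain(chain, trust_store):
    """Walk leaf-first through the presented certificates.

    Returns ('trusted', root)       when an issuer is in trust_store,
            ('incomplete', issuer)  when an issuer is neither presented nor
                                    trusted (the thread's case),
            ('untrusted', issuer)   when the chain ends in an unknown
                                    self-signed certificate or loops,
            ('empty', None)         when nothing was presented.
    """
    if not chain:
        return "empty", None
    by_subject = {subj: iss for subj, iss, _ in chain}
    subject, issuer = chain[0][0], chain[0][1]
    seen = set()
    while True:
        if issuer in trust_store:
            return "trusted", issuer
        if issuer == subject or issuer in seen:
            return "untrusted", issuer
        seen.add(subject)
        if issuer not in by_subject:
            return "incomplete", issuer
        subject, issuer = issuer, by_subject[issuer]


def pem_files(chain):
    """One PEM text per presented certificate, keyed by a file name made
    from the CN, so the intermediate can go into a custom CA list as a
    file of its own (one certificate per file, as in the steps above)."""
    files = {}
    for subject, _, pem in chain:
        cn = subject.rsplit("CN=", 1)[-1]
        files[re.sub(r"[^A-Za-z0-9]+", "_", cn).strip("_") + ".pem"] = pem + "\n"
    return files


if __name__ == "__main__":
    for label, text in (("leaf only", INCOMPLETE), ("leaf + X3", COMPLETE)):
        print(label, "->", verify_chain(parse_chain(text), TRUST_STORE))
    # The thread's workaround: add the intermediate to the trusted list.
    print("leaf only, X3 trusted ->",
          verify_chain(parse_chain(INCOMPLETE), TRUST_STORE | {LE_X3}))
```

Run against a real capture, the leaf-only transcript yields `('incomplete', '/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3')`, which names exactly the certificate the custom list needs, and `pem_files` hands that certificate over as its own file. Adding the intermediate to the store turns the same transcript into `trusted`, which is why the workaround in message 3 works; the durable fix is on the server side, sending the intermediate so that every client, not only browsers that fetch or cache it, can build the chain.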

