Let's Encrypt Certificate Authority - unknown

Hello - we're seeing some sites blocked under the Unknown Certificate Authorities rule when their certs were issued by Let's Encrypt (see: Let's Encrypt - Wikipedia, the free encyclopedia or )

They seem to be very new and aren't in the managed lists yet.  Am wondering if it's just a case that "they aren't there yet", or if they're not there for a reason?

thanks in advance


4 Replies

Re: Let's Encrypt Certificate Authority - unknown

We saw it also.

Let's Encrypt sites result in CertificateChain.FirstKnownCAIsTrusted = FALSE, and this results in a block page.

In the case of

we have

Issuer: Let's Encrypt Authority X3

Path #1: Trusted by

1. Server certificate
   Fingerprint SHA1: e6ef7935b31f38df2a676045516b1934fb28df91
   Pin SHA256: DSc5/7yjIvZr19BmDJRsEzlruqWha1fav82ilI9QvJw=
   RSA 2048 bits (e 65537) / SHA256withRSA

2. Extra download: Let's Encrypt Authority X3
   Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
   Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
   RSA 2048 bits (e 65537) / SHA256withRSA

3. In trust store: DST Root CA X3 (self-signed)
   Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
   Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

How can we trust Let's Encrypt also?

smasnizk (McAfee Employee)

Re: Let's Encrypt Certificate Authority - unknown


It is possible to create your own trusted CA list where you can manage your own CAs.

Step 1

Create a new "MyTrusted_CA" list.

Step 2

Add the required certificates to your own list. These could be exported, for example, from the website "".

Each certificate is delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". You will need to create two files, one per certificate. Sample attached.

Step 3

Edit your "Certificate Chain" settings. In my case it is "default".

Choose your recently created "MyTrusted_CA" list and save the configuration.

When testing this website you will now notice you are redirected to Google without any certificate error.


Re: Let's Encrypt Certificate Authority - unknown

I already created such an entry and all works, but why do I have to create such an entry?

We trust the root CA, and Let's Encrypt is trusted by DST Root CA X3. So I expect we can also trust Let's Encrypt automatically.

Otherwise we would have to import all CAs? This won't scale...

smasnizk (McAfee Employee)

Re: Let's Encrypt Certificate Authority - unknown

When you check this using openssl commands, you will find an incomplete certificate chain:

openssl s_client -showcerts -connect


depth=0 CN =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Server certificate
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 1957 bytes and written 415 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7643E5CBBF0F96127934E3D7B7037C33889A1011A0E3219102689390B0F0C0B8
    Master-Key: 0708CB4DE54B312133BBB1503B0CBA78B101035675313FE0B9A89BE49FD18767B65406A1E6FFC8BD1947A0D63DF040E5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    0000 - b6 34 6b a8 47 76 f4 93-87 c0 dd 60 92 d6 2e 63   .4k.Gv.....`...c
    0010 - 20 cb 84 9c 02 46 87 f8-0e b1 84 88 6b b9 64 56    ....F......k.dV
    0020 - aa a9 fb 84 92 83 b3 38-0a 6f de 74 d5 21 61 66   .......8.o.t.!af
    0030 - 87 6e e3 8f d9 5c da 33-7c 89 17 3a 0c 00 5e 3f   .n...\.3|..:..^?
    0040 - 88 ee ed d3 95 dd 7b 09-d5 14 d3 7f 69 89 e3 0e   ......{.....i...
    0050 - 99 ac 88 b9 42 90 7a bb-a9 b8 dc cd 37 2f 48 7b   ....B.z.....7/H{
    0060 - 0f 39 5c 86 b1 7b 95 c6-36 2d f3 15 3e 51 d3 ba   .9\..{..6-..>Q..
    0070 - 33 bc 9e 51 28 73 ea 52-fc e1 8b 4c ad 12 f5 01   3..Q(s.R...L....
    0080 - 69 9c 95 ec f6 e2 78 90-7a c4 00 83 14 31 3b 21   i.....x.z....1;!
    0090 - 96 a7 af 8d fd 28 82 9f-03 cc d7 7c f1 51 33 e8   .....(.....|.Q3.
    00a0 - 7c fb bd fc a1 dc 17 36-9e eb f5 2d 50 36 33 37   |......6...-P637
    Start Time: 1481539049
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


-> At the end you should see 3 certificates: Root CA > Intermediate CA > Server Cert.

To compare how it should look, you can check any other provider like Wikipedia or Google:

openssl s_client -showcerts -connect
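The following POSIX shell script is an added example; it is not code from this thread, from McAfee or from Let's Encrypt. It reproduces offline what the two openssl posts above show and what the "one certificate per file" step of the MyTrusted_CA answer needs. It builds a throwaway PKI of the same shape SSL Labs reported for the blocked site (root > intermediate > server certificate; the names "Test Root", "Test Intermediate" and www.example.test are made up), then runs openssl verify once against what a correctly configured server sends (leaf followed by the intermediate) and once against what the blocked site sends (leaf alone). The second run ends in error 20, "unable to get local issuer certificate": the intermediate is neither in the served chain nor in the trust store, which is the "Extra download" entry SSL Labs flagged and the reason the gateway cannot link the site to DST Root CA X3 on its own. The script assumes openssl 1.1.1 or later on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from McAfee. Rebuilds the
# incomplete-chain failure with a throwaway PKI and shows the PEM bundle split.
# Assumes openssl 1.1.1+ on PATH; every name below is made up for the test.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue one certificate. $1 = file stem, $2 = subject, $3 = issuer stem ("" for
# self-signed), $4 = extension file ("" for none). Keys are unencrypted test keys.
issue_cert() {
    name=$1; subj=$2; issuer=$3; ext=$4
    # Minimal req config so the script does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
    if [ -z "$issuer" ]; then
        set -- -signkey "$WORK/$name.key"
    else
        set -- -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial
    fi
    if [ -n "$ext" ]; then
        set -- "$@" -extfile "$ext"
    fi
    openssl x509 -req -days 2 -in "$WORK/$name.csr" "$@" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Root > intermediate > server certificate, the shape SSL Labs showed above.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    issue_cert root "/CN=Test Root" "" "$WORK/ca.ext" || return 1
    issue_cert int  "/CN=Test Intermediate" root "$WORK/ca.ext" || return 1
    issue_cert leaf "/CN=www.example.test" int "" || return 1
    # A correctly configured server sends the leaf followed by the intermediate.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_complete.pem"
    # The blocked site sends the leaf alone ("Extra download" in the SSL Labs path).
    cp "$WORK/leaf.pem" "$WORK/served_incomplete.pem"
}

# Split a PEM bundle ($1) into $2-1.pem, $2-2.pem, ...: the one-certificate-per-
# file form the MyTrusted_CA list wants. Text between certificates (for example
# the subject lines in s_client -showcerts output) is dropped. Prints the count.
split_pem_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Verify what a server sent ($1, leaf first) against root.pem, passing everything
# after the leaf as untrusted extra material, as a TLS client or the gateway does.
# Prints OK, or the openssl verify error number on failure (20 = unable to get
# local issuer certificate: the intermediate was neither sent nor in the store).
chain_verify_status() {
    count=$(split_pem_bundle "$1" "$WORK/served")
    set --
    i=2
    while [ "$i" -le "$count" ]; do
        set -- "$@" -untrusted "$WORK/served-$i.pem"
        i=$((i + 1))
    done
    out=$(openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/served-1.pem" 2>&1) || true
    case $out in
        *": OK"*) echo OK; return 0 ;;
    esac
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    return 1
}

make_test_pki || { echo "could not build the test PKI (is openssl installed?)" >&2; exit 1; }
echo "leaf + intermediate sent: $(chain_verify_status "$WORK/served_complete.pem")"
echo "leaf only sent:           $(chain_verify_status "$WORK/served_incomplete.pem")"
```

Run it as-is; it prints OK for the complete chain and 20 for the leaf-only chain, the same error number the s_client output above reports at depth 0. Pointing split_pem_bundle at a bundle you downloaded yields the separate files the MyTrusted_CA list needs, but adding the intermediate to the gateway only masks the site's misconfiguration; the durable fix is for the site operator to serve the intermediate, as the Wikipedia or Google comparison in the reply shows.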

