Let's Encrypt Certificate Authority - unknown

Hello - we're seeing some sites blocked under the Unknown Certificate Authorities rule when their certs were issued by Let's Encrypt (see: Let's Encrypt - Wikipedia, the free encyclopedia, or https://letsencrypt.org/).

They seem to be very new and aren't in the managed lists yet. I am wondering if it's just a case that "they aren't there yet", or if they're not there for a reason?

thanks in advance

Ronan

4 Replies

Re: Let's Encrypt Certificate Authority - unknown

We saw it also.

Let's Encrypt sites result in CertificateChain,FirstKnownCAIsTrusted = FALSE, and this results in a block page.

In the case of https://www.plueto.de/ we have:

Issuer: Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/

Path #1: Trusted
(https://www.ssllabs.com/ssltest/getTestTrustPath?d=www.plueto.de&s=87.163.223.37&cid=4e61ba64947bf25...)

1. Sent by server: www.plueto.de
   Fingerprint SHA1: e6ef7935b31f38df2a676045516b1934fb28df91
   Pin SHA256: DSc5/7yjIvZr19BmDJRsEzlruqWha1fav82ilI9QvJw=
   RSA 2048 bits (e 65537) / SHA256withRSA

2. Extra download: Let's Encrypt Authority X3
   Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
   Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
   RSA 2048 bits (e 65537) / SHA256withRSA

3. In trust store: DST Root CA X3 (self-signed)
   Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
   Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

How can we trust Lets-Encrypt also?

McAfee Employee smasnizk

Re: Let's Encrypt Certificate Authority - unknown

Frank,

it is possible to create your own trusted CA list where you can manage your own CAs.

Step 1

[screenshot: mytrustedca.JPG]

Create a new "MyTrusted_CA" list.

Step 2

[screenshot: mytrustedca1.JPG]

Add the required certificate to your own list. These can be exported, for example, from the website "www.ssllabs.com".

[screenshot: certpath.JPG]

Each certificate is delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". You will need to create two files, each with a separate certificate. Sample attached.

Step 3

Edit your "Certificate Chain" settings. In my case it is "default".

[screenshot: cert_chain.JPG]

Choose your recently created "MyTrusted_CA" list and save the configuration.

By testing this website you will now notice you're redirected to Google without any certificate error.

-Sergej

Re: Let's Encrypt Certificate Authority - unknown

I already created such an entry and all works, but why do I have to create such an entry....

We trust the root CA, and Let's Encrypt is trusted by DST Root CA X3. So I expect we can also trust Let's Encrypt automatically.

Otherwise we would have to import all CAs? This won't scale...

McAfee Employee smasnizk

Re: Let's Encrypt Certificate Authority - unknown

When you check this using openssl commands you will find an incomplete certificate chain:

openssl s_client -showcerts -connect www.plueto.de:443

CONNECTED(00000003)
depth=0 CN = www.plueto.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.plueto.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.plueto.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAgISA3CHPStjQib1TBYZbcD6jBITMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjExMTEwNzMyMDBaFw0x
NzAyMDkwNzMyMDBaMBgxFjAUBgNVBAMTDXd3dy5wbHVldG8uZGUwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+6NWQEbPEW79PNKiASEj8/b8OnfUvXsNQ
FC6txfiiUJMbz4mKhcWsiS2zprEef6Su+qTea5WIzXxoKQ6OvEsa+IS/RH/rQH2V
AZqCWU+kLCJ452HXjnfol4gC8a4u/FPZp/d5ius2fDZ90QaOHkbFFxXz+agBbJtw
GEVFoVVFxLEaONrgKaIGK1o7k5qUbZl27hbPSUfW7xIH2ZMURkrNoSUxchGxockW
9lhdyJh8XI6xY63Sy4l9DnFZEdpmlswXBjgHVy+WFq/IcZrehK/iJ7GqNlnw2Gzk
y5GU33KO+4MM5ofqRe9wbFt2FW/eWM8DUPLODQwsmLief/FfT9OLAgMBAAGjggIO
MIICCjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFUd2K+UNz1ZF+K/bw+bxnQZuFax
MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEBBGQw
YjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMBgGA1UdEQQRMA+CDXd3dy5wbHVldG8uZGUwgf4GA1UdIASB9jCB8zAIBgZn
gQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmlj
YXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBh
bmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGlj
eSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzAN
BgkqhkiG9w0BAQsFAAOCAQEAPUMef7ys3xMRYnyY3dzCnFleXCjqVT99Sv8u1b4z
mdOgNP6ohd67pzSGEgVZzZ6NygCqBtENizrMFkQ6ANfEUGA/xwt/EGAIe0EagUhN
Uj3ZN7+JaKgJ6coTIvdSom0zVdqG1ZZ7B9TLbtbBm/1pI9j43oo+8/EeGe5VkyN0
cZgY4/rmVYCK0UyaC/dTZhLR/BhXB1pS+gZy3NtlJwy5P7upmiA8xhzSKk35HiSA
draybDlo2atyZi99miSg4aIX/8Syn8dg5qynEwOTYF2GC9XYPJpird7w76hOfidr
Y27V5HAD5F+yCrOKNowInIJcPUsb+3GoCt37YW2KRmYVuQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.plueto.de
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1957 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7643E5CBBF0F96127934E3D7B7037C33889A1011A0E3219102689390B0F0C0B8
    Session-ID-ctx:
    Master-Key: 0708CB4DE54B312133BBB1503B0CBA78B101035675313FE0B9A89BE49FD18767B65406A1E6FFC8BD1947A0D63DF040E5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    0000 - b6 34 6b a8 47 76 f4 93-87 c0 dd 60 92 d6 2e 63   .4k.Gv.....`...c
    0010 - 20 cb 84 9c 02 46 87 f8-0e b1 84 88 6b b9 64 56    ....F......k.dV
    0020 - aa a9 fb 84 92 83 b3 38-0a 6f de 74 d5 21 61 66   .......8.o.t.!af
    0030 - 87 6e e3 8f d9 5c da 33-7c 89 17 3a 0c 00 5e 3f   .n...\.3|..:..^?
    0040 - 88 ee ed d3 95 dd 7b 09-d5 14 d3 7f 69 89 e3 0e   ......{.....i...
    0050 - 99 ac 88 b9 42 90 7a bb-a9 b8 dc cd 37 2f 48 7b   ....B.z.....7/H{
    0060 - 0f 39 5c 86 b1 7b 95 c6-36 2d f3 15 3e 51 d3 ba   .9\..{..6-..>Q..
    0070 - 33 bc 9e 51 28 73 ea 52-fc e1 8b 4c ad 12 f5 01   3..Q(s.R...L....
    0080 - 69 9c 95 ec f6 e2 78 90-7a c4 00 83 14 31 3b 21   i.....x.z....1;!
    0090 - 96 a7 af 8d fd 28 82 9f-03 cc d7 7c f1 51 33 e8   .....(.....|.Q3.
    00a0 - 7c fb bd fc a1 dc 17 36-9e eb f5 2d 50 36 33 37   |......6...-P637
    Start Time: 1481539049
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed

-> At the end you should see 3 certificates: Root CA > Intermediate CA > Server Cert.

To compare how it should look, you can check any other provider, such as Wikipedia or Google:

openssl s_client -showcerts -connect www.wikipedia.de:443

-Sergej
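The chain walk behind Frank's CertificateChain,FirstKnownCAIsTrusted = FALSE and Sergej's openssl output, as an added Python example that is not from McAfee or from anyone in this thread: it parses the "Certificate chain" section of `openssl s_client -showcerts` output, then applies a FirstKnownCAIsTrusted-style check against a trusted-CA set, first with only the root trusted (the default list) and then with the Let's Encrypt intermediate added (the MyTrusted_CA list). The check logic is my reading of the rule, not the product's actual implementation; the s_client excerpts and the DST Root DN are constructed sample data.

```python
import re

# Constructed s_client excerpt: the server in the thread sends only its leaf.
INCOMPLETE_CHAIN = """\
Certificate chain
 0 s:/CN=www.plueto.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

# Constructed s_client excerpt of a correctly configured server (leaf + intermediate).
COMPLETE_CHAIN = """\
Certificate chain
 0 s:/CN=www.plueto.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Assumed trust lists: the default one holds the root only; MyTrusted_CA adds
# the intermediate, which is the workaround described in the thread.
DEFAULT_TRUSTED = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}
MYTRUSTED_CA = DEFAULT_TRUSTED | {"/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    pairs = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", text, re.MULTILINE)
    return [(s.strip(), i.strip()) for s, i in pairs]

def first_unsent_issuer(chain):
    """Name the first issuer that the server did not include in its chain.
    The proxy must already know this certificate, or validation stops here."""
    subjects = {s for s, _ in chain}
    for _, issuer in chain:
        if issuer not in subjects:
            return issuer
    return None

def first_known_ca_is_trusted(chain, trusted):
    """FirstKnownCAIsTrusted-style check (assumed logic): walk up from the leaf.
    As soon as an issuer is in the trusted set the chain is accepted; if an
    issuer is neither trusted nor sent by the server, the chain is rejected."""
    subjects = {s for s, _ in chain}
    for _, issuer in chain:
        if issuer in trusted:
            return True
        if issuer not in subjects:
            return False
    return False
```

With the default list the incomplete chain is rejected and the complete one accepted, which is why the block only hits servers that omit the intermediate; adding the intermediate to MyTrusted_CA makes the incomplete chain pass too.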
