4 Replies Latest reply on Dec 12, 2016 4:46 AM by smasnizk

    Let's Encrypt Certificate Authority - unknown

    ronanfahy

      Hello - we're seeing some sites blocked under the Unknown Certificate Authorities rule when their certs were issued by Let's Encrypt (see: Let's Encrypt - Wikipedia, the free encyclopedia or https://letsencrypt.org/ )

       

      They seem to be very new and aren't in the managed lists yet.  Am wondering if it's just a case that "they aren't there yet", or if they're not there for a reason?

       

      thanks in advance

      Ronan

        • 1. Re: Let's Encrypt Certificate Authority - unknown
          feickholt

We saw it also.

Let's Encrypt sites result in CertificateChain,FirstKnownCAIsTrusted = FALSE and this results in a block page.

           

          In case of https://www.plueto.de/

          we have

Issuer: Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/

           

Path #1: Trusted
https://www.ssllabs.com/ssltest/getTestTrustPath?d=www.plueto.de&s=87.163.223.37&cid=4e61ba64947bf255bce2e9a7706cbfb846787bb59f11fd1ffd64316fed3b2cef&time=1481291245218&id=1

1. Sent by server: www.plueto.de
   Fingerprint SHA1: e6ef7935b31f38df2a676045516b1934fb28df91
   Pin SHA256: DSc5/7yjIvZr19BmDJRsEzlruqWha1fav82ilI9QvJw=
   RSA 2048 bits (e 65537) / SHA256withRSA

2. Extra download: Let's Encrypt Authority X3
   Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
   Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
   RSA 2048 bits (e 65537) / SHA256withRSA

3. In trust store: DST Root CA X3 (self-signed)
   Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
   Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

           

How can we trust Let's Encrypt also?

          • 2. Re: Let's Encrypt Certificate Authority - unknown
            smasnizk

            Frank,

             

It is possible to create your own trusted CA list where you can manage your own CAs.

Step 1

[image: mytrustedca.JPG]

Create a new "MyTrusted_CA" list.

Step 2

[image: mytrustedca1.JPG]

Add the required certificates to your own list. These can be exported, for example, from the website "www.ssllabs.com".

[image: certpath.JPG]

Each certificate is delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". You will need to create two files, one per certificate. Sample attached.

Step 3

Edit your "Certificate Chain" settings. In my case it is "default".

[image: cert_chain.JPG]

Choose your recently created "MyTrusted_CA" list and save the configuration.

By testing this website you will now notice you're redirected to Google without any certificate error.

             

            -Sergej

            • 3. Re: Let's Encrypt Certificate Authority - unknown
              feickholt

I already created such an entry and it all works, but why do I have to create such an entry?

We trust the root CA, and Let's Encrypt is trusted by DST Root CA X3. So I expect we can also trust Let's Encrypt automatically.

Otherwise we would have to import all CAs? This won't scale...

              • 4. Re: Let's Encrypt Certificate Authority - unknown
                smasnizk

When you check this using openssl commands you will find an incomplete certificate chain:

                 

                 

openssl s_client -showcerts -connect www.plueto.de:443
CONNECTED(00000003)
depth=0 CN = www.plueto.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.plueto.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.plueto.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.plueto.de
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1957 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7643E5CBBF0F96127934E3D7B7037C33889A1011A0E3219102689390B0F0C0B8
    Session-ID-ctx:
    Master-Key: 0708CB4DE54B312133BBB1503B0CBA78B101035675313FE0B9A89BE49FD18767B65406A1E6FFC8BD1947A0D63DF040E5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:


    Start Time: 1481539049
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed

-> At the end you should see 3 certificates: Root CA > Intermediate CA > Server Cert.

                 

To compare how it should look, you can check any other provider like Wikipedia or Google:

                 

                openssl s_client -showcerts -connect  www.wikipedia.de:443

                 

                -Sergej
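An added example (not from this thread or from the gateway product) that mechanises Sergej's check: it parses `openssl s_client -showcerts` output and walks the served chain against a set of trust-store subjects, reporting the first issuer that is neither served nor trusted, which is what a "first known CA is trusted" rule trips over. The s_client excerpts are constructed to mirror the thread, and the subject DN used for DST Root CA X3 is an assumption.

```python
import re

CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/CN=www.plueto.de"
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/O=Let's Encrypt/..."
# Constructed trust store (the DN of DST Root CA X3 is written here as an assumption).
TRUSTED = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}
# Constructed s_client excerpt mirroring the thread: only the leaf is served.
INCOMPLETE = """\
Certificate chain
 0 s:/CN=www.plueto.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
"""
# Same server after it is configured to send the intermediate as well (constructed).
COMPLETE = INCOMPLETE.replace("-----END CERTIFICATE-----\n",
    "-----END CERTIFICATE-----\n 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3\n"
    "   i:/O=Digital Signature Trust Co./CN=DST Root CA X3\n")

def parse_chain(output):
    """Return [(index, subject, issuer), ...] from the 'Certificate chain' block."""
    certs, pending = [], None
    for line in output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_LINE.match(line)
        if m and pending is not None:
            certs.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return certs

def walk_chain(certs, trusted_subjects):
    """Follow issuer links from cert 0 until an issuer is in the trust store.
    Returns ('trusted', anchor), ('issuer_not_found', issuer that was neither
    served nor trusted, the thread's case) or ('untrusted_root', self-signed top)."""
    by_subject = {c[1]: c for c in certs}
    cur, seen = next((c for c in certs if c[0] == 0), None), set()
    while cur is not None and cur[1] not in seen:   # 'seen' guards against issuer loops
        seen.add(cur[1])
        _, subject, issuer = cur
        if issuer in trusted_subjects:
            return "trusted", issuer
        if issuer == subject:
            return "untrusted_root", subject
        if issuer not in by_subject:
            return "issuer_not_found", issuer
        cur = by_subject[issuer]
    return "no_chain", None
```

Run it on real `s_client` output captured to a file to see which issuer the gateway would have to fetch via AIA or have pre-loaded in its own CA list.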