by Someone1234 3933 days ago
This is a tiny bit odd. So they have issued their first certificate, but they don't have cross-signing in place yet? So between now and November 16th they'll be issuing a whole bunch of effectively broken certificates unless people manually install their root CA?

Why even push this today if you don't have cross-signing available? Without that Let's Encrypt is effectively broken out of the box.

PS - I actually like Let's Encrypt and the work they're doing. I will be all queued up when they go live to grab one (and, yes, will put my money where my mouth is and donate). But doing this today without cross-signing seems strange.


We need to demonstrate proper issuance under our root and gain confidence in our live systems before getting cross-signed. Issuing without a cross-signature for a bit is how we do this.
It's a bootstrapping process. I don't think they can be accepted as a root certificate until they have proved their automated issuing system is working.

One way to prove that their automated issuing system is working is to turn it on.

Looks like they have set it up to only issue certificates for white-listed domains in the beta program, and they will switch to general availability in the week of November 16th.

Baby steps. This is a huge step forward, and I'm willing to cut them some slack considering they're about to shake up an entire industry.

EDIT: Kudos everyone working on Let's Encrypt. You're doing awesome work.

For real. This is so damn awesome I feel like letting out a Howard Dean-like yell.
+1, this is a huge step in the right direction.
> A cross-signature will be in place before general availability.

https://letsencrypt.org/2015/08/07/updated-lets-encrypt-laun...

What about after general availability?
You should read back over their blog to see how much planning has gone into this so far. This isn't a single-file LAMP app running on a VPS; they're setting up a CA trustworthy enough to have its roots in all the major browsers.
You keep saying the word "broken" when nothing is broken at all, just the certificates are only useful in limited contexts.
Even a "useful in limited contexts" clock is right twice a day.
Except this isn't a clock, it is an SSL certificate.
oh
They aren't making it generally available to the public yet, only to certain beta folks who know what they are getting. It isn't broken out of the box since it isn't 'out of the box' yet.
According to TFA, Firefox already trusts this cert.
Firefox doesn't trust the cert yet. The application to be added to the root store is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
Incorrect. Inclusion into the Firefox root store is being tracked in https://bugzil.la/1204656 and has not yet been resolved.

Firefox trusts the cert on TFA because letsencrypt.org itself is using a certificate signed by IdenTrust.

Looking at http://helloworld.letsencrypt.org/ I see:

> Let's Encrypt hasn't yet been added as a trusted authority to the major browsers (that will be happening soon), so for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link.

Wow, the Firefox process to add a root is pretty simple! Downloading a file is more difficult. Adding an exception for a self-signed cert is scary.

But adding a new root? Little popup, check a box and OK-you-go!

It's scary how easy it is to add new roots on all major platforms. You just click on the CA link and get a response with the appropriate MIME type back, then:

* Windows gives you a helpful little wizard wherein you click "next" a few times.

* Firefox gives you a dialog with 3 checkboxes; check them and click okay.

* iOS sends you to settings, and asks you if you want to trust the given CA.

* OS X hands it to Keychain Access, where you have to select 'trust' from a dropdown and maybe enter a keychain password; it's a bit less intuitive.

* Chrome uses the OS trust store, so it hands it off to the OS while claiming it's a dangerous filetype.

You're incorrect about Windows. If you just click Next several times, the cert will not be added to the trusted store. To do that you'll have to override the default settings in a non-trivial way (deselect "Choose cert store automatically" and select the correct cert store) on one of the steps.

I'm sure that's intentional design.

Ah, that is a bit misleading. When it says "just click the link," it's referring to the process for installing the root certificate.

It should read "specifics will depend on your browser. In Firefox, just click the link [to the .der file, and you will see a prompt allowing you to trust it.]" It looks like this: http://imgur.com/dzC89xI

Without importing the root, Firefox absolutely distrusts https://helloworld.letsencrypt.org/, and will do so until Bug 1204656 is marked RESOLVED FIXED. :)

Actually, 1204656 doesn't need to be fixed in order to get Firefox to accept this cert. As https://letsencrypt.org/certificates/ explains,

> IdenTrust will cross-sign our intermediates. This will allow our end certificates to be accepted by all major browsers while we propagate our own root.

The cross-signature is expected to happen before the mainstream browsers finish processing our application to be a root CA. That will be the main initial mechanism by which browsers trust our certificates.
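
The mechanism described above, as an added example that is not part of the thread or of Let's Encrypt's own tooling: a throwaway PKI built with the openssl CLI (assumed to be on PATH) in which one intermediate key is certified twice, once by a new root that nobody trusts yet and once, cross-signed, by an established root. The same leaf certificate then validates against either root, depending on which intermediate certificate is presented alongside it. All names (Toy New Root, Toy Established Root, helloworld.example) are constructed.

```shell
#!/bin/sh
# Added example: demonstrate why a cross-signed intermediate lets a leaf
# validate against an established root while a new root is still being
# propagated. Keys and certificates are throwaway; names are constructed.
set -e

# build_toy_pki: creates the PKI in a fresh temp dir and prints its path.
build_toy_pki() {
  dir=$(mktemp -d)
  cd "$dir"

  # Two independent self-signed roots: the new root (not yet in browser
  # trust stores) and an established root that agrees to cross-sign.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout new-root.key \
    -out new-root.pem -subj "/CN=Toy New Root" -days 3 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout old-root.key \
    -out old-root.pem -subj "/CN=Toy Established Root" -days 3 2>/dev/null

  # One intermediate key and one CSR ...
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Toy Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

  # ... certified twice: by the new root, and (cross-signed) by the old root.
  # Both certificates carry the same subject and the same public key.
  openssl x509 -req -in int.csr -CA new-root.pem -CAkey new-root.key \
    -CAcreateserial -out int-by-new.pem -days 2 -extfile ca.ext 2>/dev/null
  openssl x509 -req -in int.csr -CA old-root.pem -CAkey old-root.key \
    -CAcreateserial -out int-by-old.pem -days 2 -extfile ca.ext 2>/dev/null

  # A leaf certificate signed with the intermediate key. Its issuer name is
  # "Toy Intermediate", which matches either intermediate certificate.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=helloworld.example" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:helloworld.example\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int-by-new.pem -CAkey int.key \
    -CAcreateserial -out leaf.pem -days 1 -extfile leaf.ext 2>/dev/null

  echo "$dir"
}

# verify_chain ROOT INTERMEDIATE LEAF: prints "ok" or "fail" and returns 0/1.
# ROOT plays the role of the browser's trust store; INTERMEDIATE is what the
# server would send alongside the leaf.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  echo fail
  return 1
}

# Stand-alone demonstration (the toy trust store is just a file here).
pki=$(build_toy_pki)
printf 'new root trusted, new-root-signed intermediate: '
verify_chain "$pki/new-root.pem" "$pki/int-by-new.pem" "$pki/leaf.pem" || true
printf 'old root trusted, cross-signed intermediate:     '
verify_chain "$pki/old-root.pem" "$pki/int-by-old.pem" "$pki/leaf.pem" || true
printf 'old root trusted, new-root-signed intermediate: '
verify_chain "$pki/old-root.pem" "$pki/int-by-new.pem" "$pki/leaf.pem" || true
```

The third check is the situation the original poster worried about: a client that trusts only the established root, handed the intermediate chained to the new root, cannot build a path and rejects the leaf. The cross-signed intermediate fixes exactly that without reissuing any leaf certificates, which is why the cross-signature, not root-store inclusion, is what makes the leaves usable across browsers at launch.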

Touché :)
The ISRG root is not in FF [1][2]... you're visiting the HTTP version of that URL.

[1] http://idzr.org/y1pg

[2] http://idzr.org/ee91

Hmm, that's taking a long time assuming Mozilla itself is involved in the project.
My understanding is that Mozilla is primarily just a sponsor of ISRG, the non-profit behind Let's Encrypt. Some of their sponsorship includes dedicated engineering time, but Let's Encrypt still has to pass all the same audits and requirements as any other CA, as defined in the Mozilla CA Certificate Policy at https://www.mozilla.org/en-US/about/governance/policies/secu....

Mozilla's not a nepotist with regard to its root store. :-)