[callahad]

Incorrect. Inclusion into the Firefox root store is being tracked in https://bugzil.la/1204656 and has not yet been resolved.

Firefox trusts the cert on TFA because letsencrypt.org itself is using a certificate signed by IdenTrust.

[IgorPartola]

Looking at http://helloworld.letsencrypt.org/ I see:

> Let's Encrypt hasn't yet been added as a trusted authority to the major browsers (that will be happening soon), so for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link.

[MichaelGG]

Wow the Firefox process to add a root is pretty simple! Downloading a file is more difficult. Adding an exception for a self-signed cert is scary.

But adding a new root? Little popup, check a box and OK-you-go!

[alcari]

It's scary how easy it is to add new roots on all major platforms. You just click on the CA link and get a response with the appropriate MIME type back, then:

* Windows gives you a helpful little wizard wherein you click "next" a few times.

* Firefox gives you a dialog with 3 checkboxes; check them and click okay.

* iOS sends you to settings, and asks you if you want to trust the given CA.

* OS X hands it to Keychain Access, where you have to select 'trust' from a dropdown and maybe enter a keychain password; it's a bit less intuitive.

* Chrome uses the OS trust store, so it hands it off to the OS while claiming it's a dangerous filetype.

[kojoru]

You're incorrect about Windows. If you just click next several times the cert will not be added to trusted. To do that you'll have to override default settings in a non trivial way (deselect "Choose cert store automatically" and select the correct cert store) on one of the steps

I'm sure that's intentional design

[alcari]

Maybe it changed at some point (8?), or my memory's fuzzy. I haven't looked at it in several years.

Either way, trusting a root CA generally looks far less threatening than the self-signed certificate warnings.

[callahad]

Ah, that is a bit misleading. When it says "just click the link," it's referring to the process for installing the root certificate.

It should read "specifics will depend on your browser. In Firefox, just click the link [to the .der file, and you will see a prompt allowing you to trust it.]" It looks like this: http://imgur.com/dzC89xI

Without importing the root, Firefox absolutely distrusts https://helloworld.letsencrypt.org/, and will do so until Bug 1204656 is marked RESOLVED FIXED. :)

[schoen]

Actually, 1204656 doesn't need to be fixed in order to get Firefox to accept this cert. As https://letsencrypt.org/certificates/ explains,

> IdenTrust will cross-sign our intermediates. This will allow our end certificates to be accepted by all major browsers while we propagate our own root.

The cross-signature is expected to happen before the mainstream browsers finish processing our application to be a root CA. That will be the main initial mechanism by which browsers trust our certificates.

[callahad]

Touché :)

[aroch]

the iSRG root is not in FF[1][2]...you're visiting the http version of that URL.

1 http://idzr.org/y1pg

2 http://idzr.org/ee91

[eloy]

Hmm, that's taking a long time assuming Mozilla itself is involved in the project.

[callahad]

My understanding is that Mozilla is primarily just a sponsor of ISRG, the non-profit behind Let's Encrypt. Some of their sponsorship includes dedicated engineering time, but LetsEncrypt still has to pass all the same audits and requirements as any other CA, as defined in the Mozilla CA Certificate Policy at https://www.mozilla.org/en-US/about/governance/policies/secu....

Mozilla's not a nepotist with regard to its root store. :-)