Hacker News new | ask | show | jobs
by davidgerard 3641 days ago
We switched to Let's Encrypt literally because of this, so that's a direct penalty for their stupidity on this one ;-)

Do you know a writeup anywhere of the cert chain issue? (I ask for idle amusement, no way we're going back to them.)

Oh, and when I say "fully up to commercial use", we plan to use LE certs for our dev instances too (so we're SSL at all stages of development).
1 comments
technion 3640 days ago
No write up anywhere that I ever found. The best investigative tool is the SSLLabs SSL test, which will show you both possible paths from the cert. By looking at which certificates that test shows the server provided, you can divine which path things are going to take.

If you find yourself landing at a root CA which is newer and not trusted by as many devices, those devices won't intelligently realise it's cross-signed, unless you switch the certs the server offers to send them up that path.

link