Distrust of the Let's Encrypt certificate?

Until now I thought that cert.pem and privkey.pem were the only files to install, until I looked at the website on mobile and less common browsers: they just don't trust the certificate. So I think the other two files that are downloaded when a certificate is obtained via certbot set up "the path" of trust by which a browser verifies the authenticity of the certificate? Correct me if I am mistaken!
June 5th 19 at 21:41
3 answers
June 5th 19 at 21:43
Solution
The website (a TLS server in general) must provide the full chain of certificates confirming its own, except the root CA certificate, which under normal conditions is in the client's trust store. So yes, in addition to cert.pem you need to provide fullchain.pem too. The reason is that the client cannot know the whole PKI of every certification authority whose root certificate it holds, since in the general case it is dynamic, and subordinate certificates are re-issued every 1-5 years (LE with its three-month certificates may change its subCA several times a year), so the client can't obtain the whole chain of certificates on its own. Therefore the most logical solution is to store it on the server, since the server needs to know who signed its cert anyway, and let the server distribute it as needed.
Please answer a small question: what if my server wants to check the browser, where does it get the root certificate from, are they in the public domain? Or is it necessary to register somewhere? - Abraham_Rat commented on June 5th 19 at 21:46
Root certificates are usually baked into the browser or OS, but getting them is easy too; as a rule each CA makes its root certificate readily available. The address at which the root certificate of the chain that signed your certificate must be accessible can be obtained recursively using the AIA extension: it contains a direct link to the parent certificate, the same extension is in the cert one level higher, and so on up to the root. - sadie_Hop commented on June 5th 19 at 21:49
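The two points above (the server must hand out the intermediate, and the AIA extension tells a client where the parent certificate lives) can be reproduced offline with openssl. The script below is an added example, not code from the thread or from certbot: it builds a throwaway root -> intermediate -> leaf PKI, names the leaf files the way certbot does (privkey.pem, cert.pem, fullchain.pem), and then verifies the leaf as a client that trusts only the root would. All names and URLs (the .invalid hostnames, the directory) are constructed placeholders and nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not from the thread): toy PKI showing why cert.pem alone is not
# enough and what the AIA "CA Issuers" pointer looks like. All names and URLs
# are constructed placeholders.
set -eu
WORK=$(mktemp -d)

# Issue a certificate: $1 = CN, $2 = key out, $3 = cert out, $4 = extension
# file, $5/$6 = issuer cert/key (omitted for the self-signed root).
issue() {
    cn=$1; key=$2; crt=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$key" -out "$WORK/req.csr" 2>/dev/null
    if [ $# -eq 4 ]; then
        openssl x509 -req -in "$WORK/req.csr" -signkey "$key" -days 3650 \
            -sha256 -extfile "$ext" -out "$crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/req.csr" -CA "$5" -CAkey "$6" \
            -CAcreateserial -days 90 -sha256 -extfile "$ext" -out "$crt" 2>/dev/null
    fi
}

# X.509v3 extensions for each tier; the AIA caIssuers URI is the "link to the
# parent certificate" a client can follow upwards (placeholder URLs).
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.ext"
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'authorityInfoAccess=caIssuers;URI:http://pki.example.invalid/root.der' > "$WORK/inter.ext"
printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.example.invalid' \
    'authorityInfoAccess=caIssuers;URI:http://pki.example.invalid/inter.der' > "$WORK/leaf.ext"

issue "Example Root CA" "$WORK/root.key" "$WORK/root.pem" "$WORK/root.ext"
issue "Example Intermediate CA" "$WORK/inter.key" "$WORK/inter.pem" "$WORK/inter.ext" \
    "$WORK/root.pem" "$WORK/root.key"
issue "www.example.invalid" "$WORK/privkey.pem" "$WORK/cert.pem" "$WORK/leaf.ext" \
    "$WORK/inter.pem" "$WORK/inter.key"
# certbot's fullchain.pem is just cert.pem followed by the intermediate(s).
cat "$WORK/cert.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"

# A client whose trust store holds only the root and that receives cert.pem
# alone cannot find the issuer of the leaf: verification fails.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/cert.pem" >/dev/null 2>&1
}
# The same client given fullchain.pem gets the intermediate as untrusted
# input, chains it up to the root, and accepts the leaf.
verify_fullchain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
        "$WORK/cert.pem" >/dev/null 2>&1
}
# Print the caIssuers URI from a certificate's AIA extension ($1 = PEM file).
aia_ca_issuers() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

if verify_leaf_only; then echo "cert.pem alone: trusted (unexpected)"
else echo "cert.pem alone: NOT trusted (issuer unknown to client)"; fi
if verify_fullchain; then echo "fullchain.pem: trusted"; fi
echo "leaf AIA caIssuers: $(aia_ca_issuers "$WORK/cert.pem")"
echo "intermediate AIA caIssuers: $(aia_ca_issuers "$WORK/inter.pem")"
```

Run it as a normal shell script; it needs only openssl. The first verify fails with "unable to get local issuer certificate", which is exactly the error mobile and other browsers without a cached intermediate report when a server is configured with cert.pem instead of fullchain.pem.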
June 5th 19 at 21:45
Often it is necessary to install the intermediate CA certificate as well; then the mobile device will not throw a warning.
June 5th 19 at 21:47
cert.pem and privkey.pem are the only files

They are not only not the only ones, they can even be named completely arbitrarily :) In addition to the key file and the certificate for that key, there is always a file with the root certificate of the issuer, or the issuer's certificate chain leading up to its root certificate. This root certificate is stored in a special store called the trusted root certificate store. The system automatically trusts any certificate if it is able to trace its issuer to a certificate located in the root certificate store. The question is where the browser takes its information about root certificates from :)
Donkey, Opera, Chrome, BU - use the Windows system store
FF has its own store
To resolve the issue of authorizing a certificate from LE (like any other), you need to know where it gets information about root certificates from and, if necessary, add them there
For example, I don't like upgrading the operating system; where do I take fresh root certificates from? What service updates them? - Abraham_Rat commented on June 5th 19 at 21:50
Windows updates them using its standard mechanism. FF - with browser updates. Linux, usually with package upgrades, e.g. ca-certificates - sadie_Hop commented on June 5th 19 at 21:53
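The answer above says the fix is to find out where the client takes its root certificates from and check what is in there. For OpenSSL-based clients on Linux (which use the bundle the ca-certificates package installs) that can be done from the shell. The following is an added example, not code from the thread: it locates the bundle OpenSSL is configured with, lists the subjects it contains, and checks for a root by name. "Example Root CA", the temporary directory and the candidate bundle paths are assumptions; "ISRG Root X1" is the subject of Let's Encrypt's own root, used here only as the name to look up.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PEM trust bundle and check
# whether a root CA is present. Paths and "Example Root CA" are placeholders.
set -eu

# Print one "subject=..." line per certificate in a PEM bundle ($1).
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# Return 0 if some certificate in bundle $1 has a subject containing $2.
bundle_has_root() {
    bundle_subjects "$1" | grep -q -- "$2"
}

# Where does this machine's OpenSSL look for roots? (Windows browsers use the
# OS store, Firefox ships its own; Linux usually gets these from ca-certificates.)
OPENSSLDIR=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
SYSTEM_BUNDLE=""
for f in "$OPENSSLDIR/cert.pem" "$OPENSSLDIR/certs/ca-certificates.crt" \
         /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
    if [ -r "$f" ]; then SYSTEM_BUNDLE=$f; break; fi
done

# Constructed demo bundle with one self-signed root so the check runs offline.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
cat "$WORK/root.pem" > "$WORK/bundle.pem"

if bundle_has_root "$WORK/bundle.pem" "Example Root CA"; then
    echo "demo bundle: Example Root CA present"
fi
if [ -n "$SYSTEM_BUNDLE" ]; then
    echo "system bundle: $SYSTEM_BUNDLE ($(bundle_subjects "$SYSTEM_BUNDLE" | wc -l | tr -d ' ') roots)"
    if bundle_has_root "$SYSTEM_BUNDLE" "ISRG Root X1"; then
        echo "Let's Encrypt root (ISRG Root X1) is trusted here"
    else
        echo "ISRG Root X1 not found in $SYSTEM_BUNDLE: update ca-certificates"
    fi
else
    echo "no readable system bundle found under $OPENSSLDIR"
fi
```

If the system bundle lacks the issuer's root, the remedy is the one the comment gives: update the package (or the OS/browser) that ships the store rather than copying a root in by hand.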