Let’s Encrypt intermediate certificate change

I checked one of the sites I use Let’s Encrypt free SSL certificates on SSL Labs’ SSL Test recently and found to my dismay that they only got a “B” grade while I was pretty sure I got an “A” grade before. Looking at the details it showed the intermediate certificate chain to be incomplete and the dreaded “extra download” warning.

When I set up Let’s Encrypt I used the simple acme-tiny tool and naturally also configured Apache to to use the generated certificate properly, including sending the intermediate certificate. Some searching suggested that it might be because the relevant directive was deprecated in Apache 2.4.8. But the affected sites (incl. this blog) run on a VPS with Ubuntu 14.04 which includes Apache 2.4.7, so that change was not relevant to me (it will be when you upgrade Apache to a later version, like when upgrading to Ubuntu 16.04!).

So after some experimenting I finally figured it out: when the Let’s Encrypt beta went live all the certificates were signed by the “Let’s Encrypt Authority X1”. However sometime in March they changed this and now all certificates are signed by “Let’s Encrypt Authority X3”. My server was sending the wrong intermediate certificate (X1 instead of X3). It’s one of those problems that once you find out what is wrong, is very easy to fix, just understanding what was wrong took some effort.

Links for Let’s Encrypt intermediate certificates can be found here. Acme-Tiny has updated their readme as well.