Let's Encrypt to fix HTTPS Certificate incompatibility with Windows XP and Google Chrome

About a month ago, when I successfully set up secure HTTPS pages for my blog, I opted to use a free certificate provided by the Let's Encrypt certificate authority. I first heard about the Let's Encrypt certificate authority from KeyCDN.

It was super easy and fast to create SSL certificates for my Linode-powered Nginx box. Unfortunately, just a few days later I noticed a deadly screen: "Your connection is not private".

Your connection is not private Google Chrome screen

I was using a Windows XP machine with Google Chrome. I panicked and stressed, then I opened my blog on my default laptop (Windows 8). Everything was fine there: the green bar was visible and there were no problems with the connection. I went back to the Windows XP machine and got the deadly screen again.

I googled "https windows xp" and soon ended up on the Let's Encrypt community forums. There were many folks just like me complaining about the same issue: Let's Encrypt certificates do not validate on Windows XP machines.

...there is some information suggesting that the Name Constraints on our cross-signed certificate from IdenTrust are the reason IE and Chrome on Windows XP don't support Let's Encrypt certificates...

Ok, I know Windows discontinued all support for XP back in 2014, and sooner or later Windows XP will be completely dead, but I decided to check my Google Analytics statistics to see how many of my blog visitors are actually accessing my site from XP. The number was about 4 percent. Since my site is getting about 50,000 unique visitors a month, four percent is a lot: ~2,000 users each month cannot access my site and, even worse, they see a deadly warning message saying that it is not safe at my place.

I started to look for a fix for this issue. There were a few workarounds. One was to disable HTTPS altogether, but I didn't want to disable HTTPS, so I went looking for more fixes. Another was not using 301 redirects (turning off the HTTP to HTTPS redirect), which I don't like either, because users might get to my blog through direct links, and if those are HTTPS, they will still see the deadly screen. Make some redirect just for Windows XP... again, too complicated.

There was another solution: stop using the Let's Encrypt certificate (after all, it's Let's Encrypt's problem, not mine) and buy an SSL certificate from a trusted vendor. But I had already started to love Let's Encrypt, and the idea of switching away just because of Windows XP didn't sound fair.

So I continued to stick around the community forums, checking whether there were any updates and when, or if, it would be fixed. For a long time there were no solutions or fixes. Today (on March 9) a miracle happened: reading the forum, I learnt that Let's Encrypt will fix this compatibility issue before March 22, 2016.

ETA: Before March 22, 2016

A bug in Windows XP causes parsing of our current cross-signature from IdenTrust to fail. We will be correcting this by getting new cross-signatures from IdenTrust which work on Windows XP.

If so - Let's Encrypt, you rock!