We recently discovered, while using an SSL checker, that the SSL certificate on a DEV website had the issuer ‘Fake LE Root X1’ – not Let's Encrypt, as had been set up 10 months earlier! Read here for how to prepare to install Let's Encrypt SSL certificates on an Azure-hosted WordPress site.
This was confirmed on the Azure Portal > App > Settings > SSL Settings > Private Certificate > Certificate Details:
The ESET Smart Security program on a client computer also gave a warning of an untrusted certificate:
In fact, checking the details of a couple of the expired SSL certificates still sitting in the portal showed that the same ‘Fake LE Root’ issuer was named on those certificates too! It had been missed because, at some point 9 or 10 months ago, ESET was told that this was acceptable, so no more browser warnings were given. Since the Let's Encrypt SSL certificates for our Azure web apps automatically renew every 3 months using Azure WebJobs, we missed the mistake entirely until using the GMetrix tool to test page load speed. Their SSL checker gave us the SSL warning at the top of this post!
Yikes – how did this happen?! Admittedly, this IS a DEV site, but without understanding how it could have happened, we needed to find out why – and how to prevent it from just ‘happening’ to a PROD site – as well as fixing it on the DEV site.
Some online reading revealed that when the Let's Encrypt SSL certificate was first set up, the ‘Staging’ option had been chosen for the DEV website, and those settings persisted. The staging option can be used effectively, but with caveats, as Let's Encrypt's own staging documentation notes:
Root Certificate
The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.
In our case, we went through the procedure of replacing the Let's Encrypt SSL certificate and the automatic renewal settings for that DEV site!
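A check that would have caught this months earlier, as an added example that is not the post's own code: it flags issuer names matching Let's Encrypt's documented staging CAs ("Fake LE ..." and the newer "(STAGING) ..." names, assumed here), reports a chain the local trust store rejects, and warns when a certificate is expired or close to it (a sign the renewal WebJob has stopped); the host name is a placeholder.

```python
"""Flag Let's Encrypt staging ("Fake LE") certificates on a TLS endpoint.
Added example, not code from the original post. The staging CA names are the
ones Let's Encrypt documents ("Fake LE Intermediate X1", "(STAGING) ...")."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Substrings that mark a Let's Encrypt staging CA in an issuer common name.
STAGING_MARKERS = ("fake le", "(staging)")


def issuer_common_name(cert):
    """Issuer CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify_cert(cert, now=None):
    """Findings for one getpeercert()-style dict; [] means nothing to report.
    'staging-issuer': issuer looks like a staging CA; 'expired'; 'expires-soon'
    (under 14 days left, e.g. the renewal WebJob has stopped running)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if any(m in issuer_common_name(cert).lower() for m in STAGING_MARKERS):
        findings.append("staging-issuer")
    if "notAfter" in cert:
        expiry = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        if expiry < now:
            findings.append("expired")
        elif expiry - now < timedelta(days=14):
            findings.append("expires-soon")
    return findings


def check_host(hostname, port=443, timeout=5.0):
    """Connect with normal trust-store validation and classify the leaf cert.
    A clean trust store rejects a staging chain ('untrusted-chain'); a machine
    that has been told to trust the fake root (as the antivirus in the post
    was) validates it, and the issuer-name check above still catches it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return classify_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ["untrusted-chain: " + exc.verify_message]
```

Run `check_host("dev.example.com")` (placeholder host) against each site on a schedule; any result other than `[]` deserves a look.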