Missing ISRG (Let's Encrypt Root) on some Windows 11 Installation #612

Chilledheart opened this issue Jan 17, 2024 · 6 comments
Chilledheart commented Jan 17, 2024

It is an OS-related issue, not naiveproxy's.

Most forwardproxy users are likely to use the Let's Encrypt root for free SSL certificates. However, in some of the latest Windows 11 installations, the CA (named ISRG) is missing. In my case, I created a new Windows 11 VM with Parallels Desktop on an M3 MacBook and found the ISRG CA missing from the ROOT certificate store.

I ran something like this in PowerShell:

PS C:\> gci Cert:\LocalMachine\Root


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanvill...
A43489159A520F0D93D032CCAF37E7FE20A8B419  CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 19...
92B46C76E13054E104F230517E6E504D43AB10B5  CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, ...
8F43288AD272F3103B6FB1428485EA3014C0BCFE  CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=R...
7F88CD7223F3C813818C994614A89C99FA3B5247  CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
3B1EFD3A66EA28B16697394703A72CA340A05BD5  CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=R...
31F9FC8BA3805986B721EA7295C65B3A44534274  CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporati...
245C97DF7514E7CF2DF8BE72AE957B9E04741E85  OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service ...
18F7C1FCC3090203FD5BAA2F861A754976C8DD25  OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stampin...
06F1AA330B927B753A40E68CDF22E34BCBEF3352  CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corp...
0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8  CN=Microsoft Time Stamp Root Certificate Authority 2014, O=Microsoft Corpo...
DF3C24F9BFD666761B268073FE06D1CC8D4F82A4  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4  CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
D4DE20D05E66FC53FE1A50882C78DB2852CAE474  CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
D1EB23A46D17D68FD92564C2F1F1601764D8E349  CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Man...
B1BC968BD4F49D622AA89A81F2150152A41D829C  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
7E04DE896A3E666D00E687D33FFAD93BE83D349E  CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
742C3192E607E424EB4549542BE1BBC53E6174E2  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc...
5EEED86FA37C675230642F55C84DDBF67CD33C80  CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2...
3679CA35668772304D30A5FB873B0FA77BB70D54  CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign,...
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

You can see that the ISRG CA is missing. For naiveproxy, this prevents a TLS connection from being established with the forwardproxy server. I also tried a Windows 11 23H2 ISO on a physical machine, and it produced the same SSL error.

By installing the cumulative update, the problem was resolved. Not sure how it might affect naiveproxy users. But that's an issue (maybe not so large).

Chilledheart commented

And the OS information:

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\> gwmi win32_operatingsystem | fl Caption, Version, BuildNumber


Caption     : Microsoft Windows 11 Pro
Version     : 10.0.22631
BuildNumber : 22631

Chilledheart commented

See more at the Let's Encrypt Chain of Trust page.

5l2 commented Feb 3, 2024

Strange. According to Microsoft's Trusted Root Program, ISRG Root X1, ISRG Root X2 and many other root certificates are on the list.

Perhaps the list you get from PowerShell stores which trusted root certificates have been used/found. If that's the case, then if you use HTTPS to access a web page with a certificate provided by Let's Encrypt, the ISRG root certificate will appear on the list.

5l2 commented Feb 3, 2024

> By installing the cumulative update, the problem was resolved. Not sure how it might affect naiveproxy users. But that's an issue (maybe not so large).

Oh, I did not see that.

Chilledheart commented

> > By installing the cumulative update, the problem was resolved. Not sure how it might affect naiveproxy users. But that's an issue (maybe not so large).
>
> Oh, I did not see that.

Yes. It only happens on some installations of Windows 11, but not all. And on some installations, the cumulative update will fix this issue. I recommend using gci Cert:\LocalMachine\Root (PowerShell) to check whether you have the same issue.
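
The store check recommended in the comment above, as an added example that is not part of the original thread or of naiveproxy: a PowerShell function that looks for self-signed ISRG Root X1/X2 certificates by subject and reports thumbprint and expiry per store. The function name `Get-IsrgRootStatus`, the list of stores, and matching by subject CN are assumptions of this sketch.

```powershell
# Added example (not from the thread). Reports whether the ISRG roots are
# present in the Windows trusted-root stores. Matching by subject CN is an
# assumption of this sketch; compare the reported thumbprints with the values
# published on the Let's Encrypt Chain of Trust page before trusting a hit.
function Get-IsrgRootStatus {
    [CmdletBinding()]
    param(
        [string[]]$CommonName = @('ISRG Root X1', 'ISRG Root X2'),
        [string[]]$StorePath  = @('Cert:\LocalMachine\Root',
                                  'Cert:\LocalMachine\AuthRoot',
                                  'Cert:\CurrentUser\Root')
    )
    $now = Get-Date
    foreach ($path in $StorePath) {
        # A store that cannot be read is treated as empty.
        $certs = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue)
        foreach ($cn in $CommonName) {
            # Match the exact CN component, not a substring of another name.
            $pattern = '(^|,\s*)CN={0}(,|$)' -f [regex]::Escape($cn)
            # Root certificates are self-signed: Subject equals Issuer.
            $hits = @($certs | Where-Object {
                $_.Subject -match $pattern -and $_.Subject -eq $_.Issuer
            })
            if ($hits.Count -eq 0) {
                [pscustomobject]@{
                    Store = $path; CommonName = $cn; Present = $false
                    Thumbprint = $null; NotAfter = $null; Expired = $null
                }
                continue
            }
            foreach ($c in $hits) {
                [pscustomobject]@{
                    Store = $path; CommonName = $cn; Present = $true
                    Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter
                    Expired = ($c.NotAfter -lt $now)
                }
            }
        }
    }
}

$status = @(Get-IsrgRootStatus)
$status | Format-Table -AutoSize
if (-not ($status | Where-Object { $_.Present -and -not $_.Expired })) {
    Write-Warning 'No unexpired ISRG root found in the checked stores.'
}
```
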

Chilledheart commented

And it (missing ISRG X1 Root) also happens on some old Android releases prior to 7.1.1, according to this post: https://www.webmasterworld.com/webmaster/5015781.htm
