Remind users to install ISRG Root X1 (if they need to). Inspired by https://browser-update.org.
See demo.
We can already issue certificates on ISRG Root X1 using the preferred chain option. This script tries to load https://valid.isrgrootx1.top
to see if the browser detects an error. If the request failed, the script tries to load https://isrgrootx1.netlify.app
to see if network is connected. If there is network connection but there is an error loading the first URL, there is a big chance that ISRG Root X1 is not recognized by the browser.
CDN:
<script src="https://cdn.jsdelivr.net/npm/letsisrg/dist/letsisrg.js"></script>
or, import:
import 'letsisrg' // require('letsisrg')
Options are stored in the window.$letsisrg
object. The main script executes 50ms after script load, so you can specify options after import
ing:
import 'letsisrg'
window.$letsisrg = { defaultLanguage: 'zh' }
options (all optional):
messageLink
: thehref
on the "Learn more" link, not sanitized.messageHtml
: the HTML of the reminder.serviceName
: The reminder will include thisstring
if this option is set, do not set if your site is not using a Let's Encrypt certificate.defaultLanguage
: The fallback language code, defaults toen
.render
: pass a custom reminder render function here if you need.noStyles
: when passedtrue
, the script will not insert the stylesheet to the document; you should include your own stylesheet or else the reminder would appear at the very bottom at your site with no styles.testUrl
: the URL to perform the main test, should be using a ISRG Root X1-signed certificate.testConnectivityUrl
: the URL to perform the network connectivity check.callback
: a function to be performed after the test. payload would be one of:{ skipped: true, reason: '...' }
if the test is not performed.{ error: '...' }
if an error occurred in the test.{ supported: true }
if ISRG Root X1 is supported.{ supported: false }
if ISRG Root X1 is not supported.
ignoreVersion
: skip browser version test.ignoreTested
: by default, when a test succeeded, we will not test again in a week. Passtrue
to this option to skip the check.ignoreTime
: by default, no reminder will be shown if DST Root CA X3 has already expired. Passtrue
to this option to skip the check. You may also want to enabletestOnIos
.testOnIos
: iOS could figure out the signing path to DST by itself, so checking in iOS before DST expiry is meaningless. Passtrue
to also test on iOS.testOnBots
: bots may have extremely old browsers, and showing the reminder on bot visits may cause the reminder to be shown on search engines. Passtrue
to also test on bots.forceTest
: ignore all pre-checks, forces to perform the test.
Additionally, the reminder is always shown if the URL on script load contains #test-letsisrg
.
If you use a CSP, this script will need an unsafe-inline
directive for style-src
. You can use your own styles and specify noStyles
if you do not want to include the directive.
- May have false positives when network is unstable.
- Currently there are no way to test on iOS.
- Windows and macOS support is untested.
MIT-style