Let’s Encrypt and iTunes podcasts
dominicrodger.comInteresting. IdenTrust, who cross-signs Let's Encrypt, has been in the root CA lists for a long time. (Mozilla merged this particular root certificate, DST Root X3, in 2008, as a replacement for existing expiring IdenTrust roots.)
The problem seems to be Java/Oracle's root store, where IdenTrust is not included. Let's Encrypt has stated that they have applied to Oracle's root program with their own root certificate, so hopefully this will eventually be solved in a future Java version.
Maybe a little HN attention will prompt them to take a look at this issue.
Hopefully. I'm willing to give Apple the benefit of the doubt here that this was unintended oversight. Practically speaking, iTunes should use exactly the same SSL infrastructure as Safari.
The problem is in iTunes's server side component, not the app running in OS X on user computers. But yeah, it should have kept up.