Firefox trusts the cert on TFA because letsencrypt.org itself is using a certificate signed by IdenTrust.
> Let's Encrypt hasn't yet been added as a trusted authority to the major browsers (that will be happening soon), so for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link.
But adding a new root? Little popup, check a box and OK-you-go!
* Windows gives you a helpful little wizard wherein you click "next" a few times.
* Firefox gives you a dialog with 3 checkboxes; check them and click okay.
* iOS sends you to settings, and asks you if you want to trust the given CA.
* OS X hands it to Keychain Access, where you have to select 'trust' from a dropdown and maybe enter a keychain password; it's a bit less intuitive.
* Chrome uses the OS trust store, so it hands it off to the OS while claiming it's a dangerous filetype.
It should read "specifics will depend on your browser. In Firefox, just click the link [to the .der file, and you will see a prompt allowing you to trust it.]" It looks like this: http://imgur.com/dzC89xI
Without importing the root, Firefox absolutely distrusts https://helloworld.letsencrypt.org/, and will do so until Bug 1204656 is marked RESOLVED FIXED. :)
> IdenTrust will cross-sign our intermediates. This will allow our end certificates to be accepted by all major browsers while we propagate our own root.
The cross-signature is expected to happen before the mainstream browsers finish processing our application to be a root CA. That will be the main initial mechanism by which browsers trust our certificates.
Mozilla's not a nepotist with regard to its root store. :-)
