ACME V2 Certificate ERR_SSL_PROTOCOL_ERROR


#1

Hey guys,
I am trying to implement a LetsEncrypt V2 client using C#.
I followed all the steps and stages and I got an SSL certificate for 1 (one) domain, e.g. test.ddns.net. The validation completes successfully using the http-01 type.
I install this certificate on IIS (pfx file), using the C# BouncyCastle library.
When I try to load the website in Chrome I get the error message: ERR_SSL_PROTOCOL_ERROR
When using Firefox I get: SEC_ERROR_BAD_SIGNATURE

Are the V2 certificates not working?
If I use my client on the V1 protocol everything works and the certificate created is valid.
What am I missing?


#2

Hi,

What’s the site? (Domain name?)

Thank you


#3

Hi @fotis

Seconding @stevenzhu’s request for the actual domain name(s) involved. There’s no difference between end entity certificates issued by the ACME v1 protocol or the ACME v2 protocol. Are you sure that you are handling the intermediate certificate chain correctly? In ACME v2 this is delivered along with the end entity certificate in the GET to an order’s certificate URL.


#4

Additional:

Is your certificate installed correctly? Do you use

RSACryptoServiceProvider.UseMachineKeyStore = True

Is your IIS-configuration (bindings) correct?


#5

The problem is that I have issued certificates V1 and V2 for the same domain.


#6

I installed the V1 certificate; it works OK.
I removed V1 and installed V2; I see the dates of the V1 certificate, and the above error message ERR_SSL_PROTOCOL_ERROR.
Why?


#7

There are some tricky problems saving a certificate to “Webhosting” and using this certificate.

Looks like you see a very global, unspecific error, not the specific one you need.

So check it manually. And we need your domain name.


#8

domain: https://haivisio.eu/

this V2 certificate has alternative name: haivisio.eu and www.haivisio.eu


#9

First check your certificate store “Webhosting” to see if the certificate is there. If yes, check your bindings to see if the certificate is used.

There are two certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:haivisio.eu&lu=cert_search

Both created 04.08.2018.


#10

Its store is “webhosting” indeed.
When I receive the certificate chain from the protocol, I break it on -----END CERTIFICATE-----, so I have 2 certs:
the entity and the issuer certificate in PEM format.
So, I am doing something wrong here. Is that why it has 2 certificates?


#11

If both certificates are correctly saved in “Webhosting”, then it should work to use them in the binding.

Perhaps remove the binding manually and add it manually, to see if there are errors.

Doing such things manually -> there are more checks.


#12

:wink:

Now your website https://haivisio.eu/ works.

So the code is buggy, perhaps creating a new binding doesn’t really work.


#13

I put the V1 certificate back to keep the website working;
I will do tests with DDNS on my PC.
My problem is that I don't know how to use the chain that I receive from the V2 protocol.
It is a little bit confusing.
So, unfortunately, I still have a problem creating the SSL certificate: a bug in the way that I create the certificate in the last step from the chain that I get.
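The chain handling discussed in #3, #10 and #13, as an added example that is not the original poster's client code and does not use BouncyCastle: it parses the PEM bundle returned by the ACME v2 certificate URL with the built-in .NET APIs (assumes .NET 5 or later), locates the end-entity certificate, walks its issuers, checks that the private key actually belongs to that leaf, and only then exports a PFX for IIS. The inputs `chainPem`, `keyPem` and `pfxPassword` are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the poster's code. Assumes .NET 5+.
// chainPem: the PEM body returned by the ACME v2 order's certificate URL
//           (end-entity certificate first, then one or more intermediates).
// keyPem:   the PEM-encoded RSA private key that signed the CSR for this order.
public static class AcmeChainToPfx
{
    public static byte[] BuildPfx(string chainPem, string keyPem, string pfxPassword)
    {
        // Let the framework parse the bundle instead of splitting on END CERTIFICATE by hand.
        var bundle = new X509Certificate2Collection();
        bundle.ImportFromPem(chainPem);
        var certs = bundle.Cast<X509Certificate2>().ToList();
        if (certs.Count == 0)
            throw new InvalidOperationException("PEM bundle contains no certificates");

        // The end-entity (leaf) certificate is the one that issued nothing else in the bundle.
        var leaf = certs.Single(c => !certs.Any(o => !ReferenceEquals(o, c) && o.Issuer == c.Subject));

        // Walk leaf -> issuer -> ... so the PFX carries every intermediate the browser
        // needs to build a path to a trusted root (a missing intermediate is a common
        // cause of "bad signature" style errors even though the leaf itself is fine).
        var ordered = new List<X509Certificate2> { leaf };
        for (var cur = leaf; cur.Subject != cur.Issuer;)
        {
            var issuer = certs.FirstOrDefault(o => !ReferenceEquals(o, cur) && o.Subject == cur.Issuer);
            if (issuer == null) break;   // chain ends at an intermediate whose root lives in the OS store
            ordered.Add(issuer);
            cur = issuer;
        }

        // Refuse to bind a key that does not belong to this leaf: IIS would otherwise serve a
        // certificate whose handshake signature cannot be verified by any client.
        using var rsa = RSA.Create();
        rsa.ImportFromPem(keyPem);
        using var leafPub = leaf.GetRSAPublicKey()
            ?? throw new InvalidOperationException("leaf certificate does not carry an RSA public key");
        if (!leafPub.ExportParameters(false).Modulus.SequenceEqual(rsa.ExportParameters(false).Modulus))
            throw new InvalidOperationException("private key does not match the leaf certificate");

        // Leaf with private key first, intermediates after it; this is the layout IIS expects in a PFX.
        var pfx = new X509Certificate2Collection { leaf.CopyWithPrivateKey(rsa) };
        pfx.AddRange(ordered.Skip(1).ToArray());
        return pfx.Export(X509ContentType.Pfx, pfxPassword)
               ?? throw new InvalidOperationException("PFX export failed");
    }
}
```

After importing the resulting PFX into the Web Hosting store, re-check the binding's thumbprint and the certificate's validity dates: if the old V1 dates still show, the binding is still pointing at the previous certificate rather than the new one.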


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.