Add Let's Encrypt In Trusted CA On the Server


#1

Hi Team

One of the APIs that my application is trying to connect is using Let’s Encrypt as SSL Certificates.
When my application running on IIS 8.0 tries to connect this API, I get below error.
The request was aborted: Could not create SSL/TLS secure channel

When I asked the API owner how to fix, they told that I need to add let’s encrypt as Trusted CA on my staging server.
Does it mean that I need to create a let’s encrypt certificate for my staging server, bind it to the application and then try connecting to the API? Or I just need to download the intermediate certificate from your certificate store and import this into repository.

I am new on this so concrete information will be hugely appreciated.

Please advise.


#2

PLease check your server “certificate store” and see if trusted CAs has LE inside…

(If not, please follow this guide:
http://www.cs.virginia.edu/~gsw2c/GridToolsDir/Documentation/ImportTrustedCertificates.htm
)

Thank you


#3

You shouldn’t need to trust LE’s intermediates directly. As long as you trust the DST Root CA X3 that cross-signs them, they should be trusted automatically. However the API server may need to include them in the certificate chain that it sends.

If the API is publicly available on port 443, you can test it here to see if it does that. If it doesn’t, it’s misconfigured and the API owner needs to fix it.

If it’s not publicly available you can use openssl to test it. Something like:

openssl s_client -connect api.example.com:443 -servername api.example.com -showcerts

You should see both the API server certificate and the intermediate in the output. If not, the API server is misconfigured.


#4

This isn’t a certificate error. This suggests the API server might be TLSv1.2-only and your client library can’t handle that.

Does the server have the KB3140425 patch installed? This has been available via Windows Update for some time, but it is Reccomended and not Critical and thus might have been skipped over.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.