Add Let's Encrypt In Trusted CA On the Server

Hi Team

One of the APIs that my application is trying to connect to is using Let’s Encrypt SSL certificates.
When my application, running on IIS 8.0, tries to connect to this API, I get the error below.
The request was aborted: Could not create SSL/TLS secure channel

When I asked the API owner how to fix this, they told me that I need to add Let’s Encrypt as a Trusted CA on my staging server.
Does it mean that I need to create a Let’s Encrypt certificate for my staging server, bind it to the application and then try connecting to the API? Or do I just need to download the intermediate certificate from your certificate store and import it into the repository?

I am new to this, so concrete information will be hugely appreciated.

Please advise.

Please check your server “certificate store” and see if the trusted CAs have LE inside…

(If not, please follow this guide:
http://www.cs.virginia.edu/~gsw2c/GridToolsDir/Documentation/ImportTrustedCertificates.htm
)

Thank you

You shouldn’t need to trust LE’s intermediates directly. As long as you trust the DST Root CA X3 that cross-signs them, they should be trusted automatically. However the API server may need to include them in the certificate chain that it sends.

If the API is publicly available on port 443, you can test it here to see if it does that. If it doesn’t, it’s misconfigured and the API owner needs to fix it.

If it’s not publicly available you can use openssl to test it. Something like:

openssl s_client -connect api.example.com:443 -servername api.example.com -showcerts

You should see both the API server certificate and the intermediate in the output. If not, the API server is misconfigured.

3 Likes
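As an added example (not from the thread), here is a small script that runs the openssl command above and parses the "Certificate chain" section of `-showcerts` output to tell whether the server actually sent the intermediate; the host and certificate names in the sample are constructed placeholders.

```python
"""Does the API server send its intermediate? Parses `openssl s_client -showcerts`."""
import re
import subprocess

_SUBJ = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:CN = ..." lines
_ISSUER = re.compile(r"^\s*i:(.*)$")         # "   i:O = ..." lines

# Constructed sample of s_client output (PEM bodies omitted; only s:/i: lines are read).
SAMPLE_COMPLETE = """Certificate chain
 0 s:CN = api.example.com
   i:O = Example CA, CN = Example Intermediate
 1 s:O = Example CA, CN = Example Intermediate
   i:O = Example CA, CN = Example Root
---
Server certificate
subject=CN = api.example.com
"""
SAMPLE_LEAF_ONLY = SAMPLE_COMPLETE.split(" 1 s:")[0] + "---\n"


def parse_showcerts(output):
    """Return (subject, issuer) pairs in the order the server sent them."""
    certs, subject = [], None
    for line in output.splitlines():
        m = _SUBJ.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def check_chain(certs):
    """'empty', 'leaf-only' (intermediate not served, the misconfiguration
    discussed above), 'broken' (served certs do not link subject->issuer),
    or 'complete' (each served cert is followed by its issuer)."""
    if not certs:
        return "empty"
    if len(certs) == 1:
        return "leaf-only"
    for (_, issuer), (next_subject, _) in zip(certs, certs[1:]):
        if issuer != next_subject:
            return "broken"
    return "complete"


def probe(host, port=443):
    """Run the thread's openssl command (assumes openssl is on PATH) and classify."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20)
    return check_chain(parse_showcerts(proc.stdout))
```

A "leaf-only" result means the client must already hold the intermediate in its own store, which is exactly the situation the API owner should fix on their side.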

This isn't a certificate error. This suggests the API server might be TLSv1.2-only and your client library can't handle that.

Does the server have the KB3140425 patch installed? This has been available via Windows Update for some time, but it is Recommended and not Critical and thus might have been skipped over.

1 Like
