Dear Support Team,
I am currently encountering an issue with setting up and configuring an SSL certificate on my Windows Server using IIS, while also utilizing a Draytek 3900 router for NAT and port forwarding. Below are the details of the problem:
Background Information
- Domain and Certificate Setup:
• The domain in question is izer.info, and it is correctly pointed to a static public IP address using an A record.
• I used Let’s Encrypt via WACS.exe to generate the SSL certificate, which appears to be successfully created and installed on the server. The certificate is stored in C:\inetpub\wwwroot\izer.info.pfx and shows valid dates in IIS (22.12.2024 - 22.03.2025).
- Router Configuration:
• I am using a Draytek 3900 router, and port 443 is properly forwarded to the internal server IP (192.168.100.252) using the “Port Redirection” settings.
• The router also runs a built-in VPN service, which previously caused conflicts with port 443. However, the VPN service has been stopped to avoid interference.
- Testing Results:
• Tools like YouGetSignal confirm that port 443 is open.
• However, accessing the site via https://izer.info results in a “Certificate Authority Invalid” error in browsers. Additionally, SSL Labs reports:
• “Alternate names not found in the certificate” – indicating that the certificate does not match the domain name.
• The certificate presented sometimes appears to be the router’s default SSL certificate (Vigor Router issued by Draytek) instead of the Let’s Encrypt certificate.
- SSL Certificate Details:
• The Let’s Encrypt certificate seems to lack a “Subject Alternative Name” (SAN) for izer.info, which may be causing mismatches during validation.
• Despite recreating the certificate multiple times with WACS.exe (including with --nocache), the problem persists.
Steps Taken So Far
- Verified DNS records and ensured the A record for izer.info points to the correct public IP.
- Cleaned up old certificates from the server and reinstalled the Let’s Encrypt certificate.
- Disabled the Draytek VPN service to free up port 443.
- Adjusted NAT rules on the router, ensuring that port 443 is directed to the correct internal IP.
- Imported intermediate certificates from Let’s Encrypt to Windows Server.
- Tested with tools like SSL Labs, which continue to show issues with alternate names and certificate matching.
Request for Assistance
- Draytek 3900 Configuration:
• Are there any specific settings on the Draytek 3900 router that could cause SSL certificates to be overridden by the router’s default certificate?
• How can I ensure that the Let’s Encrypt certificate is presented to external requests instead of the Draytek’s own certificate?
- SSL Configuration on Windows Server:
• Are there additional steps to properly bind the certificate to IIS to ensure that the correct certificate is used for HTTPS traffic?
• Is there a way to verify and resolve issues with SAN (Subject Alternative Name) in Let’s Encrypt certificates generated using WACS.exe?
Any guidance or suggestions to resolve this issue would be greatly appreciated. Thank you for your time and support.
Kind regards,
Kadri İzer.
My domain is: izer.info
I ran this command: win-acme (latest ver)
It produced this output:
My web server is (include version): IIS 10
The operating system my web server runs on is (include version): Windows 2019
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
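The following diagnostic script is an added example; it is not part of the original post, of win-acme, or of DrayTek's documentation. It checks the three things the post asks about from the IIS host itself: which certificates in the machine store carry the hostname in their Subject Alternative Name extension, which thumbprint HTTP.sys has bound to port 443, and which certificate a client actually receives when connecting to the LAN address versus the public name through the router. The hostname and internal IP are the ones given in the post; the function names and the run order are my own choices.

```powershell
# Added diagnostic script (not from the original post or from win-acme).
# Assumptions: run in an elevated PowerShell on the IIS host; the two values
# below come from the post, nothing else is assumed about the environment.

$HostName   = 'izer.info'          # public name the certificate must cover
$InternalIP = '192.168.100.252'    # IIS host on the LAN, as stated in the post

# Return the DNS names listed in a certificate's Subject Alternative Name extension.
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is the Subject Alternative Name extension
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Multiline Format() yields one "DNS Name=<name>" line per entry
    ($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}

# --- 1. Which certificates in LocalMachine\My actually cover the hostname? ---
# A Let's Encrypt certificate carries the requested names in the SAN extension,
# so a CoversHost=False row means the certificate was issued for a different name.
Write-Host "== Certificates in LocalMachine\My and whether they cover $HostName =="
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $names = Get-SanDnsNames -Cert $_
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        CoversHost = ($names -contains $HostName)
        SAN        = ($names -join ', ')
    }
} | Format-Table -AutoSize

# --- 2. Which thumbprint is bound to port 443 in HTTP.sys? ---
# IIS stores the binding in HTTP.sys; the Certificate Hash shown here must equal
# the Thumbprint of a CoversHost=True row above, otherwise the wrong cert is served.
Write-Host "== HTTP.sys SSL bindings =="
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Hostname:port', 'Certificate Hash'

# --- 3. What certificate does a client actually receive? ---
# Connecting to the LAN address shows what IIS serves; connecting to the public
# name shows what arrives through the DrayTek. If only the public side returns
# a "Vigor Router" issuer, the router is terminating TLS on 443 instead of
# forwarding it to IIS.
function Get-PresentedCertificate {
    param([string]$Target, [string]$Sni, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept any certificate: the purpose is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Sni)   # sends SNI so name-based bindings are exercised
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names  = Get-SanDnsNames -Cert $remote
        [pscustomobject]@{
            Target     = "$Target (SNI $Sni)"
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            Thumbprint = $remote.Thumbprint
            SAN        = ($names -join ', ')
            CoversHost = ($names -contains $HostName)
        }
    } finally { $tcp.Close() }
}

Write-Host "== Certificate presented on the wire =="
@(
    Get-PresentedCertificate -Target $InternalIP -Sni $HostName   # straight to IIS
    Get-PresentedCertificate -Target $HostName   -Sni $HostName   # via the router's WAN side
) | Format-List
```

Read the three sections together: if step 1 shows a certificate that covers the name, step 2 shows that same thumbprint on 0.0.0.0:443, and the LAN-side result in step 3 has CoversHost=True, then IIS is configured correctly and a "Vigor Router" issuer on the public-side result points at the router answering port 443 itself rather than redirecting it. Run the public-side check from a machine outside the LAN (for example a phone on mobile data) if it fails from inside, because many routers do not loop a connection to their own WAN address back to the forwarded host.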