pfg
March 31, 2016, 7:59pm
2
Your site is sending an outdated intermediate certificate. Let's Encrypt recently switched to a new intermediate certificate to fix issues for Windows XP users. The old intermediate certificate is called Let's Encrypt Authority X1, the new one is called Let's Encrypt Authority X3.
This has come up a couple of times for IIS and/or ACMESharp users. There's an open issue for ACMESharp here:
opened 08:13PM - 28 Mar 16 UTC
closed 11:48AM - 18 Jun 16 UTC
After installing the certificate on my server I get the following problem:
The server certificate is signed by Issuer "Let's Encrypt Authority X3". The certificate in the chain is unfortunately "Let's Encrypt Authority X1". Is this a LetsEncrypt or an ACMESharp issue?
The Powershell script for generating the certificate:
```powershell
# set parameters
$domain = "example.com"
$certificatePassword = "abcd1234"      # password protecting the exported PFX (placeholder value)
$email = "info@example.com"
$vault = "D:\Vault\{0}\{1}" -f $domain, [guid]::NewGuid()
$acmechallengedir = "C:\inetpub\wwwroot\.well-known\acme-challenge\"
# include ACMESharp
Set-ExecutionPolicy Unrestricted
Import-Module ACMESharp.psd1
# make dir vault
mkdir $vault
d:
cd $vault
# initialize ACMEVault against the Let's Encrypt v1 production endpoint
Initialize-ACMEVault -Force -BaseURI https://acme-v01.api.letsencrypt.org/directory
New-ACMERegistration -Contacts mailto:$email -AcceptTos
New-ACMEIdentifier -Dns $domain -Alias dns1
# request an http-01 challenge; the manual handler only hands back the token and file content
$completedChallenge = Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual
$challengeAnswer = ($completedChallenge.Challenges | Where-Object { $_.Type -eq "http-01" }).Challenge
# save token to file under /.well-known/acme-challenge/ so the CA can fetch it
$challengeFile = $acmechallengedir + $challengeAnswer.Token
$challengeContent = $challengeAnswer.FileContent
[System.IO.File]::WriteAllText($challengeFile, $challengeContent)
# submit challenge and poll until the CA has validated it
$challenge = Submit-ACMEChallenge -Ref dns1 -Challenge http-01
Write-Host $challenge
While ($challenge.Status -eq "pending") {
    Start-Sleep -m 500 # wait half a second before trying
    Write-Host "Status is still 'pending', waiting for it to change..."
    $challenge = Update-ACMEIdentifier -Ref dns1
    Write-Host $challenge
}
# get certificate: generate key and CSR, submit, poll until the CA has issued it
New-ACMECertificate -Identifier dns1 -Alias cert1 -Generate
$certificateInfo = Submit-ACMECertificate -Ref cert1
While ([string]::IsNullOrEmpty($certificateInfo.IssuerSerialNumber)) {
    Start-Sleep -m 500 # wait half a second before trying
    Write-Host "IssuerSerialNumber is not set yet, waiting for it to be populated..."
    $certificateInfo = Update-ACMECertificate -Ref cert1
}
# export leaf plus issuer as a PKCS#12 file
$CertFile = $vault + "\cert1-all.pfx"
Get-ACMECertificate -Ref cert1 -ExportPkcs12 $CertFile -CertificatePassword $certificatePassword
# install certificate into the machine store
certutil -p $certificatePassword -importpfx $CertFile
Write-Host "All done, there's a cert1-all.pfx file in $vault with password $certificatePassword"
Write-Host "Import of certificate is completed"
```
This post suggests deleting the old intermediate certificate fixes the issue:
You can verify the fix using SSL Labs (you'll want to get rid of "This server's certificate chain is incomplete. Grade capped to B.").
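The following is an added example, not code from the post above, from ACMESharp or from the linked issue. It shows how to check on the IIS host itself which intermediate Windows will actually send for the site's leaf certificate, and how to find any other Let's Encrypt intermediate left in the machine's intermediate CA store so it can be removed before re-testing with SSL Labs. The subject filter `CN=example.com` is an assumption; run it in an elevated PowerShell and replace it with your own site's subject.

```powershell
# Added example (not from the original post). Assumption: the site's leaf cert
# lives in LocalMachine\My and its subject starts with the filter below.
$LeafSubjectFilter = "CN=example.com"

# Pick the newest matching leaf certificate.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$LeafSubjectFilter*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $leaf) { throw "No leaf certificate matching '$LeafSubjectFilter' in LocalMachine\My" }

"Leaf:   $($leaf.Subject)  [$($leaf.Thumbprint)]"
"Issuer: $($leaf.Issuer)"

# Let Windows build the chain the same way Schannel does when it serves this cert.
# Revocation checking is disabled here because we only care about path selection.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)
"Chain builds without errors: $built"
foreach ($el in $chain.ChainElements) {
    "  -> $($el.Certificate.Subject)  [$($el.Certificate.Thumbprint)]"
}
if ($chain.ChainElements.Count -lt 2) {
    throw "Windows could not find an issuer for the leaf; the intermediate named in 'Issuer:' above is not installed and could not be fetched"
}

# The element right after the leaf is the intermediate that will be sent to clients.
$issuerUsed = $chain.ChainElements[1].Certificate
"Intermediate Windows will send: $($issuerUsed.Subject)"
if ($issuerUsed.Subject -ne $leaf.Issuer) {
    Write-Warning "Selected intermediate does not match the leaf's Issuer field"
}

# Any other Let's Encrypt intermediate in the intermediate CA store is a leftover
# from an earlier issuance (e.g. Authority X1 after the switch to X3).
$stale = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*Let's Encrypt Authority*" -and $_.Thumbprint -ne $issuerUsed.Thumbprint }

if ($stale) {
    "Stale Let's Encrypt intermediates in LocalMachine\CA:"
    $stale | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    # Dry run only; drop -WhatIf to actually delete them, then re-test with SSL Labs.
    $stale | Remove-Item -WhatIf
} else {
    "No stale Let's Encrypt intermediates found in LocalMachine\CA"
}
```

The chain is built with the same CryptoAPI engine Schannel uses, so the second element is the intermediate clients will receive; if it is X1 while the leaf's Issuer says X3, the store still contains the old certificate. The removal runs with `-WhatIf` so nothing is deleted until you have read the list, and SSL Labs remains the check that the fix is visible from outside.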