Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: https://ncwrp.seuk.it/
My web server is (include version): IIS10
The operating system my web server runs on is (include version): Windows Server 2016
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win Acme v2.1.19.1142
I have experienced some problems with the certificate chain since a server was cloned, and also problems with Android devices since the expiration of the root certificate DST Root CA X3.
Firstly, I'm a bit confused as to what chain the server is serving:
https://www.ssllabs.com/ssltest/analyze.html?d=ncwrp.seuk.it
Says that it is wtn.seuk.it -> R3 -> ISRG Root X1 Self-signed
Says that it is wtn.seuk.it -> R3 (expired) -> DST Root CA X3 (expired)
Secondly, I believe I want to serve the longer chain to be compatible with older Android devices. My personal phone is locked on Android 7 and showing certificate errors in the browser. Plus we have Android apps which connect to our server, which has experienced intermittent errors and app crashes since the root cert expired.
I'm not sure how to go about specifying which chain to serve in Win-Acme (apparently you can on the version I am using). I previously made this post, and I did configure it to serve the longer chain by installing that certificate (this was done prior to the expiry of the root); however, there was a server clone performed and the certificates had to be re-issued. Since then I have had trouble re-setting up this chain.
Any advice on what I am doing wrong and how to serve the correct chain would be appreciated.