Certificate warnings for installation on IIS

#1

Hello,

I have installed Let's Encrypt certificates on several IIS version 10 .NET nodes on which the solution DNNsoftware.com is running. The result of the certificates is not consistent: only one node (technically an IIS website) can be reached on different Windows 10 PCs as well as on an Android phone without prior certificate security warnings.

But there are nodes whose websites can be displayed successfully on one Windows PC with Chrome, while the same website displays a dialog with "Microsoft-Organization-Access" to confirm in Chrome on a different Windows PC. The Android phone also shows the warning dialog in 2 different browsers.

My goal is to display any website on any customer device without a prior dialog box, just like letsencrypt.org appears on my screen.

The certificates have been created via PowerShell locally on the production webserver with success, no errors. All traffic is redirected from http to https within IIS via a URL Rewrite rule. Is there any detail I might have forgotten, or which has to be verified in addition?

Many thanks for your help.

Patrick

#2

Hi @EncryptMan,

Could you give us an example of a site that doesn’t work, as well as the address of the site that does work?

#3

Many thanks Schoen for your reply,

With pleasure I give you two website links. Both of them are based on DNNsoftware.com, and as discussed, there is no Linux, only IIS 10 on top of Windows Server 2019:

This website works fine; it is a DNN site without any initial configuration:
Luzern.DNN365.com

And this website does not work, for example in Chrome on my Windows 10 PC: I am always initially prompted to confirm the Microsoft-Organization-Access certificate. Similar warnings appear in 2 browsers on my Android phone:
Tokio.DNN365.com

I look forward to your feedback.

Patrick

#4

Both sites appear to be presenting valid LE certs, including the intermediate cert chain. They get A ratings from ssllabs.com.

#5

I thank you, rmbolger, for your positive input. I just re-tested the sites on a brand-new installed virtual machine with Windows 10, where the sites work with Chrome. What is your explanation for the fact that not all Windows 10 PCs show the same result, and that Android browsers display a certificate warning even after clearing all browser data?

The only site where the warning does not appear on the smartphone is Luzern.DNN365.com.

Many thanks for your help.

Patrick

#6

Hi @EncryptMan

the site has a correct certificate ( https://check-your-website.server-daten.de/?q=luzern.dnn365.com ):

CN=luzern.dnn365.com
    21.03.2019 - 19.06.2019
    expires in 85 days    luzern.dnn365.com - 1 entry

The chain is correct

Chain (complete)
    1  CN=luzern.dnn365.com
    2  CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

So it may be only a caching problem.

Your www version has a DNS entry, but doesn't work. You should

  • remove the www entry (or)
  • create a certificate with both domain names and add a redirect www -> non-www.

The www isn't really required. But if a user types www.luzern.dnn365.com, there should be either (i) a DNS error or (ii) a working answer.

#7

Many thanks, Juergen, for your help.
According to my posts, luzern.dnn365.com is working, as the only site, in all browsers on all devices.

The other websites only work with the restrictions I have already posted.
Many thanks for checking the site. I made the same check with several websites, discovering that the checking service is your own solution, Juergen, great :slight_smile:
I checked for example cctg.ch, and under "Certificates" I get a few red points:

I don't know if a point like 'missing a script file within an image gallery folder' is critical for a correct certificate.
Generally the site cctg.ch does not work in all browsers without certificate warnings.
If it is a caching problem, why do other websites not show the issue in the same browser?
I thank you for your input.

Patrick

#8

Sorry, I permuted the domains. But your other domain (checked yesterday; now you have rechecked that domain) shows the same picture:

The certificate is ok:

CN=tokio.dnn365.com
    05.02.2019 - 06.05.2019
    expires in 41 days    cctg.ch, tokio.dnn365.com, www.cctg.ch - 3 entries

and the chain is correct:

Chain (complete)
    1  CN=tokio.dnn365.com
    2  CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

No mixed content, nothing else.

Do you have a screenshot?

My Chrome is happy:

#9

It's the Html-Content part.

The link

https://cctg.ch/Portals/1-System/Skins/CCTG1/js/jquery.blueimp-gallery.min.js?cdv=146

doesn’t work - http status 404.

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

I add checks if I think they are helpful, not just when browsers show a warning.

If a page loads a script, that's something that should work. So an HTTP status 200 is expected, not a 404 - not found.

Same with canonical and http, if the site is https. Or og:image links to http, form action URLs with an HTTP status 500, etc.

#10

I am very lucky that you treat my issue seriously. If you allow me to come back later, Juergen, I have to leave. I am in the same time zone as you, in Switzerland.
I will answer you as soon as possible.

Best regards
Patrick

#11

Many thanks, Juergen, for your input. Your last posted point concerning the link that doesn't work, ending with a js file, is important (many thanks); I prefer to resolve the certificate issue first.

I agree with you that, due to your correct data analysis within the service check-your-website.server-daten.de, it might be a client-side caching problem.

We cannot influence customer-side browsers and their possible caching problems. Personally, I have never seen such caching problems using SSL certificates. I ask myself how to be sure of 100% correct website https access on any customer device with no issue.

I send you my screenshot with the dialog you asked me for. This dialog appears when I want to access https://tokio.dnn365.com:

Screenshot_1

I look forward to your input.

Patrick

#12

Looks like a client-side certificate, not server side.

Your server may send a request, so your browser shows your private / machine-specific certificate.

#13

PS: IIS has an option under

SSL Settings

There it's possible to set client certificates to:

  • ignore
  • accept
  • required

Perhaps if "accept" is selected, the browser shows that popup.

#14

Yep, checked with my local test IIS.

If my Firefox has a local certificate and if I use "accept", then a popup is shown.

#15

Many thanks for your input, Juergen. The Tokio website within my IIS server is switched to "Accept" in SSL Settings. It is interesting that I never had any issue in Firefox with default settings. The above screenshot was taken in Chrome.

If my server sends a request for this client-side certificate, I may have to re-configure some IIS settings. Have you got an idea which settings I might need to change?

#16

Juergen, I discovered that I need to switch SSL Settings to "Ignore" to correctly accept the certificate. Many thanks for your help.
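The IIS setting identified in #13, #14 and #16, shown as an added PowerShell example that is not part of the thread. "Client certificates: Accept" makes IIS send a TLS CertificateRequest on every handshake; a browser that holds a usable client certificate (the MS-Organization-Access certificate on an Azure AD joined or registered Windows device is one such case) then prompts the user to pick one, while a freshly installed PC with no client certificate connects silently, which matches the inconsistent results Patrick saw. The script reads the `sslFlags` attribute behind that dialog, reports the mode per site, and switches a site back to "Ignore" while keeping "Require SSL" intact. It assumes IIS 10 with the WebAdministration module in an elevated session; the site name `Tokio` is an assumption, take yours from `Get-Website`.

```powershell
# Added example, not code from the thread. Assumes IIS 10, the WebAdministration
# module and an elevated PowerShell; the site name 'Tokio' is an assumption.
Import-Module WebAdministration

$Filter = 'system.webServer/security/access'
$Root   = 'MACHINE/WEBROOT/APPHOST'

function Get-SslFlags {
    param([Parameter(Mandatory)][string]$SiteName)
    # sslFlags is a flags attribute: None, Ssl (Require SSL), Ssl128,
    # SslNegotiateCert (Client certificates = Accept) and
    # SslRequireCert (Client certificates = Require).
    $attr = Get-WebConfigurationProperty -PSPath $Root -Location $SiteName `
                -Filter $Filter -Name 'sslFlags'
    # The cmdlet returns either a plain string or a ConfigurationAttribute
    # object depending on the module version; normalise to a string.
    if ($attr -is [string]) { return $attr } else { return [string]$attr.Value }
}

function Get-ClientCertMode {
    param([Parameter(Mandatory)][string]$SiteName)
    # Map the raw flags to the three radio buttons in the IIS "SSL Settings" dialog.
    $flags = Get-SslFlags -SiteName $SiteName
    if ($flags -match 'SslRequireCert')   { return 'Require' }
    if ($flags -match 'SslNegotiateCert') { return 'Accept'  }
    return 'Ignore'
}

function Set-ClientCertIgnore {
    param([Parameter(Mandatory)][string]$SiteName)
    # Drop only the client-certificate flags; keep Ssl / Ssl128 if they were
    # set so "Require SSL" (and the http -> https redirect) still holds.
    $flags = Get-SslFlags -SiteName $SiteName
    $keep = @()
    foreach ($f in ($flags -split ',\s*')) {
        if ($f -in @('Ssl', 'Ssl128')) { $keep += $f }
    }
    $new = if ($keep.Count -gt 0) { $keep -join ', ' } else { 'None' }
    Set-WebConfigurationProperty -PSPath $Root -Location $SiteName `
        -Filter $Filter -Name 'sslFlags' -Value $new
    return $new
}

# Usage: check one site and fix it if it negotiates client certificates.
$site = 'Tokio'   # assumed site name
"Client certificates for '$site': $(Get-ClientCertMode -SiteName $site)"
if ((Get-ClientCertMode -SiteName $site) -ne 'Ignore') {
    $applied = Set-ClientCertIgnore -SiteName $site
    "sslFlags for '$site' is now '$applied' (Client certificates: Ignore)."
}

# The thread shows the setting differs per site, so list every site on the
# server that still asks browsers for a client certificate.
Get-Website | ForEach-Object {
    [pscustomobject]@{ Site = $_.Name; ClientCerts = Get-ClientCertMode -SiteName $_.Name }
} | Where-Object ClientCerts -ne 'Ignore'
```

Only set "Ignore" on sites that do not rely on client-certificate authentication; for a site that does need it, "Require" plus an explicit trusted-issuer list is the right setting, and the prompt is then expected. The rewritten value is written to applicationHost.config under the site's `<location>` element, the same place the SSL Settings dialog writes to, so the change shows up in IIS Manager immediately.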