I have set up certificates for use with my IIS10 website using letsencrypt-win-simple. Worked like a charm.
The site comes up in Edge OK, but not in Chrome and Firefox. I get ERR_CONNECTION_RESET. Must have something to do with the site’s setup, but cannot find out what the problem is.
Could somebody please get me going?


It looks as if you have a very limited set of ciphers (just 2: ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES128-SHA256) which not all browsers / systems support, and if they don’t support it, you will get that error.


Thanks for helping!
I indeed had only a few ciphers set. When I expand this to best practices in IISCrypto it’s OK in Firefox but in Chrome I get “Unsafe”.
Maybe some are blacklisted?
These are my cipher sets right now:

#4 is a good site for showing which ciphers etc. are appropriate for your site (depending on what you want to achieve). You can also test at


The Mozilla generator is the best, used it for generating ciphers for webs, mail and works like a charm.


The cause seems to be Mixed content. Some links to fonts in my website are not secure. I use and it seems to have insecure links I cannot control. So no problem with letsencrypt!
Thanks everyone.


Use a CSP (Content Security Policy) to specify which external resources are allowed to be loaded. If you use WordPress you can use this plugin for CSP

You can see what one of my CSPs looks like at

And then use this site to test and further strengthen your security headers

Don’t get a fright when you see a big red F; it is easy to fix and add all the required headers, and WordPress plugins are available for achieving all of this to get you an A score. But stay away from HPKP altogether, as it is not supported by LE and can brick your domain for good, so don’t chase getting an A+. If it interests you, I send the X headers using Nginx instead of a WordPress plugin, and then use the CSP plugin above to first run in logging mode, then create the rules needed, and then enforce the policy.

For Nginx (in a server {} block)

    # Add X Headers
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

You can then also double check your policy in Chrome by View > Developer > Developer Tools > Security then reloading your page(s) and see if it shows you any Non-Secure Origins. Here’s a write up I did on it
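
The mixed-content cause found in this thread can also be checked from the page source before opening a browser. The following is an added example, not code from any poster here: a Python scanner that lists subresources referenced over plain `http://`. The function names, the `rel` values treated as fetching, and the sample page with its `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (<a href> is navigation, not a fetch).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
FETCHING_RELS = {"stylesheet", "preload", "icon"}  # <link rel> values that load something
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?(http://[^'")\s]+)""", re.I)


class MixedContentFinder(HTMLParser):
    """Collect (where, url) pairs for subresources referenced over plain http://."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"  # no start tags are reported inside <style>
        name = FETCH_ATTRS.get(tag)
        if tag == "link" and FETCHING_RELS & set((attrs.get("rel") or "").lower().split()):
            name = "href"
        url = (attrs.get(name) or "").strip() if name else ""
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS text: fonts and images loaded via url() or @import
            self.findings.extend(("style", u) for u in CSS_URL.findall(data))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; hosts are placeholders.
SAMPLE = """<link rel="canonical" href="http://site.example/">
<link rel="stylesheet" href="http://fonts.example/css?family=Demo">
<style>@font-face { src: url("http://fonts.example/demo.woff2"); }</style>
<a href="http://site.example/about">About</a> <script src="https://cdn.example/app.js"></script>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE))
```

It only sees references present in the HTML it is given; resources pulled in by external stylesheets or scripts still need the browser's Security panel or CSP reports to surface.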

