Generating Certificates on Windows and Exporting to pfSense - Missing Intermediates

Please fill out the fields below so we can help you better.

My domain is: kundencenter.dynamic1001.eu

I ran this command: letsencrypt software for windows server

It produced this output:

My operating system is (include version): Windows Server 2012 R2 Standard

My web server is (include version): IIS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I renewed SSL for kundencenter.dynamic1001.eu from Windows Server 2012 R2 Standard and bound it in IIS 7. After that I exported the certificate to pfsense HAProxy and removed it from IIS. While exporting I got the Certificate Key and Private Key, which I imported into pfsense.

Everything was working fine, but ssllabs shows "Chain issues: Incomplete".
So what can the issue be?

hi @keval.shah

The issue is that you didn’t import the intermediate.

How you obtained the certificate and key and created the PFX changes what you need to do.

So please share:

  • The client you are using to obtain the certificates
  • The commands you ran with that client
  • The command you ran to export the certificate (I am assuming it’s installed in IIS7)
  • The commands you ran (if you did) to create a PFX file

There are too many options to help you otherwise, as the fix is related to how you obtained the certificate.

Once I know the above I can point you in the right direction.

Andrei

You know that pfSense has its own ACME package, right? That package can be used to obtain certs directly on the pfSense box, rather than needing to obtain them somewhere else and load them onto the box. I’m pretty sure it automatically installs the intermediate cert as well, which is what’s causing your present issue.

Client - ACME Client for Windows - letsencrypt-win-simple
Commands - I just unpack the setup and run letsencrypt.exe, and follow the messages in the input prompt, in which I select the site for which I want to renew SSL.
After that the SSL certificate is generated in IIS, so then I export it from Server Certificates in IIS to a .pfx file.
After that I convert the .pfx file to a .pem file for importing into pfsense.
For that process I use the OpenSSL software and run the following command in cmd - openssl pkcs12 -in -out …\certificate.pem -nodes
Now I open the .pem file in Notepad++ and copy the certificate data key and private key into pfsense.

Hi Keval

You should be able to obtain the intermediate certificate from here:

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

You can paste that certificate into the area that says intermediate.

@danb35 is right - you are doing this a fairly manual way.

Andrei


Hi Andrei
Thanks for your quick and great suggestion.

I clearly understood what @danb35 said, but here we don't use the ACME package in pfsense because our infra is a little complicated, so auto-renewal is not possible; that's why we need to renew manually.

Now where should I paste the intermediate certificate key, because the website is configured in IIS and SSL is in pfsense?

Keval

hi @keval

Can you take a screenshot of the pfSense SSL configuration page? I don't have pfsense so I can't help out beyond pointing you to a manual.

Andrei

Hi Andrei

Yaa sure

Keval

You’d import the intermediate certificate on the CAs tab.

Hi @danb35

I haven't imported the intermediate certificate on the CAs tab.
I visited that tab and it shows the following form

There is no column for certificate data. So is it like I just fill in the details and save, and the intermediate certificate is generated??

Keval

No, you don’t want to generate an intermediate CA, you want to import one. What other options are there on the Method drop-down?

Hi @danb35

So here I need to paste the intermediate CA key, and what about the certificate serial?

You’d paste the cert as certificate data (you don’t have the key), leave the serial blank.

Hi @danb35

As @ahaw021 said about the key:
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

Is it this one??

No, not the key. That isn't a key. You don't have the key. That is the certificate, and yes, that should be the one to use.

It may be possible to paste both the end-entity and the intermediate certificate (one after another) in the “Certificate data” field. I give this about an 80% chance of working properly. :slight_smile:

I don’t think that will work properly in pfSense, actually–even if it works for the pfSense web GUI, if you’re using the cert for other purposes (like for a VPN connection), pfSense is going to need to keep track of the intermediate cert separately.

Hi @keval.shah

PFSense should do a better job of segregating self-signing CAs (which will need a certificate and a key) and public CAs such as Let's Encrypt.

This article http://www.itnotes.eu/?p=3218 shows how to import a StartSSL CA intermediate.

Note: you will use the X3 Intermediate link above instead of the StartSSL CA.

Andrei


Hi @ahaw021 @danb35

Thanks a lot… Now let me test this and check if it goes well :sweat:

Keval

Hello All

I got success and also got an A+ ranking in ssllabs.
But I used a different method: I didn't paste the CA certificate in the pfsense CA tab.
What I did was paste the X3 global key (https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) below the certificate data key (which I got from the IIS export), pasted both keys in the data tab, and pasted the private key in its tab.

So finally it's done, thanks @ahaw021 @danb35 @schoen

Keval
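As an added example (not code from the thread, pfSense or letsencrypt-win-simple), the script below automates the manual step Keval ended up doing: it takes the `openssl pkcs12 -nodes` dump, drops the Bag Attributes lines, separates the private key, appends the downloaded X3 intermediate after the end-entity certificate, and reports whether the "Certificate data" field would still be a lone leaf, which is the SSL Labs "Chain issues: Incomplete" symptom. The PEM bodies are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block of any label; the "Bag Attributes", subject= and issuer= lines
# that `openssl pkcs12 -nodes` prints between blocks fall outside the match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def split_pem(text):
    """Return [(label, normalised_block)] for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        base64.b64decode(body, validate=True)  # reject a truncated or mangled paste
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append((label, f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----"))
    return blocks

def pfsense_fields(pkcs12_pem, intermediate_pem=""):
    """Build the two pfSense fields: Certificate data (leaf, then chain) and Private key."""
    blocks = split_pem(pkcs12_pem)
    certs = [b for lbl, b in blocks if lbl == "CERTIFICATE"]
    keys = [b for lbl, b in blocks if lbl.endswith("PRIVATE KEY")]
    if not certs or len(keys) != 1:
        raise ValueError("expected at least one certificate and exactly one private key")
    # The PFX may already carry the intermediate; append the downloaded one only if absent.
    for lbl, extra in split_pem(intermediate_pem):
        if lbl == "CERTIFICATE" and extra not in certs:
            certs.append(extra)
    return {
        "certificate_data": "\n".join(certs),  # leaf first, intermediate(s) after it
        "private_key": keys[0],                # never goes into the certificate field
        "chain_complete": len(certs) >= 2,     # a lone leaf is what SSL Labs flags
    }

def _fake(label, payload):
    """Constructed PEM block with a placeholder body; NOT a real certificate or key."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed stand-in for `openssl pkcs12 -in site.pfx -nodes` output.
PKCS12_DUMP = (
    "Bag Attributes\n    localKeyID: 01 00 00 00\n"
    "subject=/CN=kundencenter.dynamic1001.eu\nissuer=/CN=Let's Encrypt Authority X3\n"
    + _fake("CERTIFICATE", b"placeholder: leaf certificate")
    + "Bag Attributes\n    localKeyID: 01 00 00 00\nKey Attributes: <No Attributes>\n"
    + _fake("PRIVATE KEY", b"placeholder: private key")
)
# Constructed stand-in for the X3 intermediate file linked in the thread.
INTERMEDIATE = _fake("CERTIFICATE", b"placeholder: intermediate certificate")
```

Paste `certificate_data` into the Certificate data box and `private_key` into the Private key box; if `chain_complete` is False, the intermediate is still missing and SSL Labs will keep reporting an incomplete chain.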