I’ve been tasked with setting up a test Exchange environment for my company and thought that Let’s Encrypt would be a great fit. I was able to use the wonderful ACMESharp .NET/PowerShell Module to get my SAN cert generated. Once I had the cert, I installed it on my test Exchange server, and all seems to be going well. I tested that OWA works with Firefox, Chrome and IE. However, when I pointed my iPhone running iOS 9.3.1 at it, I got the dreaded “Cannot Verify Server Identity” message. SSL Labs and other online SSL/TLS testing tools say my cert is installed properly. I did notice that although I have the Let’s Encrypt Authority X3 Intermediate installed properly, the signing Root CA, DST Root CA X3, is not presented by the server. Does that indicate that there is something wrong with my installation? If so, what can I do to resolve this? Obviously, this system is running IIS, and is running on Server 2008 (non-R2 - long story on that…).
FWIW - I see that SSL Labs reports:
Apple ATS 9 / iOS 9 R
Protocol or cipher suite mismatch
RSA 2048 (SHA256) | TLS 1.0 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDH secp256r1
However, I get the same results on our production server, only that iOS doesn’t complain there… Production currently is protected by a commercially purchased SAN/UCC certificate.
Thanks in advance for any insight.