Issue with Let's Encrypt and RDS Shortcuts

Hey all.

Is anyone else experiencing issues with Let's Encrypt certificates and RDWeb/RDP Shortcuts?

Since last night, a number of our customers using Let's Encrypt/Certify The Web Frontend have reported that their RDP shortcuts stopped working due to the following error:

The digital signature of this RDP File cannot be verified. The remote connection cannot be started.

Looks like we can either republish the RD Shortcut to RDWeb, or edit the shortcut and remove the digital signature, but unsure why this has happened.

Also see it's a common topic on Reddit:

Would be nice if anyone has a permanent fix for this.

Thanks!

1 Like

I don't have any ideas but other volunteers might. I just wanted to suggest trying Certify The Web support or community, as they have good experience with Windows-specific products.

4 Likes

I have absolutely NO clue what RDWeb/RDP entails exactly (I know the abbreviation..) and I have no experience with Windows and Certify The Web, but could you perhaps explain more about the relationship between the Let's Encrypt end leaf certificate and the digital signature of the RD Shortcut? Because Let's Encrypt certificates cannot be used to sign other stuff. As far as I know, the only possible use is TLS Web Server Authentication and TLS Web Client Authentication as per the X509v3 Extended Key Usage extension. Although some sources claim the Digital Signature value in the X509v3 Key Usage should be enough? But I've never heard of LE certs being used for anything else than webserver/-client authentication.

From RFC 5280:

If a certificate contains both a key usage extension and an extended
key usage extension, then both extensions MUST be processed
independently and the certificate MUST only be used for a purpose
consistent with both extensions. If there is no purpose consistent
with both extensions, then the certificate MUST NOT be used for any
purpose.

So I guess signing RDP files isn't consistent with both extensions, as it's not mentioned in the Extended Key Usage extension.

5 Likes
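The post above raises the question of which certificate actually signed the .rdp shortcut and whether that certificate's Key Usage and Extended Key Usage are consistent with a given purpose under the RFC 5280 rule quoted. The script below is an added example (not from the thread, not from Certify The Web or Microsoft) that extracts the PKCS#7 signature embedded in a signed .rdp file, names the signing certificate, applies the RFC 5280 consistency rule to it, and compares its thumbprint with the certificate the RD Connection Broker currently uses for publishing. Assumptions: the file path is a placeholder; the `signature:s:` value is assumed to be base64 of a short header followed by a DER-encoded PKCS#7 SignedData blob, so the code scans for the SEQUENCE start rather than trusting a fixed offset; the `Get-RDCertificate` comparison is optional and only works on a machine with the RemoteDesktop module; the purpose table below is a simplified mapping (for example, RSA key exchange would also require keyEncipherment for TLS server authentication).

```powershell
# Added example: inspect the signer of a signed .rdp shortcut and check its
# Key Usage / Extended Key Usage against a purpose, per RFC 5280 4.2.1.12.
param(
    [string]$RdpPath = 'C:\Temp\published-app.rdp'   # placeholder path (assumed)
)
Add-Type -AssemblyName System.Security

$lines   = Get-Content -Path $RdpPath
$sigLine = $lines | Where-Object { $_ -like 'signature:s:*' } | Select-Object -First 1
$scope   = $lines | Where-Object { $_ -like 'signscope:s:*' } | Select-Object -First 1
if (-not $sigLine) { throw "No signature:s: line in $RdpPath (shortcut is unsigned)" }
Write-Host "Signed attributes (signscope): $($scope -replace '^signscope:s:', '')"

# Decode the base64 blob and locate the DER SEQUENCE that starts the PKCS#7
# message (0x30 0x82 for a message longer than 255 bytes). The bytes before it
# are assumed to be a small header; their exact layout is not relied on here.
$blob  = [Convert]::FromBase64String($sigLine.Substring('signature:s:'.Length))
$start = -1
for ($i = 0; $i -lt $blob.Length - 1; $i++) {
    if ($blob[$i] -eq 0x30 -and $blob[$i + 1] -eq 0x82) { $start = $i; break }
}
if ($start -lt 0) { throw 'No PKCS#7 SEQUENCE found in signature blob' }
[byte[]]$der = $blob[$start..($blob.Length - 1)]

# Parse the signature container only (mstsc does the content verification);
# we want the signer certificate, not a second verdict on the hash.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($der)
$signer = $cms.SignerInfos[0].Certificate
if (-not $signer) { $signer = $cms.Certificates[0] }
if (-not $signer) { throw 'Signature carries no certificate to inspect' }

"Signer  : {0}" -f $signer.Subject
"Issuer  : {0}" -f $signer.Issuer
"Expires : {0}" -f $signer.NotAfter
"Thumb   : {0}" -f $signer.Thumbprint

function Get-ConsistentPurposes {
    # Returns the purposes a certificate may be used for, following the RFC 5280
    # rule: when both KU and EKU are present, a purpose must be consistent with both.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ku  = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # Simplified purpose table (assumed for this example): required KU flag + EKU OID.
    $purposes = [ordered]@{
        'TLS server authentication' = @{ KU = 'DigitalSignature'; EKU = '1.3.6.1.5.5.7.3.1' }
        'TLS client authentication' = @{ KU = 'DigitalSignature'; EKU = '1.3.6.1.5.5.7.3.2' }
        'Code signing'              = @{ KU = 'DigitalSignature'; EKU = '1.3.6.1.5.5.7.3.3' }
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $ok = @()
    foreach ($name in $purposes.Keys) {
        $p = $purposes[$name]
        $kuOk  = (-not $ku) -or (($ku.KeyUsages -band
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::$($p.KU)) -ne 0)
        # anyExtendedKeyUsage (2.5.29.37.0) satisfies every purpose.
        $ekuOk = (-not $eku) -or ($ekuOids -contains $p.EKU) -or ($ekuOids -contains '2.5.29.37.0')
        if ($kuOk -and $ekuOk) { $ok += $name }
    }
    if ($ku -and $eku -and $ok.Count -eq 0) {
        Write-Warning 'No purpose is consistent with both KU and EKU: RFC 5280 says MUST NOT be used.'
    }
    return $ok
}

"Purposes consistent with KU and EKU: $((Get-ConsistentPurposes -Cert $signer) -join ', ')"

# Optional: on the Connection Broker, compare with the current publishing certificate.
# A different thumbprint means the shortcut was signed by a certificate other than the
# one now published; republishing re-signs it with the current one.
try {
    $pub = Get-RDCertificate -Role RDPublishing -ErrorAction Stop
    if ($pub.Thumbprint -ne $signer.Thumbprint) {
        Write-Warning "Shortcut signed by $($signer.Thumbprint); broker publishes $($pub.Thumbprint)."
    } else {
        'Shortcut is signed by the current RD Publishing certificate.'
    }
} catch {
    Write-Host 'RemoteDesktop module not available here; skipping broker comparison.'
}
```

Run it on a client copy of the failing .rdp file first; the thumbprint and expiry of the signer tell you at once whether the shortcut carries a renewed or replaced certificate. To re-sign a single file by hand instead of republishing through RDWeb, `rdpsign.exe /sha256 <thumbprint> file.rdp` signs it with the certificate of that thumbprint from the local machine store.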

Sounds like a weird Windows Update quirk that requires redoing the shortcut and reinstalling the cert and then RDP works.

3 Likes

The OP in that reddit post noted they have Sectigo certificates. The comments all had LetsEncrypt certs.

This reads like there is some general issue with Windows that is not specific to LetsEncrypt.

Edit: Additional comments on that thread involve more Sectigo certificates. While it's possible the issue is limited to only those two providers, it is very likely that distribution is due to sampling bias. Considering people have solved this by downloading or regenerating files on the client, I am more convinced this is a Windows issue.

7 Likes

Hi @Octavaria I develop Certify The Web and I'm keen to investigate this a bit more. I don't manage an RDP gateway etc myself so I'm a bit fuzzy on what you mean by "Digital Signature on RDP File" (which implies to me the file is digitally signed, which is different from TLS issues) but I'll continue the discussion on Reddit. You can also send more info through to support {at} certifytheweb.com if you want to.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.