Let's Encrypt SSL is not verified by some browsers


#1

Please fill out the fields below so we can help you better.

My domain is: customercenter2.dynamic1001.eu

I ran this command: Purchased using Letsencrypt software in Windows Server 2012 R2

It produced this output: Congratulations, Your SSL is renewed

My operating system is (include version): Windows Server 2012 R2

My web server is (include version): IIS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi @keval.shah

If you review the SSL Labs results you will see you are not serving up an intermediate: https://www.ssllabs.com/ssltest/analyze.html?d=customercenter2.dynamic1001.eu&hideResults=on

Some browsers have the Let's Encrypt intermediate, but it is best practice to install it and serve it up.

This can be downloaded from here: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

Rename the certificate to .cer or .crt and double-click to install it.

You can confirm that it is being served up.

This is an extra step needed with Windows, as by default Windows Server 2012 R2 includes few intermediates.

Andrei


#3

You also have SNI:

This site works only in browsers with SNI support.

Which is a good thing, but does require the browser to support it.

Andrei


#4

It isn’t necessarily a “good thing”, IP based virtual hosting is always better of course… But… Do you know any semi-modern browser which doesn’t implement SNI?


#5

You are correct - it was an opinion, and no, I am not aware of any modern browsers that do not support SNI.


#6

Thanks a lot everyone for great support.
But this issue is not only in one site or one browser. I have got many different sites which are not supported in some versions of browsers and even in mobile devices also.

So I want to know whether the issue is in the browsers, or SSL, or the programming of the sites?

Here I attached 1 more example…
OS - Windows 8.1
Browser version - Safari 5.1.7


#7

As @ahaw021 already said: your site doesn’t serve the intermediate certificate, needed to fully chain the end leaf certificate to the root.

Normally, we would just tell you to use fullchain.pem instead of cert.pem, but that’s on regular *NIX based operating systems and you’re running Windows.

The tip of @ahaw021 to download and install the intermediate certificate on your client won’t suffice: you’ll need to install and use the intermediate on your server, otherwise other people using your site won’t benefit obviously…

How? Well… B/c of your OS (Windows), I have no idea. I guess you should search for that yourself I’m afraid…


#8

Yes I always use only fullchain.pem and privkey.pem when I renew it from Linux server. So now I need to check for intermediate certificate while using Windows Server. Right?


#9

Yes.   


#10

@keval.shah, hopefully the software that you used provided the intermediate certificate.

A not-very-long-term solution if not is to use the IdenTrust-signed X3 intermediate certificate from

https://letsencrypt.org/certificates/

That will be your chain certificate, but this isn’t a good solution in comparison to having software provide this for you because eventually the chain certificate for future certificates will change.


#11

Hi Keval

You are still not issuing the intermediate certificate.

As @osiris said, you can obtain the intermediate certificate and install it on your server.

You can use MMC to confirm this is installed.

Andrei
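
A scripted equivalent of the MMC check suggested in the thread, as an added example that is not part of the original posts: it looks up the site's certificate in the server's Personal store and reports whether a certificate matching its issuer is present in the Intermediate Certification Authorities store. The host name is the one from the thread; the import path in the final comment is a placeholder.

```powershell
# Added example (not from the thread). Run in PowerShell on the IIS server.
$HostName = 'customercenter2.dynamic1001.eu'   # site named in the thread

# Leaf certificates for the site in the Local Machine "Personal" store.
$leafCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName
}

# "Intermediate Certification Authorities" in MMC is the CA store.
$intermediates = Get-ChildItem -Path Cert:\LocalMachine\CA
$now = Get-Date

$report = foreach ($leaf in $leafCerts) {
    # The issuing intermediate is a currently valid CA certificate whose
    # Subject equals the leaf's Issuer. This is a name match only; it does
    # not verify the signature on the leaf.
    $match = $intermediates | Where-Object {
        $_.Subject -eq $leaf.Issuer -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
    [pscustomobject]@{
        LeafThumbprint        = $leaf.Thumbprint
        LeafExpires           = $leaf.NotAfter
        Issuer                = $leaf.Issuer
        IntermediateInstalled = [bool]$match
    }
}
$report | Format-List

if (-not $leafCerts) {
    Write-Warning "No certificate for $HostName found in Cert:\LocalMachine\My"
}
elseif ($report | Where-Object { -not $_.IntermediateInstalled }) {
    Write-Warning 'Issuing intermediate missing from Cert:\LocalMachine\CA.'
    # Placeholder path: point it at the intermediate downloaded from the
    # letsencrypt.org page linked in the thread, then re-run this check.
    # Import-Certificate -FilePath 'C:\path\to\intermediate.cer' -CertStoreLocation Cert:\LocalMachine\CA
}
```

Once `IntermediateInstalled` reports `True`, re-run the SSL Labs test linked in post #2 to confirm the intermediate is actually being served to clients.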


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.