SSL Certificate error iis

Hi

After configuring my server to use Let’s Encrypt certificate. It working perfectly fine on Google Chrome desktop browser.

But on android google chrome I have getting error.


the server us iis

You’re using, sort of, the “wrong” intermediate certificate:

Certificate chain
 0 s:/CN=ebank.reb.sy
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

While the ISRG Root X1 is indeed the root certificate of Let’s Encrypt itself, it’s currently not present in all root certificate stores. Some, like Mozilla (and apparently Chrome too), do have it included (only recently), but others like Android or Internet Explorer don’t.

Therefore, Let’s Encrypt has cross-signed their intermediate certificates with the DST Root CA X3 (IdenTrust) certificate. That root certificate is present in mostly all root certificate stores.

You can read more about the cross-signing here: https://letsencrypt.org/certificates/

To mitigate your current problem, you’ll need to send the following intermediate (see site above): “Let’s Encrypt Authority X3 (IdenTrust cross-signed)”.

How to do that on IIS? That, I don’t know…

Follow the instructions in step 1 of this guide to access the certificate manager for the system user:

https://support.microsoft.com/en-us/help/954755/how-to-configure-intermediate-certificates-on-a-computer-that-is-runni

Before completing step 2, look in Intermediate Certificate Authorities for any entries starting with Let’s Encrypt Authority and delete them.

Then follow the instructions in step 2 to import the correct intermediate, which you can download here. (Change the file extension to .cer or choose All Files (*.*) to use the PEM file with the certificate manager.)

1 Like

same result, but if the let 's encrypt certificate install on Linux it
works fine on the Android browser, in addition, two firefoxes on Android
work fine with Apache and IIS.

You're still sending the ISRG Root signed intermediate.

I do all the steps before please can you provide me full details to solve
this issue.

You were very careful to follow the specific instructions to get to the certificate manager for the system user, correct? (If you just shortcut into the Certificate Manager in the Start Menu you will not affect the right certificate store.)

What program or website did you use to obtain your certificate?

Did you allow that program to install the certificate for you automatically or did you install it manually?

If you installed it manually, what steps did you take to install it into IIS? Do you remember the name of the file(s) you imported or still have a copy of them?

I generate a certificate and import it to personal by use MMC o windows
then I select the certificate under IIS web server to assign to our
website.

have a look at this article

https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke/

looks like you got things sorted.

@allam
Are you using any windows client for generating certificates ?

yes we use https://zerossl.com/

hello I am very new here- and also new to SSL problems ! I am working on a wordpress site and was blocked out from my site due to the same errormessage as here - and found I need a ssl certificate

  • I am on a danish group who refered me to this group.
    Can anyone help and totally newbie who needs a SSLcentification ?
    I have no idea of what to do and how - when it comes to this and would apprecaite some help
    Thanx in advance :wink:
    Rise

@rise
please do not hijack this thread. please try opening another thread

@allam
for windows 2012 r2 i am using letsencrypt-win-simple . try using it

You used the LE32.exe or LE64.exe downloads and not their online wizard?

Did you pass the --export-pfx option to it in order to generate a PFX file for IIS or did you import some other file it generated?

I didn’t use the LE32.exe or LE64.exe downloads I enable check export pfx

Thanks, it was important to confirm you were following a procedure that would import the right intermediate.

I guess this is a similar issue to one previously where even following Microsoft’s procedure was not good enough.

Try following the instructions in this thread except you need to delete the Let’s Encrypt Authority X3 instead of the old X1 intermediate described there. Go ahead and import the correct X3 intermediate you downloaded earlier as it suggests as well.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.