Staging Api not accessible from Server 2012 R2

Hi Guys,

We are having an issue with Accessing the Staging API ( https://acme-staging-v02.api.letsencrypt.org/directory) from Server 2012 r2! The server has TLS 1.2 enabled and it is set as the server's default. We have noticed that you have only enabled these three cipher suites for TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

As these Cipher suites are not included in Server 2012 R2 does this mean that we need to upgrade the Server so we can use Staging API?

Thanks in Advance
Adnan Dragnic

Hi @Adi.d, and welcome to the LE community forum

Using: openssl s_client -connect acme-staging-v02.api.letsencrypt.org:443
I get:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Have you tried other sites for TLSv1.2 ?
Is this only a problem with this one site?

@rg305 That's one of the cipher suits mentioned by OP in his post, right? Not sure what you mean with your post to be honest

hmm...
I may have read that too fast (or thought too slowly) - LOL

FYI - with OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) I get

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

It's possible; You just need to enable the right ciphers in your Win2012R2 system:

Try updating the ciphers with Nartac IIS Crypto.
[requires reboot]

Here is a doc that lists the cipher suites supported by Windows 8.1 and 2012 R2. It does not include any of the three suites supported by the Staging endpoint.

@rg305's IIS Crypto recommendation is generally a good one. But it can't solve the fact that the OS just doesn't support those cipher suites even when fully patched. So any ACME client that relies on the OS's TLS stack won't work with the Staging server (and will eventually stop working against Production if/when they start restricting the ciphers there as well). I think @rg305's screenshot using OpenSSL only works because it does not use the OS's TLS stack.

Windows Server 2012 R2 went out of mainstream support 4 years ago (Oct 2018) and transitioned to extended support which means there will be no new features or capabilities added and only security updates released until extended support expires in October 2023.

So yeah, you're going to want to upgrade that OS sooner rather than later. If you absolutely need to use the Staging server from it, you'll have to find another ACME client that doesn't rely on the Windows TLS stack.

What do you mean it isn't supported?
I showed a picture of a Windows Server 2012 R2 connecting to the staging system.

You were using openssl which has its own TLS stack and doesn't rely on the OS's configuration or capabilities.

Try using something like PowerShell such as:

Invoke-RestMethod https://acme-staging-v02.api.letsencrypt.org/directory

I keep coloring outside the lines!!!

Then they will have to use a proxy!
2012r2 supports Hyper-V; So, it can be a local VM just for that.

We are currently testing a new TLS configuration in staging. We intend to support a larger set of ciphers than what you're seeing, which is surprising to me. It's possible that the new configuration has a mistake.

I will investigate. Thank you for pointing this out!

And to directly answer your question: Windows 2012 R2 is still getting fixes by Microsoft for the next year, so we should continue to support it for at least that long.

We've rolled back the change in staging (so it matches production.)

You should be able to use Windows 2012R2 against staging while we do further compatibility testing.

Thank you it is working now

Regards

I am glad to hear it. Thank you for making this post as well, as it alerted me to the problem. While we would have done more testing before going to production, it's quite possible we wouldn't have tested old versions of Windows and missed this incompatibility. I have a "Windows Server 2012R2 evaluation edition" VM now, so I'll make sure to test that specifically.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.