Also, I downloaded the "Certificate details (signed by ISRG Root X2)" and "Certificate details (cross-signed by ISRG Root X1)" from this URL, Chains of Trust - Let's Encrypt, and uploaded them to the intermediate certificate authority on the server, but the issue still persists. I can generate the certificate, as I would like to implement TLS 1.2.
My domain is: onlineshop-qa.hajoona-development.de
The certificate currently being served is correct. "unable to get local issuer certificate" implies the machine you are testing on does not have an up-to-date ca-certificate bundle for openssl, e.g. it doesn't know ISRG Root X1 or ISRG Root X2.
The goal is to disable TLS 1.0 and 1.1 and only allow TLS 1.2, but recently when we turned off 1.0 and 1.1 the website was not accessible anymore and we had to turn on TLS 1.0 and 1.1.
The website connection is with TLS 1.2, but when we turn off the older versions of TLS the website is not accessible anymore.
+1 on using IIS Crypto to configure your TLS protocol and cipher suites. Also be aware that if your Server 2019 was an in-place upgrade from an older version of Windows, some important TLS ciphers may not be enabled, particularly common ECDSA ones. If you don't enable the required cipher suites then the clients cannot establish a common cipher suite to communicate with.
You could switch your certificate key to RSA instead of EC, which would let you use RSA specific cipher suites.
As an aside, note that the developer of win-acme has forked the project into simple-acme and I'd expect that will get more updates in the future. Other Windows-based clients are also available.
We regularly update the server and it is up to date.
Which cipher suites does TLS 1.2 require? Do you have any suggestion or link where I can find this information? We have enabled the SSL Cipher Suite Order policy and added many ciphers, but maybe we are missing some that are missing for TLS 1.2.
Right now we are not testing, just doing the research to avoid the website-not-accessible issue. When we were testing, we disabled TLS 1.0 and 1.1, also disabled weak ciphers and only enabled TLS 1.2, and when we restarted the server the website was not accessible to anyone over the internet. Now the changes are reverted and TLS 1.0, 1.1 and 1.2 are enabled, and that is why the website can be accessed.
I'd recommend snapshotting your VM and using it to create a test system, then connecting to that by editing your hosts file to point the domain to the test VM IP. Then you can freely test changes without affecting production.
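
Added example, not part of any post in this thread: a small offline check of the point made above about ECDSA cipher suites and switching the key to RSA. It takes a cipher suite order string, a client's offered suites and the certificate key type, and returns the suites that could actually be negotiated. The policy strings and client offer are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data: a cipher suite order list that contains only RSA-authenticated suites.
SERVER_POLICY = ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                 "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256")
# Constructed sample data: the same list with two ECDSA suites placed first.
FIXED_POLICY = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + SERVER_POLICY)
# Constructed sample data: TLS 1.2 suites offered by a client.
CLIENT_OFFER = ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")

def parse_policy(policy):
    """Split a comma-separated suite list into normalized names."""
    names = [s.strip().upper() for s in policy.split(",") if s.strip()]
    # Older Windows names carry a curve suffix such as _P256; drop it for comparison.
    return [re.sub(r"_P\d+$", "", n) for n in names]

def cert_type_needed(suite):
    """Key type the server certificate must have for this suite, or None."""
    if "_WITH_" not in suite:
        return None  # TLS 1.3 names (TLS_AES_...) do not encode the certificate type
    key_exchange = suite[:suite.index("_WITH_")].split("_")
    if "ECDSA" in key_exchange:
        return "ECDSA"
    if "RSA" in key_exchange:
        return "RSA"  # covers TLS_RSA_, TLS_ECDHE_RSA_ and TLS_DHE_RSA_
    return None  # DSS, PSK, anonymous: not served by an RSA or EC certificate

def negotiable(server_policy, client_offer, cert_key_type):
    """Suites, in server order, enabled on both sides and usable with the certificate."""
    offered = set(parse_policy(client_offer))
    return [s for s in parse_policy(server_policy)
            if s in offered and cert_type_needed(s) == cert_key_type]

if __name__ == "__main__":
    for label, policy, key in (("RSA-only list, EC cert", SERVER_POLICY, "ECDSA"),
                               ("RSA-only list, RSA cert", SERVER_POLICY, "RSA"),
                               ("ECDSA suites added, EC cert", FIXED_POLICY, "ECDSA")):
        common = negotiable(policy, CLIENT_OFFER, key)
        print(f"{label}: {common if common else 'no common cipher suite'}")
```

An empty result for the certificate's key type means the handshake has nothing to agree on, whichever protocol versions are enabled.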