Way to get WinXP to Work with Let's Encrypt Cert? [URGENT]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: orderinout.com

I ran this command: Can’t connect in IE or Chrome. https://www.ssllabs.com/ssltest/analyze.html?d=orderinout.com&s=54.243.32.119

It produced this output: Webpage can’t be found when trying to reach it from XP - it can be reached from other newer systems.

My web server is (include version): AdobeAIR 21.3

The operating system my web server runs on is (include version): Winxp SP3

My hosting provider, if applicable, is: Heroku Auto-Manage

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

We are unable to replace all these legacy systems so I’m looking for a workaround. That could be putting a proxy system on Windows XP and forwarding it out, or installing root certs onto WinXP. Let me know.

If there is a way to get a different SSL cert – I’ll pay for it.

Thanks!

Casey

Wow, AdobeAIR — haven’t heard that name in a while.

Anyway, your problem is actually really confusing for me, since Windows XP SP3 is totally compatible with Let’s Encrypt certificates (assuming you’ve updated the systems in the past year or so), as written in the documentation.

If you’re using Internet Explorer, the most updated version includes the IdenTrust/DST root certificate, which will allow all Let’s Encrypt certificates to be trusted automatically. If you’re using another browser, such as Firefox or Chrome, they’ve included the certificate for much longer and your site should work just fine on even the oldest systems.

Letting me know what browser you’re using will really help. It may even be as simple as clearing your browser cache or flushing your DNS, as both of these things could prevent access to your site.

I suggest just testing the site on all of your legacy systems — if it doesn’t work on all of them, it could be a network configuration issue (or even just that the systems are not updated).

Your Apache server SSL configuration is incompatible with all versions of Internet Explorer on Windows XP. You will need to modify the ciphersuites and possibly TLS versions in your Apache configuration to permit these connections.

Mozilla has a neat SSL configuration generator you can use to help you modify your configuration:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

For compatibility with Internet Explorer 7 and 8 on Windows XP, use the Intermediate configuration. For compatibility with Internet Explorer 6, use the Old configuration.

Please note that if you process credit cards on your site the Old configuration is not PCI compliant. It is not possible to support IE6 on Windows XP and process credit cards compliantly.


AdobeAIR seems to run on however IE is set up. TLS 1.0 is the only protocol enabled inside of IE8.

Windows XP Professional SP3. Update yields - No critical updates found.

I have cleared the ARP cache:
`netsh interface ip delete arpcache`

Also the SSL state.

While Mozilla’s config generator doesn’t seem to support Adobe AIR, it should at least give you an idea of the protocols and ciphersuites you’ll need to enable.

Additionally, your server currently seems to be configured to reject connections without SNI, which IE on XP doesn’t support. So you’ll need to change that configuration, and if you have more than one certificate on the server, you’ll have to make sure the correct one is the default.

I have no idea how to achieve any of that with Adobe AIR though, sorry (edit: and if you’re using a managed service it might not even be possible).

Can you install another browser on the client machines? AFAIK Firefox 52 ESR should still work on XP and might not have the same issues. (However even that won’t get updated after May 2018, so like everything else on XP it’s a temporary solution at best).
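The two server-side points raised in the replies above (legacy TLS versions and cipher suites, and a server that rejects connections without SNI) can both be checked from the outside. The script below is an added example, not code from the thread or from Heroku or Mozilla: it probes a host three ways, once as a modern client, once without SNI (as IE on XP connects) and once restricted to TLS 1.0 (the only version IE8 on XP has enabled), then turns the results into stable finding codes. The `probe`, `diagnose` and `ProbeResult` names are this example's own, and the TLS 1.0 probe assumes the local OpenSSL is still willing to speak TLS 1.0 at security level 0; if it is not, that is reported as a separate finding rather than blamed on the server.

```python
"""Probe a TLS endpoint the way an IE8-on-XP client sees it.

Added example (hypothetical helper names): probes with SNI, without SNI,
and TLS 1.0 only, then maps the outcome to XP/IE8 compatibility findings.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeResult:
    ok: bool
    protocol: Optional[str] = None        # negotiated version, e.g. "TLSv1.2"
    cipher: Optional[str] = None          # negotiated cipher suite name
    cert_hosts: Tuple[str, ...] = ()      # DNS names in the leaf certificate's SAN
    error: Optional[str] = None           # exception text when the handshake failed


def _san_hosts(cert: dict) -> Tuple[str, ...]:
    """DNS entries from the subjectAltName of a cert dict returned by getpeercert()."""
    return tuple(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading '*.' label matching exactly one host label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def probe(host: str, port: int = 443, sni: bool = True,
          tls10_only: bool = False, timeout: float = 5.0) -> ProbeResult:
    """One TLS handshake; verification stays on, hostname is judged by diagnose()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # the no-SNI probe expects a possible mismatch
    if tls10_only:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            ctx.maximum_version = ssl.TLSVersion.TLSv1
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # OpenSSL refuses TLS 1.0 above level 0
        except (ssl.SSLError, ValueError) as exc:
            return ProbeResult(ok=False, error=f"local OpenSSL cannot speak TLS 1.0: {exc}")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                return ProbeResult(ok=True, protocol=tls.version(), cipher=tls.cipher()[0],
                                   cert_hosts=_san_hosts(tls.getpeercert()))
    except (OSError, ssl.SSLError) as exc:
        return ProbeResult(ok=False, error=str(exc))


def diagnose(host: str, with_sni: ProbeResult, without_sni: ProbeResult,
             tls10: Optional[ProbeResult] = None) -> List[str]:
    """Map probe results to the compatibility problems an IE8/XP client would hit."""
    findings: List[str] = []
    if not with_sni.ok:
        return ["SERVER_UNREACHABLE"]           # nothing else can be judged
    if not without_sni.ok:
        findings.append("NO_SNI_REJECTED")      # IE on XP never sends SNI
    elif not any(_name_matches(p, host) for p in without_sni.cert_hosts):
        findings.append("DEFAULT_CERT_MISMATCH")  # wrong default cert -> name error in IE
    if tls10 is not None:
        if tls10.error and tls10.error.startswith("local OpenSSL"):
            findings.append("TLS10_LOCAL_UNSUPPORTED")   # our side could not test it
        elif not tls10.ok:
            findings.append("TLS10_REJECTED")   # server refuses the only version IE8/XP has on
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = (probe(target, sni=True), probe(target, sni=False),
               probe(target, tls10_only=True))
    for label, r in zip(("SNI", "no SNI", "TLS 1.0 only"), results):
        print(f"{label:13} ok={r.ok} proto={r.protocol} cipher={r.cipher} err={r.error}")
    print("findings:", diagnose(target, *results) or ["none"])
```

Run it as `python probe.py yourhost.example` from a machine with outbound 443. A `NO_SNI_REJECTED` or `DEFAULT_CERT_MISMATCH` finding is the SNI problem described above and is fixed on the server (or by the hosting provider), not by changing certificates; `TLS10_REJECTED` means the server would need the generator's Intermediate or Old profile, with the PCI caveat already noted.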

If Heroku is our hosting provider and we are using the auto-enabled managed SSL, can I even make changes to the Apache config file? Will those even survive a scale-up or scale-down?

Heroku doesn’t support changing the TLS configuration with their free automatic SSL support. You can only do this with the $20/month SSL Endpoint service. :cry:

Brutal. I’m looking for docs on Heroku’s SSL config file with their endpoint product but coming up empty. Is it safe to assume that the SSL cert itself is what will provision what Apache will and will not accept?

I can’t wait to pull these boxes from the field. This is crazy.

So they don’t have any automated way to change the SSL configuration; you have to ask support to change the security policy on the AWS Elastic Load Balancer they provision for you.

And unfortunately the SSL Endpoint service doesn’t integrate with Let’s Encrypt automatically, so you would have to use a third-party integration (such as this one for Rails), manually change your certificate every three months, or buy a certificate from a commercial CA.

With those two caveats in mind I think it would be easier for you to give CloudFlare or a similar service your $20/month instead. CloudFlare’s free plan doesn’t support SSL on Windows XP but any paid plan including the $20/month Pro plan will support IE8/XP just fine with less manual effort than trying to get Heroku to do it.

I might be confused. The guy before me had certs (paid for) and had them running on Heroku. Those sites were available before. Can’t I just replace the Let’s Encrypt certs with the old ones and be done with it?

To add certs to Heroku it takes 3 lines of code or am I missing something?

Why pay CloudFlare all those additional fees? Bandwidth, total requests and so on. Heroku is paid good money; they should just do it - no?

Thanks!

Casey

It’s hard to say. Windows XP compatibility is mostly about web server configuration – enabling things that are obsolete and less secure – rather than anything related to certificates.

Certainly the websites’ use of SNI, cipher suite configuration, and maybe having SSL 3 disabled, will be a compatibility issue with IE on XP. And none of those factors are related to the CA.

For a variety of reasons, many hosting companies are phasing out extremely obsolete configurations, so it’s getting harder to continue using them.

Maybe something else changed when you replaced the certificate?

Maybe Adobe disables some CAs, affecting Let’s Encrypt?

What exactly is the error message, anyway?

There is no error in Adobe AIR; it’s simply not able to connect. Yet the newer systems with Adobe AIR are able to connect.

However, when I try to reach out to the URL endpoint within the older machines’ IE it won’t work. But it does work with newer machines.

I’m able to test in the office. New machines work. Old machines get blocked.

I think it might be important to note that the XP box is the client.

It’s possible that switching certificates switched your dyno to new infrastructure that doesn’t support Windows XP. It’s certainly possible that switching back to a custom certificate would revert your dyno back to older infrastructure that still supports Windows XP. It’s just as possible that you will stay on that new infrastructure even when switching back to your custom certificate, though.

It’s weird that it worked before, because their documentation seems to indicate that the free SSL plan has never worked with Windows XP, either with custom certificates or Let’s Encrypt ones. Are you sure you weren’t using the paid SSL add-on before? If you created your dyno with paid SSL before the particular date Amazon AWS changed the default security policy for ELB you would have gotten Windows XP support without asking for it…

At any rate, I’d suggest contacting Heroku Support if it worked before. Maybe they can do something they haven’t documented.

Talked with Heroku support.

  • ELB no longer supports XP/IE8
  • They said I was on a grandfathered policy and can’t go back. 1/2 our systems are offline right now.
  • They are telling me they may not be able to fix it. LOL

Anyone have any ideas? This is complete bs – we just had a legacy account with an endpoint and had no clue this would be an irrevocable change.
