Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Also, the web service provider we are getting this error from has provided us with 3 certs: Server, Root, Intermediate. I've installed them on our Windows store, but unclear why we are still getting this error when we try to connect.
I'm not sure I've filled out this post correctly. Our domain isn't the issue; the issue is our software is no longer able to connect to another company's web services.
That ball is in their court to get fixed, I suspect.
I realize that you too have an issue with the fact that the connection between the two of you is “broken” at this time.
It's a government agency; can't get more specific than that, unfortunately. Our connection to them was working until 2 days ago and now we get this error every time we try to connect to their web services. I'm wondering, do we need to install the certs they gave us into our browser or somewhere else? We've already installed them in our Windows certificate store under both Current User and Local Computer.
Also more details on how and / or where these certificates were pulled in to the Windows store (as there are different ways and locations that the certificates could have been installed to)?
Yeah, I've emailed several times over the last few days and gotten minimal response, and the response I get is this.
We have updated our internal certificates, and it looks like you may need to update the SSL certificates on your system to communicate with us. You can locate the updated SSL certificates on IRS.gov. Once you are on IRS.gov, search for the MeF Guides and Publications page where the certificates will be on the main page, ready to be downloaded.
That site does not use certificates issued by the Let's Encrypt certificate authority. Is there a particular reason that you have decided that this community forum that exists to help people with certificate issuance from the Let's Encrypt CA is the correct place to seek assistance?
@jamiebray The email you got said you need to apply the certs from this page to your system. I am not sure what we should do with these instructions or why this is related to Let's Encrypt.
But, did you do what they asked with the SSL Certificates section on this page?
We installed all 3 certs into, I think, the correct Windows store (not positive they are the correct stores). With no instructions from them it's a guessing game. Did just get a new email from them.
"The error message suggests that they probably installed the certificates under the wrong types, since la.www4.irs.gov is the server cert rather than an authority (both root and intermediate certs are certificate authorities, but server certs aren’t). The ISRG certificate should be installed under Root and the Let’s Encrypt one under intermediate."
My response email to them.
ServerCertificate.cer What Store does it get installed to? Current User --> FolderName or Local Computer --> FolderName
Root.cer What Store does it get installed to? Current User --> FolderName or Local Computer --> FolderName
Intermediate.cer What Store does it get installed to? Current User --> FolderName or Local Computer --> FolderName
Is that the domain you are trying to connect to? If so, which port? Just with https and default port 443?
If so, that uses a standard Let's Encrypt (RSA) cert and any properly running Windows system should validate connections to it properly.
Note you should not install any intermediate cert anywhere. You need to have the ISRG Root X1 in the CA store used by whatever client access software you use. Windows usually takes care of this.
What client program are you using to access that domain? I am not a Windows expert (and especially not a 2012 version). But, do you know where your client program is looking for root certs?
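
One way to check the store placement discussed in this thread, as an added example that is not from any participant or from the agency: it lists the Current User and Local Computer stores, classifies each certificate as root, intermediate or leaf, flags entries that sit in a store of the wrong type, and reports whether ISRG Root X1 is in a Root store. The classification heuristic (Basic Constraints plus subject equals issuer) and the expected-store mapping are assumptions of this example, so flagged entries are candidates for review, not confirmed errors.

```powershell
# Added example: audit certificate placement in the Windows certificate stores.
# Store names: Root = Trusted Root CAs, CA = Intermediate CAs, My = Personal.

function Get-CertRole {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    $isCa       = [bool]($bc -and $bc.CertificateAuthority)
    $selfSigned = $Cert.Subject -eq $Cert.Issuer   # heuristic: name match only, signature not verified
    # Legacy roots may carry no Basic Constraints extension at all.
    if ($selfSigned -and ($isCa -or -not $bc)) { 'root' }
    elseif ($isCa)                             { 'intermediate' }
    else                                       { 'leaf' }
}

# Assumed mapping of certificate role to the store it belongs in.
$expected = @{ root = 'Root'; intermediate = 'CA'; leaf = 'My' }

$report = foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($storeName in 'Root', 'CA', 'My') {
        foreach ($cert in Get-ChildItem -Path "Cert:\$location\$storeName") {
            $role = Get-CertRole -Cert $cert
            [pscustomobject]@{
                Location   = $location
                StoreName  = $storeName
                Role       = $role
                Misplaced  = ($expected[$role] -ne $storeName)
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

# Certificates whose role does not match the store they were imported into,
# e.g. a server (leaf) certificate placed under Trusted Root.
$report | Where-Object Misplaced |
    Sort-Object Location, StoreName |
    Format-Table Location, StoreName, Role, Subject, NotAfter -AutoSize

# Is ISRG Root X1 present as a trusted root, and in which location?
$isrg = $report | Where-Object { $_.StoreName -eq 'Root' -and $_.Subject -like '*CN=ISRG Root X1*' }
if ($isrg) { $isrg | Format-Table Location, Subject, NotAfter, Thumbprint -AutoSize }
else       { Write-Warning 'ISRG Root X1 not found in CurrentUser or LocalMachine Root store.' }
```

This only inspects the Windows stores; a client program that ships its own CA bundle will not be affected by what is installed there.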