Win 2012 Could not establish secure channel for SSL/TLS with authority

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.surelync.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @jamiebray,

This is what I see with Safari on an iPhone.

2 Likes

Also, the web service provider we are getting this error from has provided us with 3 certs (Server, Root, Intermediate). I've installed them in our Windows store, but it's unclear why we are still getting this error when we try to connect.

Here is what is presently being served SSL Checker

Edit

And SSL Server Test: www.surelync.com (Powered by Qualys SSL Labs)

2 Likes

I'm not sure I've filled out this post correctly. Our domain isn't the issue; the issue is that our software is no longer able to connect to another company's web services.

Sorry, I'm new here.

The other company is using a new cert and we are getting this error when we try to connect to their services.

That's a ball in their court to get fixed, I suspect.
I realize that you too have an issue with the fact that the connection between the two of you is “broken” at this time.

What is the other company’s domain name?

2 Likes

It's a government agency, can't get more specific than that unfortunately. Our connection to them was working until 2 days ago and now we get this error every time we try to connect to their web services. I'm wondering, do we need to install the certs they gave us into our browser or somewhere else? We've already installed them in our Windows certificate store under both Current User and Local Computer.

Can you post those certificates?

Also more details on how and / or where these certificates were pulled in to the Windows store (as there are different ways and locations that the certificates could have been installed to)?

1 Like

I believe that they are the best ones to answer your questions.

1 Like

Yeah, I've emailed several times over the last few days and gotten minimal response, and the response I get is this.

We have updated our internal certificates, and it looks like you may need to update the SSL certificates on your system to communicate with us. You can locate the updated SSL certificates on IRS.gov. Once you are on IRS.gov, search for the MeF Guides and Publications page where the certificates will be on the main page, ready to be downloaded.

That site does not use certificates issued by the Let's Encrypt certificate authority. Is there a particular reason that you have decided that this community forum, which exists to help people with certificate issuance from the Let's Encrypt CA, is the correct place to seek assistance?

4 Likes

This certificate was issued by Let's Encrypt

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Edit
And it looks like it expires in 17 days.

Edit 2
And this one expires in 39 days and is not from Let’s Encrypt.

-----BEGIN CERTIFICATE-----
MIIHIjCCBgqgAwIBAgIQRacX6x9LneYDomF0XzFKZTANBgkqhkiG9w0BAQsFADCB
ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y
MzEwMjYyMDExNDZaFw0yNDExMjYyMDExNDVaMH4xCzAJBgNVBAYTAlVTMRYwFAYD
VQQIEw1XZXN0IFZpcmdpbmlhMRYwFAYDVQQHEw1LZWFybmV5c3ZpbGxlMSEwHwYD
VQQKExhJbnRlcm5hbCBSZXZlbnVlIFNlcnZpY2UxHDAaBgNVBAMTE2xhLmFsdC53
d3c0Lmlycy5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDsBTT
svBT3HZhLYOM6ukbgKiJqhU3RDhWTVvdA4a1lUfieOG1hJJ71iexP+fngjq8P4BH
eGXf80jPuJwm+9nbW6brRE9fTh07uKpseR5amwwzuCRpJQhWEfHGFMkPcZqe1nsF
bythCeMTU6xSZ+vJQvBxewz2HLkrMS6qYe5jF2G/XwHKt9YZXMSLvDQMOhBVTuTk
qDCHJZ1lvpRWHuf/8MIzL5HM4MR/AsL/8Oj3jvoJ5E2Llz1+WNdjYCYsoC4mh3XK
JyZR6vqjli1fUwOM3/OTSbVj3a7EFMn5c8YGOcRHyN1WAwGqBPvP9eRg/chW9BU5
PLE9E6UtbLG73B3NAgMBAAGjggNdMIIDWTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBR8Q9ZCr4weT8ItKw66miXBqIWbFDAfBgNVHSMEGDAWgBSConB03bxTP8971PfN
f6dgxgpMvzBoBggrBgEFBQcBAQRcMFowIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3Nw
LmVudHJ1c3QubmV0MDMGCCsGAQUFBzAChidodHRwOi8vYWlhLmVudHJ1c3QubmV0
L2wxay1jaGFpbjI1Ni5jZXIwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5l
bnRydXN0Lm5ldC9sZXZlbDFrLmNybDCBowYDVR0RBIGbMIGYghNsYS5hbHQud3d3
NC5pcnMuZ292ghRhcGkuYWx0Lnd3dzQuaXJzLmdvdoIUbGExLmFsdC53d3c0Lmly
cy5nb3aCFGxhMi5hbHQud3d3NC5pcnMuZ292ghNzYS5hbHQud3d3NC5pcnMuZ292
ghRzYTEuYWx0Lnd3dzQuaXJzLmdvdoIUc2EyLmFsdC53d3c0Lmlycy5nb3YwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjATBgNV
HSAEDDAKMAgGBmeBDAECAjCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHYA2ra/
az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGLbZ1LGwAABAMARzBFAiEA
39KYGhNy2IketPPz4HmyVrRQ4iql0v84HOX7YlEpD2oCIAGmXm8fWekpJAPUWInX
rRn4x01mLzoqVyAzkk9LbklMAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8o
hez4ZG4AAAGLbZ1LPQAABAMARzBFAiEAzYU2hwymv7QTaxc6ZnsNu5IBYQgEDToB
/EzZxafdjVgCIDf6FZHzxPCg2A7zYRH1cSorq3Y8oOtlexDWZu98MtMkAHYA7s3Q
ZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGLbZ1LQAAABAMARzBFAiEA
gQ8AHvFJdbHK97wc7HgQssU+VqhLBXF2sP3UYdR51RUCIDqNPmVHq9y9I86P78U8
XAIifyk7O/gJzRrgErb9cgKjMA0GCSqGSIb3DQEBCwUAA4IBAQCEHdb0IC89aN+Y
dI7hx0hoWEImryrSByqGd2xcLOCFeQ7eCc9ajA12eYJz9ZNSPdKBoPCZzwd7OroD
e6UTMPzaGN1cy/+eXyT4EjWB/gTFAXRgvwY5BZEpx3lSxeVwFcnLQGDlj7dJsiwg
fZTxIMu/iNopQ0KWA7sgwXq4+K2DjZYDcpyhbNterL1olgzUhapQBbDdkTs8N5+b
5MBhwLKH+5CdYjDwHx3jibdOydO1e8yzVjRHZl3r5NzRA+u7Li7fVbmXkDhhwUjM
kJa1Nyt6uwHnRYGt9YIE2G6+THQXrdE/fIKyzb2BNCoH8OlsaU/NRGi4O7s2OMNr
OuKRT+L5
-----END CERTIFICATE-----

@jamiebray I don't believe that "they" have kept the published certificates properly updated and timely.

3 Likes

When I visited, I was presented a certificate issued by GlobalSign GCC T3 DV TLS CA.

The score at SSLLabs is pretty horrifying. I know that I wouldn't want to use that site until it is properly secured.

3 Likes

Hi @jamiebray,

Supplemental:
Windows Server 2012/R2 reaches end of support

3 Likes

Which domain did you fill out in the questionnaire? Your domain or the domain you're having trouble with connecting to?

3 Likes

@jamiebray The email you got said you need to apply the certs from this page to your system. I am not sure what we should do with these instructions or why this is related to Let's Encrypt.

But, did you do what they asked with the SSL Certificates section on this page?

4 Likes

Did they NOT send instructions?
If not, then, yes, you are definitely dealing with a government agency! - LOL

5 Likes

We installed all 3 certs into, I think, the correct Windows store (not positive they are the correct stores). With no instructions from them it's a guessing game. Did just get a new email from them.

"The error message suggests that they probably installed the certificates under the wrong types, since la.www4.irs.gov is the server cert rather than an authority (both root and intermediate certs are certificate authorities, but server certs aren't). The ISRG certificate should be installed under Root and the Let's Encrypt one under Intermediate."

My response email to them.

ServerCertificate.cer What Store does it get installed to? Current User --> FolderName or Local Computer --> FolderName
Root.cer What Store does it get installed to? Current User --> FolderName or Local Computer --> FolderName
Intermediate.cer What Store does it get installed to? Current User --> FolderName or Local Computer --> FolderName

Is that the domain you are trying to connect to? If so, which port? Just with https and default port 443?

If so, that uses a standard Let's Encrypt (RSA) cert and any properly running Windows system should validate connections to it properly.

Note you should not install any intermediate cert anywhere. You need to have the ISRG Root X1 in the CA store used by whatever client access software you use. Windows usually takes care of this.

What client program are you using to access that domain? I am not a Windows expert (and especially not a 2012 version). But, do you know where your client program is looking for root certs?

5 Likes
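The two questions raised above (which store each certificate ended up in, and what the client actually sees when it fails with "Could not establish secure channel") can both be answered from the Windows box itself. The script below is an added example written for this thread; it is not code from any poster, from Let's Encrypt or from the agency. It lists every copy of ISRG Root X1 and of the target's leaf certificate across the LocalMachine and CurrentUser Root, CA and My stores (a leaf certificate sitting in Root or CA is the misplacement the agency's email describes), then opens one TLS 1.2 handshake through .NET's SslStream with a validation callback that records the per-element chain status Windows computed. The `$TargetHost` value is a placeholder, not the agency's hostname; port 443 is assumed as in the reply above.

```powershell
# Added diagnostic example (not from the original thread or any vendor).
# Run on the Windows Server 2012 R2 client that is failing to connect.
param(
    [string]$TargetHost = 'www.example.com',   # placeholder: replace with the host you connect to
    [int]$Port = 443
)

# 1. Which stores hold ISRG Root X1 and the target's own (leaf) certificate?
#    Root  = Trusted Root CAs (ISRG Root X1 belongs here, Windows normally ships it)
#    CA    = Intermediate CAs (normally filled automatically during validation)
#    My    = Personal (client/server identity certs; a remote server's leaf cert does not belong anywhere)
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    foreach ($store in 'Root', 'CA', 'My') {
        Get-ChildItem "Cert:\$loc\$store" |
            Where-Object { $_.Subject -like '*ISRG Root X1*' -or $_.Subject -like "*CN=$TargetHost*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Location   = $loc
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# 2. Perform one handshake and capture why the chain was (or was not) accepted.
#    The callback only reports; it returns the same verdict Windows reached,
#    so it never weakens validation.
$script:chainReport = New-Object System.Collections.ArrayList
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    [void]$script:chainReport.Add("SslPolicyErrors: $errors")
    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        [void]$script:chainReport.Add(("  {0}  [{1}]" -f $el.Certificate.Subject, $status))
    }
    return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    # Older .NET on 2012 R2 may offer only SSL3/TLS1.0 by default; request TLS 1.2 explicitly.
    $ssl.AuthenticateAsClient($TargetHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $true)
    "Negotiated {0} / {1} with {2}:{3}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $TargetHost, $Port
    "Server certificate: " + $ssl.RemoteCertificate.Subject
} catch {
    # This is where "Could not establish secure channel for SSL/TLS" surfaces;
    # the chain report below says which element Windows objected to.
    "Handshake failed: " + $_.Exception.Message
} finally {
    $tcp.Close()
}
$script:chainReport
```

Reading the output: a leaf or intermediate showing up under `Root` is the misplacement to undo; an `UntrustedRoot` status on the last chain element means the client never found ISRG Root X1 in the Trusted Root store; `PartialChain` means the intermediate could not be fetched or found; and a handshake that fails before any chain report is produced points at a protocol or cipher mismatch rather than at certificates.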