Windows 10 machines can't connect to 802.1x wireless network authenticating against server using Let's Encrypt certificate

We have an 802.1x wireless network which authenticates against a Packetfence server which has a Let's Encrypt certificate for server validation (domain: packetfence-zen.dps.k12.oh.us). Recently, after renewing the certificate, Windows 10 machines are no longer able to connect to this network. It's as if they aren't trusting the certificate any more. This only seems to be happening if the Windows 10 machine is joined to an Active Directory domain. If the machine is removed from the domain, it trusts the certificate again and can connect. How can we fix this?

Hi @spfister, welcome to the LE community forum :slight_smile:

That sounds like the domain (GPO) doesn't like using external certs.
Has this ever worked with a cert from any other CA?

Is ISRG Root X1 in the Windows 10 machine's trust store?

certlm.msc > Certificates > Local Machine > Trusted Root Certification Authorities > Certificates.

It generally will be, unless group policy etc. is failing to allow the client root certificates to update as part of Windows Update. I assume there was no special private key pinning enabled (and if so, the private key has not changed).

1 Like

Thank you for the replies... I am hoping to get permission to purchase a cert from another CA to test.

I looked at the certificates, and I'm not seeing ISRG Root X1. Is there a way to install it?

1 Like

By the way... we have a couple of wildcard certs. I don't think Packetfence supported that when we first installed it. Has that changed?

A normally functioning system that is getting trust store updates from the Internet shouldn't need to explicitly install it. But yes, you can download it from here and install it wherever.

2 Likes

Might you be running into the issue that Microsoft does "lazy loading" of its roots?

If you go in Microsoft Edge to https://valid-isrgrootx1.letsencrypt.org/, you might find that suddenly ISRG Root X1 has appeared in your root store and things start working better.

2 Likes

Here is a direct link to ISRG Root X1:
https://crt.sh/?d=96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
[you only need to view it - don't install it anywhere]

Here is a direct link to ISRG Root X2:
https://crt.sh/?d=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470
[you only need to view it - don't install it anywhere]

I had a question from a user yesterday where their Windows server couldn't talk to our API (which has an ISRG Root X1 root). They did indeed need to install the ISRG Root X1 (self-signed) into their machine's "Trusted Root Certification Authorities" store (using certlm.msc, importing the .der file; choose All Files to browse to the .der file for the cert downloaded from Chain of Trust - Let's Encrypt, as @rmbolger mentioned).

While this should be all automatic, in this case the user browsing to the website didn't automatically populate their trust store with the required root, so I assume they had managed to disable that behavior somehow (there is a group policy setting etc.) and had also disabled the auto-update via Windows Update (or had blocked it).

1 Like
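The checks discussed across the thread (is ISRG Root X1 in the Local Machine trusted root store, is root auto-update blocked by policy, and importing the downloaded .der by hand) can be scripted from an elevated PowerShell prompt. The block below is an added example, not code from the thread or from Packetfence or Let's Encrypt. It uses the SHA-256 fingerprint from the crt.sh link above to identify the root, verifies that fingerprint before importing, and reads the registry value behind the "Turn off Automatic Root Certificates Update" policy; the `.der` file path is a hypothetical placeholder.

```powershell
# Added example (not from the thread): check the Local Machine "Trusted Root
# Certification Authorities" store for ISRG Root X1, report the root auto-update
# policy state, and optionally import a downloaded .der file after verifying it.

# SHA-256 fingerprint of ISRG Root X1 (the value in the crt.sh link posted in the thread).
$IsrgRootX1Sha256 = '96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6'

function Get-CertSha256 {
    # Hex SHA-256 over the DER bytes of a certificate (what crt.sh and browsers display).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $bytes = $sha.ComputeHash($Cert.RawData) } finally { $sha.Dispose() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-IsrgRootX1Trusted {
    # Cert:\LocalMachine\Root is the store certlm.msc shows as
    # "Trusted Root Certification Authorities" under Local Machine.
    $match = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { (Get-CertSha256 $_) -eq $IsrgRootX1Sha256 }
    return [bool]$match
}

function Get-RootAutoUpdatePolicy {
    # Registry value set by the GPO "Turn off Automatic Root Certificates Update"
    # (Computer Configuration > Administrative Templates > System >
    #  Internet Communication Management > Internet Communication settings).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not configured (auto-update allowed)' }
    if ($v.DisableRootAutoUpdate -eq 1) { return 'DISABLED by policy (roots will not auto-populate)' }
    return 'enabled'
}

function Install-IsrgRootX1 {
    # $DerPath: hypothetical path to the ISRG Root X1 .der file downloaded from the
    # Let's Encrypt "Chain of Trust" page. The fingerprint is checked before import
    # so a wrong or tampered file is never added to the trusted root store.
    param([Parameter(Mandatory)][string]$DerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($DerPath)
    $actual = Get-CertSha256 $cert
    if ($actual -ne $IsrgRootX1Sha256) {
        throw "Fingerprint mismatch: got $actual, expected $IsrgRootX1Sha256 - refusing to import."
    }
    # Equivalent of certlm.msc > Trusted Root Certification Authorities > Import; needs elevation.
    Import-Certificate -FilePath $DerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    return $true
}

"ISRG Root X1 in LocalMachine\Root : $(Test-IsrgRootX1Trusted)"
"Root auto-update policy           : $(Get-RootAutoUpdatePolicy)"
# After downloading the root:  Install-IsrgRootX1 -DerPath 'C:\temp\isrgrootx1.der'
```

On a domain-joined machine, run this before and after the manual import: if `Test-IsrgRootX1Trusted` flips to `True` but clients still fail 802.1x, the problem is elsewhere (for example the wireless profile's list of trusted root CAs), whereas a policy state of `DISABLED` explains why the "visit the website in Edge" trick from the thread does nothing on those machines.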