Certificate created with Win-Acme does not become active

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wbw-worms.de

I ran this command: wacs.exe /Administrator

It produced this output: Certificate [IIS] WBW, (any host) created

My web server is (include version): MS IIS 2019

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): wacs 2.1.20.1185

I am creating a certificate with Win-Acme for the site "wbw-worms.de" (also wbw-worms.eu). I start wacs.exe as Administrator and have the certificates created. The process runs without problems. The certificates are visible in IIS and are bound to the sites as usual under "Bindings". Nevertheless, in the client browser the sites are shown as "not secure".

Your server is sending a valid cert. See this cert test site

What kind of client is having a problem? Some older clients may not have ISRG Root X1 in their CA Certificate Root store.

Or, if it is a modern browser / client, sometimes you just need to restart it to see a new cert

1 Like

No browser on my side shows the site as secure.

  • Chrome 101.xx
  • Firefox 99.0.1
  • MS Edge 101.xx

Do you have a browser in which the site is shown as secure?
I have the same problem with vettesvolk.de as well.
Unfortunately I cannot send a screenshot?!

Oh, your site is not redirecting HTTP requests to HTTPS

If you use https://wbw-worms.de you will not see that message

You should set up your server to redirect HTTP

I don't know how you do that with IIS but there are many places for advice about that. Maybe try this page

UPDATE: You also want to use only https:// URLs in your web pages. You have at least this one below that is not. The good news is your Let's Encrypt certs look correct.

http://wbw-worms.eu/media/18/content/rheinbruecke4_HW_150.png
1 Like

Unfortunately I also see the message with https://wbw-worms.de/!
Did you try it yourself? - it switches back to http!

Yes, for some reason your server is redirecting HTTPS requests to HTTP. Accessing the domain with tools like openssl and various test sites all show the cert is fine. Examples

SSL Labs

Namecheap SSL Decoder

For other volunteers, note that CURL HEAD requests are NOT redirected (only GET).

You need to review your server config to see why this is. You should be redirecting HTTP to HTTPS which is just the opposite of what you do.

UPDATE: @Wlady And, the redirect to HTTP is done with a 301 Permanent redirect so you may need to clear caches once you get that fixed.

curl -i https://wbw-worms.de

HTTP/2 301
cache-control: private
content-type: text/html; charset=utf-8
location: http://wbw-worms.de/
server: Microsoft-IIS/10.0
x-aspnetmvc-version: 5.2
x-aspnet-version: 4.0.30319
set-cookie: SMARTSTORE.VISITOR=406678f3-bed3-4578-9cdc-eccc639d2a68; expires=Fri, 12-May-2023 15:04:52 GMT; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: ASP.NET
date: Thu, 12 May 2022 15:04:52 GMT
content-length: 137

2 Likes

I am sure that no redirect is performed by my Windows server. The only possibility is that the hoster (Strato) is doing this. I have sent an inquiry to Strato. No reply yet.

It looks like your IIS/10 server is doing it. Compare the two requests below. The first uses a HEAD request and the second a GET (due to the upper and lower case letter i). The response headers are the same, so the redirect most likely comes from the same source. The response headers from requests using HTTP:// are also the same as shown below (except they are never redirected). The IIS server looks like the only one responding to all requests.

curl -I https://wbw-worms.de

HTTP/2 200
cache-control: private
content-length: 194871
content-type: text/html; charset=utf-8
server: Microsoft-IIS/10.0
x-aspnetmvc-version: 5.2
x-aspnet-version: 4.0.30319
set-cookie: SMARTSTORE.VISITOR=76d0d6af-2463-482d-9135-b01c3a1fc519; expires=Tue, 16-May-2023 14:08:45 GMT; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: ASP.NET
date: Mon, 16 May 2022 14:08:45 GMT

curl -i https://wbw-worms.de
HTTP/2 301
cache-control: private
content-type: text/html; charset=utf-8
location: http://wbw-worms.de/
server: Microsoft-IIS/10.0
x-aspnetmvc-version: 5.2
x-aspnet-version: 4.0.30319
set-cookie: SMARTSTORE.VISITOR=76d0d6af-2463-482d-9135-b01c3a1fc519; expires=Tue, 16-May-2023 14:08:55 GMT; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: ASP.NET
date: Mon, 16 May 2022 14:08:55 GMT
content-length: 137
2 Likes
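The HEAD/GET comparison from the post above, as an added example that is not part of the original thread: it parses saved `curl -I` / `curl -i` header output and flags a redirect that sends an HTTPS request to an HTTP URL. The function names are hypothetical and the two sample dumps are abbreviated from the responses posted above.

```python
from urllib.parse import urlsplit

def parse_response(dump):
    """Parse `curl -i` / `curl -I` header output into (status, headers)."""
    lines = [l.strip() for l in dump.strip().splitlines()]
    status = int(lines[0].split()[1])          # "HTTP/2 301" -> 301
    headers = {}
    for line in lines[1:]:
        if not line:                           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(request_url, dump):
    """Classify one response: does it redirect an HTTPS request to HTTP?"""
    status, headers = parse_response(dump)
    location = headers.get("location")
    redirect = status in (301, 302, 303, 307, 308) and location is not None
    downgrade = (redirect
                 and urlsplit(request_url).scheme == "https"
                 and urlsplit(location).scheme == "http")
    return {
        "status": status,
        "location": location,
        "downgrade": downgrade,
        # 301/308 are cached by browsers, so the redirect can outlive the fix
        "cached_by_browsers": downgrade and status in (301, 308),
        "server": headers.get("server"),
    }

def compare_methods(url, head_dump, get_dump):
    """Compare the HEAD and GET responses for the same URL."""
    head, get = check_redirect(url, head_dump), check_redirect(url, get_dump)
    return {
        "head": head, "get": get,
        "method_dependent": head["downgrade"] != get["downgrade"],
        "same_server_header": head["server"] == get["server"],
    }

# Sample input, abbreviated from the two responses posted in the thread.
HEAD_DUMP = "HTTP/2 200\ncontent-type: text/html; charset=utf-8\nserver: Microsoft-IIS/10.0\n"
GET_DUMP = "HTTP/2 301\nlocation: http://wbw-worms.de/\nserver: Microsoft-IIS/10.0\ncontent-length: 137\n"

if __name__ == "__main__":
    print(compare_methods("https://wbw-worms.de", HEAD_DUMP, GET_DUMP))
```

A relative `Location` value has no scheme and is therefore not reported as a downgrade.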

Between my server and the web sits the provider's (Strato) logic. There, in the settings, I can specify whether and which SSL certificate I use. Wouldn't it look exactly like this if that logic, depending on the SSL certificate settings, performed an HTTPS --> HTTP redirect? The ultimate test for this would be if I specify a certificate there and this redirect goes away.

I do not know Strato well enough to say how that config panel would interact with the IIS server. Those questions are better asked to Strato or forums for IIS configuration.

Your Let's Encrypt cert is good. Your system is configured so that it redirects wrong. I have explained as much as I know to help you find that.

2 Likes

Thank you very much for the help, I will proceed exactly that way!

1 Like