Overview
Let's Encrypt recently switched to new intermediate certificates, Let's Encrypt Authority X3 and Let's Encrypt Authority X4, which replace Let's Encrypt Authority X1 and Let's Encrypt Authority X2. Because the new certificates reuse the same keys as the old ones (done to keep Windows XP supported), IIS can end up sending the wrong intermediate certificate in the chain.
Steps to Resolve
You need to remove the X1 and X2 intermediate certificates from the certificate store (nobody should actually have the X2 certificate anywhere, but it is mentioned just to be sure).
Make sure you remove it from each of the following:
- Local Computer
- any user that ran Let's Encrypt
- the Local System (see Run MMC as Local System below)
For Local Computer:
Add a Certificates snap-in to the Microsoft Management Console (MMC) following these instructions. Then navigate within that console to "Console Root > Certificates (Local Computer) > Intermediate Certification Authorities > Certificates" (shown in the screenshot below).
You can see in the screenshot that "Let's Encrypt Authority X1" was present there. So remove it.
Again, make sure you remove the X1 intermediate certificate from all certificate stores: the Local Computer, any user that ran Let's Encrypt, and as the Local System.
Run MMC as Local System
You need to download PsTools from SysInternals and run psexec -i -s mmc.exe. Then go to File -> Add/Remove Snap-in, choose Certificates, and select My user account (because MMC is running as Local System, this is the Local System's own store).
Refresh the certificate chain in IIS
After the intermediate certificates have been removed, right click the web site in IIS Manager and choose Edit Bindings... Then select the https binding that the certificate is currently assigned to and click the Edit... button. Select some other SSL certificate, then re-select the desired certificate and click OK; this forces IIS to rebuild the chain from the intermediates that remain in the store.
NOTES
- Since browsers may cache intermediates themselves, the most reliable test for the fix is an openssl command or the SSL Server Test. While the chain is still wrong, the SSL Server Test will (among other things) say "This server's certificate chain is incomplete. Grade capped to B." and "Extra download", as in this screenshot:

- Removing the X1 intermediate certificate means that any other certificates on the server that chain to it will need to be renewed so that they switch to the X3 intermediate certificate, even if they have not yet expired. Only one of the X1 and X3 intermediate certificates can be in use on a Windows Server at the same time.
Remove directly from Registry
An alternative approach is to run the following to delete the X1 intermediate certificate from the Local System (HKU\S-1-5-18) and Local Computer (HKLM) stores. The registry key name is the certificate's SHA-1 thumbprint:
reg delete HKU\S-1-5-18\Software\Microsoft\SystemCertificates\CA\Certificates\3EAE91937EC85D74483FF4B77B07B43E2AF36BF4 /f
reg delete HKLM\Software\Microsoft\SystemCertificates\CA\Certificates\3EAE91937EC85D74483FF4B77B07B43E2AF36BF4 /f
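The same cleanup, as an added PowerShell example that is not part of the original page or of letsencrypt-win-simple: it removes the X1 intermediate (identified by the thumbprint used in the reg delete commands above) from the Local Computer CA store and from the CA store of the account running the script, then reports any leftovers. It assumes an elevated PowerShell; to clean the Local System store, start PowerShell with psexec -i -s as described above, so that CurrentUser maps to HKU\S-1-5-18.

```powershell
# Added example, not code from the original page or from letsencrypt-win-simple.
# Thumbprint: the SHA-1 registry key name from the reg delete commands above.
# Run elevated; run via "psexec -i -s powershell.exe" to reach the Local System store.
$X1Thumbprint = '3EAE91937EC85D74483FF4B77B07B43E2AF36BF4'
$stores = @('Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA')

foreach ($store in $stores) {
    # Match on thumbprint rather than subject so a renamed or re-issued cert is not confused
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $X1Thumbprint }
    if (-not $found) {
        Write-Host "X1 not present in $store"
        continue
    }
    foreach ($cert in $found) {
        Write-Host "Removing '$($cert.Subject)' (expires $($cert.NotAfter)) from $store"
        Remove-Item -Path $cert.PSPath
    }
}

# Verify: the X1 thumbprint must no longer appear in any store visible to this account.
$leftover = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $X1Thumbprint }
if ($leftover) {
    $where = ($leftover | ForEach-Object { $_.PSParentPath }) -join ', '
    Write-Warning "X1 intermediate still present in: $where"
} else {
    Write-Host 'X1 intermediate removed from all stores visible to this account.'
}

# Show which Let's Encrypt intermediates IIS can now chain to (expect X3, not X1).
Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*Let's Encrypt Authority*" } |
    Select-Object Subject, Thumbprint, NotAfter
```

After running it, still refresh the binding in IIS Manager as described above, since IIS does not rebuild the served chain on its own.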
References
https://github.com/Lone-Coder/letsencrypt-win-simple/issues/177
Please refer to https://pkisharp.github.io/win-acme/ for up-to-date documentation.
