
Let's Encrypt certificate not trusted on Firefox

I just added the certificate in IIS 8 (Windows Server 2012) using letsencrypt-win-simple.V1.9.1. There are no problems in Google Chrome, but in Firefox the connection is not trusted.

I followed this tutorial: https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows#TheEasyWay:LetsEncrypt-Win-Simple

F Andrei asked Mar 10 '23 17:03

2 Answers

Upon cursory examination, it would appear that you have a valid SSL certificate installed and configured. However, more thorough analysis courtesy of the Qualys SSL Labs tool exposes a few issues: https://www.ssllabs.com/ssltest/analyze.html?d=beta.gplay.ro&latest

First, directly relating to the certificate, your server does not supply a certificate chain to the client, only the domain certificate. This requires them to go and download the Let's Encrypt Authority X3 certificate themselves in order to reconstruct the chain back to the DST Root CA X3. Any client that doesn't have that intermediate cert in their trust store and fails to successfully download a copy would fail the validation.

Second, your server has support for SSLv3 enabled, which is deprecated and regarded as a security risk, because it exposes the server to a plethora of vulnerabilities such as POODLE. You also have support for several very weak ciphers enabled, which doesn't help.

I would recommend configuring IIS to serve the full certificate chain instead of just the domain certificate, as well as disabling support for SSLv3, if possible. If Firefox still doesn't like your certificate after that, more in-depth troubleshooting may be necessary.

AfroThundr answered Mar 16 '23 09:03

The answer above helped me a lot in finding a solution.

I installed the certificate using Certify: https://certify.webprofusion.com/ and it worked.

Regarding the outdated protocols ... Download IIS Crypto: https://www.nartac.com/Products/IISCrypto

Click on Best Practices (it will automatically select the recommended protocols and ciphers) and Apply. Then restart your server and everything is fixed.

F Andrei answered Mar 16 '23 09:03
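
The two findings discussed in the answers above (the intermediate certificate not being served, and SSLv3 being enabled) can also be checked on the IIS host itself. The script below is an added example, not part of either answer: the host name is a placeholder, the `-DisableSsl3` switch is a hypothetical name, and it assumes the site certificate sits in the machine's `My` or `WebHosting` store.

```powershell
# Added example, not from the answers above. Run in an elevated PowerShell on the IIS host.
param(
    [string]$HostName = 'www.example.com',  # placeholder: the name on the HTTPS binding
    [switch]$DisableSsl3                    # hypothetical switch: apply the registry change
)

# 1. Newest certificate for the host name (assumed to be in My or WebHosting).
$leaf = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $HostName found in LocalMachine\My or WebHosting" }

# 2. Is the issuing (intermediate) certificate installed locally and unexpired?
$issuer = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $leaf.Issuer -and $_.NotAfter -gt (Get-Date) }
"Leaf:    $($leaf.Subject) (expires $($leaf.NotAfter))"
"Issuer:  $($leaf.Issuer)"
if ($issuer) {
    'Chain:   intermediate present in LocalMachine\CA'
} else {
    'Chain:   intermediate MISSING from LocalMachine\CA; import it there'
}

# 3. Server-side Schannel protocol switches. A missing value means the OS default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $p = Get-ItemProperty -Path "$base\$proto\Server" -ErrorAction SilentlyContinue
    $state = 'not set (OS default)'
    if ($p -and $null -ne $p.Enabled) {
        $state = if ($p.Enabled -eq 0) { 'disabled' } else { 'enabled' }
    }
    "{0,-8} {1}" -f $proto, $state
}

# 4. Optional: turn off SSL 3.0 for the server role, as the first answer recommends.
if ($DisableSsl3) {
    $key = "$base\SSL 3.0\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    'SSL 3.0 (server) disabled in the registry; restart the server to apply.'
}
```

Without `-DisableSsl3` the script only reads; re-running the SSL Labs test after any change confirms what clients actually receive.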