Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
302 views
in Technique[技术] by (71.8m points)

email - Supply Let's Encrypt certificate chain to the client on IIS

To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.

I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did: enter image description here

In Chrome it all works. In Firefox I get the error below:

enter image description here So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net

I also checked this other post.

There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.

I then took these steps found here:

  1. Open the Certificates Microsoft Management Console (MMC) snap-in.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
  4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  5. In the Select computer dialog box, click Finish.

I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly I'd presume.

How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?

UPDATE 1

Based on @rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked Please pick the main host, which will be presented as the subject of the certificate, I selected gamegorilla.net. After this gamegorilla.net now works in Firefox, however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.

UPDATE 2

Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically: enter image description here Should I leave those or delete those mail+smtp records here?

Also, the certificate is now [Manual], does that mean I need to renew manually (which woud be weird since nowhere during the certificate creation steps did I see an option for auto-renewal): enter image description here

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net if you select all binding identifiers instead of supplying the search pattern I think it should work.

To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.

After starting wacs select M for a new request and select option 2 for manual input. After that enter the comma separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtpkaro-elektrogroothandel.nl (without any spaces). Or when you want to generate a wildcard certificate you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.

Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challange doesn't support wildcard certificates.

For the certificate renewal you should run wacs --renew from time to time (for example via a schedules task).


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...