How to fix issues with LetsEncrypt certificate chains on Windows Server?
I've been using LetsEncrypt to generate certificates for my sites on Windows 2012 R2 server. It worked great, until recently when I renewed the certificates.
LetsEncrypt made a recent change where they swapped the intermediate certificate with name "Let's Encrypt Authority X1" for one with name "Let's Encrypt Authority X3". The issue is, the authority key for the updated certificate remained the same.
https://community.letsencrypt.org/t/upcoming-intermediate-changes/
So, when I renewed by server certificates, they now were issues by "X3" authority, however since the key was the same, Windows cert store seems to build the certificate chain with the first result it finds (alphabetically?) which turns out to be the old "X1" cert.
This is where the problem arises. For some clients/browsers (like Chrome), this is fine, they only look at the key for the intermediate certificate. However, other clients are more strict and also check the name, and then fail (X1 instead of X3).
My first step to fixing this was to remove the X1 intermediate certificate, and make sure all my server certificates were updated to be issued by X3. Now things look correct, at least in the certificate store in Windows (the chain correctly shows Root Authority -> X3 -> server cert).
The problem I'm stuck on now, and can't seem to figure out, is why clients continue to display the wrong certificate chain (X1). That intermediate certificate doesn't even exist on my server anymore that I can see.
I've tried the usual rebooting server, and also stumbled upon this similar post, tried the steps there a few times without any luck -
https://serverfault.com/a/706278/182874
Any clue what I could be missing? There seems to be some problem with IIS caching certificate chains, since I've tried connecting on multiple clients/machines and all have the same problem. Just have no clue how to clear this "cert chain cache", or if it even exists.
I've just gone through this issue on my server. This was on 2008R2.
- Ensure all certs are using the new intermediate certificate as we're going to remove the old one
- Remove X1 intermediate cert from the local computer and all local user accounts
- Remove the secure binding in IIS for each certificate
- Re-add each of the secure bindings in IIS
There maybe some additional issues for 2012R2, there's a solution posted at https://community.letsencrypt.org/t/iis-8-5-building-incorrect-chain-with-lets-encrypt-authority-x3/13320/84 that quite a few people are reporting to work