Question
I just added the certificate in IIS 8 (Windows Server 2012) using letsencrypt-win-simple.V1.9.1. There are no problems in Google Chrome but in Firefox the connection is not trusted.
I followed this tutorial: https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows#TheEasyWay:LetsEncrypt-Win-Simple
Answer 1:
Upon cursory examination, it would appear that you have a valid SSL certificate installed and configured. However, more thorough analysis courtesy of the Qualys SSL Labs tool exposes a few issues: https://www.ssllabs.com/ssltest/analyze.html?d=beta.gplay.ro&latest
First, directly relating to the certificate, your server does not supply a certificate chain to the client, only the domain certificate. This requires them to go and download the Let's Encrypt Authority X3 certificate themselves in order to reconstruct the chain back to the DST Root CA X3. Any client that doesn't have that intermediate cert in their trust store and fails to successfully download a copy would fail the validation.
Second, your server has support for SSLv3 enabled, which is deprecated and regarded as a security risk, because it exposes the server to a plethora of vulnerabilities such as POODLE. You also have support for several very weak ciphers enabled, which doesn't help.
I would recommend configuring IIS to serve the full certificate chain instead of just the domain certificate, as well as disabling support for SSLv3, if possible. If Firefox still doesn't like your certificate after that, more in-depth troubleshooting may be necessary.
Answer 2:
The answer above helped me a lot in finding a solution.
I installed the certificate using Certify: https://certify.webprofusion.com/ and it worked.
Regarding the outdated protocols ... Download IIS Crypto: https://www.nartac.com/Products/IISCrypto
Click on Best Practices (it will automatically select the recommended protocols and ciphers) and Apply. Then restart your server and everything is fixed.
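The two server-side findings from Answer 1 can be checked on the IIS host itself. The PowerShell below is an added example, not code from either answer: the host name is a placeholder, and searching the WebHosting store and expecting the intermediate in the machine's Intermediate Certification Authorities store are assumptions.

```powershell
# Added example: audit the missing-intermediate and SSLv3 findings on the IIS host.
# Run in an elevated PowerShell session.
param(
    [string]$HostName = 'www.example.test',  # placeholder host name
    [switch]$DisableSsl3                      # also write the SSL 3.0 registry values
)

# 1. Certificate chain: find the newest certificate for the site.
#    Assumption: it sits in the Personal (My) or WebHosting machine store.
$leaf = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $leaf) { throw "No certificate for $HostName found in the machine stores" }

# Assumption: the issuing intermediate should be present (and unexpired) in
# Cert:\LocalMachine\CA, the "Intermediate Certification Authorities" store.
$intermediate = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $leaf.Issuer -and $_.NotAfter -gt (Get-Date) }

[pscustomobject]@{
    Leaf                = $leaf.Subject
    Issuer              = $leaf.Issuer
    Expires             = $leaf.NotAfter
    IntermediateInStore = [bool]$intermediate
}

# 2. SSLv3: Schannel reads per-protocol settings from this registry key.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
if ($DisableSsl3) {
    # Create the key only if it is missing, so existing values are not discarded.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

# Report the current state; a missing value means the OS default applies.
$state = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
[pscustomobject]@{
    Protocol          = 'SSL 3.0 (server)'
    Enabled           = if ($state -and $null -ne $state.Enabled) { $state.Enabled } else { 'not set (OS default)' }
    DisabledByDefault = if ($state -and $null -ne $state.DisabledByDefault) { $state.DisabledByDefault } else { 'not set (OS default)' }
}
```

Registry changes to Schannel take effect after a restart, and re-running the SSL Labs test from Answer 1 confirms what the server actually presents to clients.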
Source: https://stackoverflow.com/questions/42611180/lets-encrypt-certificate-not-trusted-on-firefox