Let's Encrypt certificate not trusted on Firefox

F Andrei · Mar 5, 2017 · Viewed 9.6k times

I just added the certificate in IIS 8 (Windows Server 2012) using letsencrypt-win-simple.V1.9.1. There are no problems in Google Chrome, but in Firefox the connection is not trusted.

I followed this tutorial: https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows#TheEasyWay:LetsEncrypt-Win-Simple

Answer

AfroThundr · Mar 7, 2017

Upon cursory examination, it would appear that you have a valid SSL certificate installed and configured. However, more thorough analysis courtesy of the Qualys SSL Labs tool exposes a few issues: https://www.ssllabs.com/ssltest/analyze.html?d=beta.gplay.ro&latest

First, directly relating to the certificate, your server does not supply a certificate chain to the client, only the domain certificate. This requires them to go and download the Let's Encrypt Authority X3 certificate themselves in order to reconstruct the chain back to the DST Root CA X3. Any client that doesn't have that intermediate cert in their trust store and fails to successfully download a copy would fail the validation.

Second, your server has support for SSLv3 enabled, which is deprecated and regarded as a security risk, because it exposes the server to a plethora of vulnerabilities such as POODLE. You also have support for several very weak ciphers enabled, which doesn't help.

I would recommend configuring IIS to serve the full certificate chain instead of just the domain certificate, as well as disabling support for SSLv3, if possible. If Firefox still doesn't like your certificate after that, more in-depth troubleshooting may be necessary.
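
One way to carry out both recommendations on the IIS host, as an added example that is not part of the answer above or of letsencrypt-win-simple. It assumes that Schannel assembles the chain it sends from the machine's certificate stores, so a missing intermediate in `Cert:\LocalMachine\CA` yields the leaf-only chain SSL Labs reported; `www.example.com` is a placeholder for the site's name.

```powershell
# Added example; run in an elevated PowerShell session on the IIS host.
$HostName = 'www.example.com'   # placeholder: name on the site certificate

# 1. Locate the newest matching certificate in the machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in Cert:\LocalMachine\My" }

# 2. Build the chain, then confirm every intermediate is installed in the
#    machine's Intermediate Certification Authorities store (Cert:\LocalMachine\CA).
#    Build() may fetch a missing issuer over the network, so a successful
#    build alone does not prove the server holds the intermediate locally.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)

$missing = @()
foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
    $ca = $element.Certificate
    if ($ca.Subject -eq $ca.Issuer) { continue }   # self-signed root: clients hold their own copy
    if (-not (Test-Path "Cert:\LocalMachine\CA\$($ca.Thumbprint)")) { $missing += $ca }
}

if ($chain.ChainElements.Count -lt 2) {
    Write-Warning "No issuer found for $($cert.Subject); the intermediate is not available to this server."
} elseif ($missing) {
    $missing | Format-List Subject, Thumbprint, NotAfter
    Write-Warning 'Import these intermediates into Cert:\LocalMachine\CA (for example with Import-Certificate).'
} else {
    Write-Output 'All intermediates are present in the local Intermediate CA store.'
}

# 3. Disable SSL 3.0 for the server side of Schannel (takes effect after a reboot).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
```

After the reboot, re-run the SSL Labs test to confirm the chain is complete and SSL 3.0 is no longer offered.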