do-know / Crypt-LE

Crypt::LE - Let's Encrypt / Buypass / ZeroSSL and other ACME-servers client and library in Perl for obtaining free SSL certificates (inc. generating RSA/ECC keys and CSRs). HTTP/DNS verification is supported out of the box, EAB (External Account Binding) supported, easily extended with plugins, easily dockerized.
https://Do-Know.com
Artistic License 2.0

Windows le64.exe v.0.37 SSL connection failed for acme-v02.api.letsencrypt.org error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed #71

Closed payoffice closed 3 years ago

payoffice commented 3 years ago

Hello,

Certificate creation and renewal have been failing since yesterday (Sept 29, 2021) when using the latest Windows le64.exe release (v.0.37).

The error is the following: Could not load the resource directory: SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

We think it might be due to the DST Root CA X3 expiration (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)

Would you please check this issue?

Thank you.

criwayc commented 3 years ago

Whelp, if that is the case, then wouldn't that mean that LetsEncrypt itself is still using (for https://acme-v02.api.letsencrypt.org) a certificate that was signed by the now-expired intermediate?

I don't know if I wanna cry or laugh right now... as this is the exact reason why a lot of people need to re-issue their certs right now (cause some clients no longer trust 'em, i.e. iOS devices).

do-know commented 3 years ago

Will have a look today.

Rem-V commented 3 years ago

Same issue on my Win 2012 servers (v.0.37): curl and Chrome can successfully access https://acme-v02.api.letsencrypt.org/directory without SSL/TLS errors, but here is the le64.exe log when renewing a cert:

2021/09/30 12:52:58 Connecting to https://acme-v02.api.letsencrypt.org/directory
2021/09/30 12:52:59 SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2021/09/30 12:52:59 [ RESOURCE_DIRECTORY_LOAD ] Could not load the resource directory: SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Maybe related to certificate chain validation (are the bundled root/intermediate certs up to date?)?
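To make the chain-validation question above concrete, here is an added example (not code from this thread or from Crypt::LE) that models path building for the Let's Encrypt chain against an old and an updated CA store. The certificate records are constructed metadata only (subject, issuer, notAfter; no keys or signatures), the dates are sample values, and the `trusted_first` switch is an assumption that models whether the validator stops at the first trusted anchor or follows the server-sent chain to its end.

```python
from datetime import datetime, timezone

def utc(s):
    """Parse 'YYYY-MM-DD HH:MM' as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed certificate records; names mirror the Let's Encrypt chain discussed in
# the issue, dates are sample values chosen for the example (no real keys/signatures).
SERVED_CHAIN = [
    {"subject": "acme-v02.api.letsencrypt.org", "issuer": "R3", "not_after": utc("2021-12-28 00:00")},
    {"subject": "R3", "issuer": "ISRG Root X1", "not_after": utc("2025-09-15 16:00")},
    # cross-signed ISRG Root X1 issued by the old DST root: the "long chain" a server may send
    {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "not_after": utc("2024-09-30 18:14")},
]
OLD_STORE = {"DST Root CA X3": utc("2021-09-30 14:01")}      # only the expiring root is trusted
NEW_STORE = {"DST Root CA X3": utc("2021-09-30 14:01"),
             "ISRG Root X1": utc("2035-06-04 11:04")}         # updated bundle adds the new root

def validate(chain, store, now, trusted_first=True):
    """Return (ok, reason). Walk leaf -> issuer. With trusted_first the walk stops at the
    first issuer present in the store; without it (older path builders) the served chain
    is followed to its end, so the expired cross-signing root is still evaluated."""
    by_subject = {c["subject"]: c for c in chain}
    cert = chain[0]
    while True:
        if cert["not_after"] < now:
            return False, f"certificate expired: {cert['subject']}"
        issuer = cert["issuer"]
        nxt = by_subject.get(issuer)
        if issuer in store and (trusted_first or nxt is None):
            if store[issuer] < now:
                return False, f"trust anchor expired: {issuer}"
            return True, f"chained to trusted root {issuer}"
        if nxt is None:
            return False, f"no issuer for {cert['subject']} ({issuer} not trusted)"
        cert = nxt

def report(now):
    """Evaluate the same served chain under the three client configurations."""
    return {
        "old_store": validate(SERVED_CHAIN, OLD_STORE, now),
        "new_store": validate(SERVED_CHAIN, NEW_STORE, now),
        "new_store_legacy_path": validate(SERVED_CHAIN, NEW_STORE, now, trusted_first=False),
    }

if __name__ == "__main__":
    for name, result in report(utc("2021-09-30 15:00")).items():
        print(f"{name:22s} {result}")
```

Only the updated store combined with trusted-first path building succeeds after the old root's expiry; an outdated bundle, or a validator that insists on walking to the end of the served chain, still ends at the expired DST root.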

do-know commented 3 years ago

New version is going to be up shortly and should resolve this.

do-know commented 3 years ago

New release based on 0.38 code is up.

https://github.com/do-know/Crypt-LE/releases/tag/0.38

NB: It would be good to have the confirmation whether that solved the problem for you (as it certainly works for me).

sbsrouteur commented 3 years ago

Works for me. Many thanks.

Note: only tested LE64.exe.

criwayc commented 3 years ago

For the people who just need a quick fix to get their existing certificates on Windows/IIS working again: simply reboot the system.

It seems like until recently Windows/IIS sent the old R3 intermediate cert to the clients, but this one got removed from the Windows truststore now (hidden Windows update?) and thus the IIS webserver now uses/sends the new one.

Addendum: restarting IIS does not help here, as the Schannel service is handling all the SSL/TLS connections and you would need to restart this one (but that can't be done, due to dependencies).

payoffice commented 3 years ago

Great thank you @do-know !

LE64.exe is now working perfectly with new release https://github.com/do-know/Crypt-LE/releases/tag/0.38

Rem-V commented 3 years ago

> For the people who just need a quick fix to get their existing certificates on Windows/IIS working again: simply reboot the system.
>
> It seems like until recently Windows/IIS sent the old R3 intermediate cert to the clients, but this one got removed from the Windows truststore now (hidden Windows update?) and thus the IIS webserver now uses/sends the new one.
>
> Addendum: restarting IIS does not help here, as the Schannel service is handling all the SSL/TLS connections and you would need to restart this one (but that can't be done, due to dependencies).

For those who don't want to reboot, this command may help (it did for me; see https://community.letsencrypt.org/t/dst-root-ca-x3-expiry-countdown/158964/50): appcmd.exe renew binding /oldcert:THUMBPRINT /newcert:THUMBPRINT

Rem-V commented 3 years ago

Certificate renewal is OK with the new release (https://github.com/do-know/Crypt-LE/releases/tag/0.38)!

Thanks!