Supply Let's Encrypt certificate chain to the client on IIS


Problem description



To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.

I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did:

In Chrome it all works. In Firefox I get the error below:

So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net

I also checked this other post.

There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.

I then took these steps found here:

  1. Open the Certificates Microsoft Management Console (MMC) snap-in.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
  4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  5. In the Select computer dialog box, click Finish.

I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly I'd presume.

How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?

UPDATE 1

Based on @rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked "Please pick the main host, which will be presented as the subject of the certificate", I selected gamegorilla.net. After this gamegorilla.net now works in Firefox; however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.

UPDATE 2

Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically: Should I leave those or delete those mail+smtp records here?

Also, the certificate is now [Manual], does that mean I need to renew manually (which would be weird since nowhere during the certificate creation steps did I see an option for auto-renewal):

Solution

The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net. If you select all binding identifiers instead of supplying the search pattern, I think it should work.

To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.

After starting wacs select M for a new request and select option 2 for manual input. After that enter the comma separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtpkaro-elektrogroothandel.nl (without any spaces). Or when you want to generate a wildcard certificate you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.

Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challenge doesn't support wildcard certificates.

For the certificate renewal you should run wacs --renew from time to time (for example via a scheduled task).
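As an added illustration (not from the question, the answer, or win-acme), the two conditions this thread runs into can be checked offline in Python: whether every IIS binding hostname is covered by the certificate's SAN list under the one-label wildcard rule, and whether the chain the server sends reaches a trusted root without the client having to fetch the intermediate itself (Chrome does that on its own, Firefox does not, which is why the site fails only in Firefox). The bindings and SAN lists are the ones named in the thread; the chain records and the root name are constructed placeholders.

```python
# Added example, not code from the thread or from win-acme. Two offline checks:
# (1) does the SAN list cover each IIS binding hostname, (2) does the chain the
# server sends reach a trusted root without the client fetching the issuer.

def san_matches(hostname: str, san: str) -> bool:
    """Match a hostname against one dNSName SAN entry. A wildcard covers
    exactly one left-most label and never the apex: *.gamegorilla.net covers
    www.gamegorilla.net but not gamegorilla.net or a.b.gamegorilla.net, which
    is why the answer lists both the apex name and the wildcard."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    labels = hostname.split(".")
    return bool(labels[0]) and ".".join(labels[1:]) == san[2:]


def uncovered_bindings(bindings, sans):
    """Return the binding hostnames that no SAN entry covers."""
    return [b for b in bindings if not any(san_matches(b, s) for s in sans)]


def chain_problems(chain, trusted_roots):
    """chain: (subject, issuer) pairs in the order the server sends them, leaf
    first. An empty result means a client can build the path from the sent
    certificates plus a trusted root alone, with no AIA fetching."""
    if not chain:
        return ["no certificate sent"]
    problems = []
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"{subj} is issued by {issuer}, but {next_subj} follows it")
    subj, issuer = chain[-1]
    if issuer not in trusted_roots:
        problems.append(f"chain stops at {subj}; its issuer {issuer} was not sent")
    return problems


# Hostnames bound in IIS and the two SAN lists discussed in the thread.
BINDINGS = ["gamegorilla.net", "www.gamegorilla.net", "smtp.gamegorilla.net",
            "karo-elektrogroothandel.nl", "www.karo-elektrogroothandel.nl",
            "smtp.karo-elektrogroothandel.nl"]
WWW_ONLY = ["www.gamegorilla.net"]                   # what the search pattern produced
WILDCARD = ["gamegorilla.net", "*.gamegorilla.net",  # wildcard list from the answer
            "karo-elektrogroothandel.nl", "*.karo-elektrogroothandel.nl"]

# Constructed chain records; the root name is a placeholder, not a real CA.
LEAF_ONLY = [("gamegorilla.net", "Let's Encrypt Authority X3")]
FULL_CHAIN = LEAF_ONLY + [("Let's Encrypt Authority X3", "ROOT-CA-PLACEHOLDER")]
TRUSTED_ROOTS = {"ROOT-CA-PLACEHOLDER"}
```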
