I had a Let’s Encrypt certificate installed on my IIS web site that just expired today. The Certify application completed the renewal process, but I have my own semi-automated deployment application, so the PFX file was just sitting there. I tried to install it with my deployment app (.NET), but it had some issues and I couldn’t apply the new certificate to the https binding.
I deleted the certificate from the WebHosting store through the certlm management console and then re-imported it manually from there using the PFX. This time I was able to apply the new certificate to the https binding without error in IIS, but when I try to visit the web site, I’m getting the following error codes:
Google Chrome/Microsoft Edge (Chromium): ERR_SSL_PROTOCOL_ERROR
Mozilla Firefox: SEC_ERROR_BAD_SIGNATURE
IE11: Can’t connect securely to this page (no error code)
I’m getting the same results on Windows 10, Windows 11 and Android OS on different networks. I ran an SSL test through SSL Labs and SSL Shopper and everything seems to indicate the certificate is valid.
I’ve fully rebooted the Windows Server 2018 server where IIS is running, but I’m still getting the error. I’ve deleted and re-imported the PFX file multiple times without change. I even deleted the https binding completely, restarted the site, then recreated the binding to see if that would help, but it didn’t.
I realize that IIS can be a little “finicky” when it comes to CSR’s and certificates that weren’t generated through their own process, but I was able to use the previous Let’s encrypt certificate without a problem. I also have another Let’s Encrypt certificate deployed for my network security appliance which seems to be working without a problem, so the issue is clearly either with the certificate PFX or within IIS. I’m just not sure which at this point. In the meantime, my site is effectively shut down until I can get this resolved.
I looked at another, similar issue here in the community: Certificate is valid however, sites using it receiving ERR_SSL_PROTOCOL_ERROR - Question - Certify The Web - Support Community. It mentioned that changing the RSA key to a 4096-bit key fixed their issue, but my key is already 4096-bit (as seen in the SSL Labs test). I’m probably just overlooking something, but I don’t have a clue what that might be.