Fix: "Could not create SSL/TLS secure channel." when attempting a certificate order with Let's Encrypt (or "CA ACME Directory is not accessible")

If you are suddenly seeing a problem requesting or renewing certificates from Let’s Encrypt, be aware that they have recently changed their API endpoint from an RSA certificate to an ECDSA certificate.

This changes the TLS cipher suites your system must use to communicate with their API. On older systems, or ones upgraded from a previous OS version (for example Server 2008 upgraded to 2012 or 2016), you will have to enable the appropriate TLS cipher suites yourself, as upgrades often keep the old cipher suite configuration.

The easiest way to do this is to download IISCrypto by Nartac:

As a suggested resolution, apply the Best Practices option, then ensure on the Cipher Suites tab that the following are included (the app may not select them automatically on older versions of Windows):

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Note: Changing the TLS protocol and cipher suite configuration can have a compatibility impact on other systems that connect to or from this server. The suggested Best Practices mode enables and disables various cipher suites and protocol levels. You can optionally just enable the two cipher suites above manually.

Ensure that TLS 1.2 is enabled for both client and server (on the SChannel tab). Once applied, reboot the server.

More info can be found on the Let’s Encrypt community

Errors you may see if affected:

  • Could not create SSL/TLS secure channel
  • The CA ACME directory was not accessible

Further Information

The following PowerShell commands can also be used to diagnose the issue:

Get-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Get-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

If a command returns no result, that cipher suite is not enabled; if it returns a result, that cipher suite is enabled. Both must be enabled for the connection to succeed.

You can also use PowerShell to enable cipher suites, but setting their order is out of scope for this article and the Nartac software linked above is recommended instead:

Enable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Enable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
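The following diagnostic script is an added example, not part of the original article: it checks both cipher suites named above, reports the SChannel TLS 1.2 client setting, and attempts the same TLS 1.2 handshake an ACME client would make. It assumes the Let's Encrypt ACME v2 directory URL shown in the script and an elevated PowerShell session; on systems without Get-TlsCipherSuite it falls back to reading the SChannel cipher suite order from the registry.

```powershell
# Added diagnostic script (not from the original article).
# Assumed: the ACME directory URL below; run from an elevated PowerShell prompt.

$RequiredSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
)
$AcmeDirectory = 'https://acme-v02.api.letsencrypt.org/directory'  # assumed URL

function Get-EnabledCipherSuites {
    # Get-TlsCipherSuite exists on Windows 10 / Server 2016 and later; older
    # systems expose the active suite order only via the SChannel registry key.
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return (Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    return (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
}

# 1. Are the two ECDSA suites present in the enabled list?
$enabled = Get-EnabledCipherSuites
foreach ($suite in $RequiredSuites) {
    $state = if ($enabled -contains $suite) { 'ENABLED' } else { 'MISSING' }
    '{0,-45} {1}' -f $suite, $state
}

# 2. TLS 1.2 client must be allowed in SChannel (Enabled=1, DisabledByDefault=0).
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$p = Get-ItemProperty -Path $tls12 -ErrorAction SilentlyContinue
if ($null -eq $p) {
    'TLS 1.2 client key absent: OS default applies (off by default on Server 2008 R2 and older).'
} elseif ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) {
    'TLS 1.2 client is explicitly disabled in SChannel.'
} else {
    'TLS 1.2 client is enabled in SChannel.'
}

# 3. Reproduce the handshake an ACME client performs, forcing TLS 1.2 for .NET.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $resp = Invoke-WebRequest -Uri $AcmeDirectory -UseBasicParsing -TimeoutSec 15
    'ACME directory reachable (HTTP {0}).' -f $resp.StatusCode
} catch {
    # "Could not create SSL/TLS secure channel" here points at the cipher suite / protocol config.
    'ACME directory request failed: {0}' -f $_.Exception.Message
}
```

A MISSING suite together with a failed step 3 confirms the cipher suite configuration is the cause; a failed step 3 with both suites ENABLED points at the TLS 1.2 setting or at a network issue instead.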

See more details: