If you are suddenly seeing a problem requesting or renewing certificates from Let’s Encrypt be aware that they have recently changed their API from an RSA cert to use a ECDSA cert.
This changes the TLS Cipher Suites your system has to use to communicate with their API and for older systems or ones upgraded from previous older OS version (like upgrades from Server 2008 to 2012 or 2016 etc) you will have to enable the appropriate TLS Cipher Suites
The easiest way to do this is download IISCrypto by Nartac:
As a suggested resolution, apply the Best Practices option, ensure that on the Cipher Suites tab the following are included (the app may not select them automatically for older versions of Windows):
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Note: Changing the TLS Protocol and Cipher Suites can have compatibility impact for other systems. The suggested Best Practises mode will enable and disable various cipher suites and protocol levels. You can optionally just enable the above cipher suites manually.
Ensure that TLS 1.2 is enabled for both client and server (on the SChannel tab). Once applied, reboot the server.
More info can be found on the Let’s Encrypt community
Errors you may see if affected:
Could not create SSL/TLS secure channelThe CA ACME directory was not accessible
Further Information
The following PowerShell commands can also be used to diagnose the issue:
Get-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Get-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
If these return no result then the cipher suites are not enabled (or if only one returns a result etc that one is enabled etc).
You can use PowerShell to enable cipher suites, but setting there order is out of scope of this article and the above linked Nartac software is recommended instead:
Enable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Enable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
See more details: