I get "this certificate cannot be verified up" but only on one machine!

Hi,

I just set up an EC2 server, running Windows/IIS and happily used certifytheweb to get an SSL certificate.

It works well, almost everywhere. Except for one PC which also just so happens to be in a classroom where I teach. (Sigh, that’s a very visible place for the error to crop up!)

On that one special machine I get “this certificate cannot be verified up to a trusted certification authority”

And - on that one machine - I do not see:

Ensures the identity of a remote computer
2.23.140.1.2.1
1.3.6.1.4.1.44947.1.1.1

I suspect that the problem is that this one problematic PC does not support IPv6, hence the problem verifying up to the CA.

Does that make sense? Is there any improvement I can make server-side (e.g. generate a new cert) that would support systems that were exclusively on IPv4?

Or… if you think I misdiagnosed the problem… let me know what you think the problem really is.

-Jeremy

Hi Jeremy,

It sounds like something has gone wrong with an intermediate certificate (or the computer doesn’t trust the root). If you click on the padlock/certificate details in a browser it will usually tell you the ‘chain’: Your cert > an Intermediate cert > the Certificate Authority (root).

It will vary by browser and operating system as to how the client verifies the chain of a certificate when it sees it but normally your webserver will be serving your main cert and the intermediate, then the root cert (ISRG Root X1 or DST Root X3) will be on the computer itself (this is how it knows which certs to trust or not, because it has a copy of them). Check to see if this link works on the problem computer: https://valid-isrgrootx1.letsencrypt.org/

To diagnose more I’d need to see the chain (this is shown as Certificate Path in Windows when you click on a certificate).

Note that it’s up to a combination of Windows Update and the browser/OS to update trusted roots. If you are using Chrome or Edge, the OS manages the root certificates (under Manage Computer Certificates > Trusted root certification authorities); if you use Firefox, these are stored in the browser certificate store.
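
The check described in the reply above can be scripted on the problem PC. This is an added example, not part of either post: it prints the chain that Windows builds for the site, the validation verdict, and whether the roots named in the reply are in the machine's trusted root store. The host name is a placeholder assumption, and the result reflects the Windows store only, not Firefox's own store.

```powershell
# Diagnostic only: run on the machine that shows the error.
$HostName = 'www.example.com'   # placeholder (assumption): replace with your site

$result = @{ Errors = $null; Chain = @() }

# The callback receives the chain this machine built and its verdict.
# It returns $true only so the handshake completes and the result can be
# inspected; never accept every certificate like this outside a diagnostic.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $policyErrors)
    $result.Errors = $policyErrors
    foreach ($element in $chain.ChainElements) {
        $result.Chain += [pscustomobject]@{
            Subject  = $element.Certificate.Subject
            Issuer   = $element.Certificate.Issuer
            NotAfter = $element.Certificate.NotAfter
            Status   = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

# 'None' means the chain validated; 'RemoteCertificateChainErrors' means it did not.
"Validation result on this machine: $($result.Errors)"

# One entry per certificate: leaf first, then intermediate, then root (if found).
$result.Chain | Format-List

# The roots named in the reply, as seen in the machine's trusted root store.
"Matching roots in Cert:\LocalMachine\Root:"
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'ISRG Root X1|DST Root' } |
    Format-List Subject, NotAfter, Thumbprint
```

A `Status` of `UntrustedRoot` or `PartialChain`, or an empty list of matching roots, points at the client's trust store rather than at the certificate on the server.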