
To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.

I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did:

In Chrome it all works. In Firefox I get the error below:

So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net

I also checked this other post.

There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.

I then took these steps found here:

  1. Open the Certificates Microsoft Management Console (MMC) snap-in.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
  4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  5. In the Select computer dialog box, click Finish.

I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly I'd presume.

How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?

UPDATE 1

Based on @rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked Please pick the main host, which will be presented as the subject of the certificate, I selected gamegorilla.net. After this gamegorilla.net now works in Firefox, however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.

UPDATE 2

Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically. Should I leave those or delete those mail+smtp records here?

Also, the certificate is now [Manual]. Does that mean I need to renew manually (which would be weird since nowhere during the certificate creation steps did I see an option for auto-renewal)?


1 Answer


The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net. If you select all binding identifiers instead of supplying the search pattern, I think it should work.

To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.

After starting wacs select M for a new request and select option 2 for manual input. After that enter the comma separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtpkaro-elektrogroothandel.nl (without any spaces). Or when you want to generate a wildcard certificate you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.

Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challenge doesn't support wildcard certificates.

For the certificate renewal you should run wacs --renew from time to time (for example via a scheduled task).

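The question's underlying symptom (works in Chrome, fails in Firefox) is what happens when a server sends only the domain certificate: Firefox uses its own trust store and does not fetch missing intermediates, while Chrome on Windows can fall back to the Windows store. The following is an added example, not part of the question or answer, that classifies the chain a server sends from the text that `openssl s_client -showcerts` prints; it assumes the OpenSSL 1.1.x "Certificate chain" listing format and uses constructed excerpts (certificate bodies omitted) so it runs offline.

```shell
#!/bin/sh
# Added example: classify the chain a TLS server sends, from the text that
# `openssl s_client -showcerts` prints. Live use against a host:
#   chain_report "$(openssl s_client -connect gamegorilla.net:443 \
#       -servername gamegorilla.net -showcerts </dev/null 2>/dev/null)"
# Result words:
#   leaf-only  only the domain certificate is sent; Firefox (own trust store,
#              no AIA fetching) fails, Chrome on Windows may still succeed
#   complete   cert 1 is the issuer of cert 0, so the intermediate is supplied
#   mismatch   more than one cert, but the second is not the leaf's issuer
chain_report() {
  printf '%s\n' "$1" | awk '
    /^Certificate chain$/ { inchain = 1; next }
    inchain && /^---$/ { inchain = 0 }
    inchain && $1 ~ /^[0-9]+$/ && $2 ~ /^s:/ {
      n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; count++
    }
    inchain && $1 ~ /^i:/ { sub(/^ *i:/, ""); iss[n] = $0 }
    END {
      if (count == 0) { print "no-chain"; exit }
      if (count == 1) { print "leaf-only"; exit }
      if (iss[0] == subj[1]) print "complete"; else print "mismatch"
    }'
}

# Constructed s_client excerpts (certificate PEM bodies omitted) for offline use.
sample_leaf_only() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = gamegorilla.net
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Server certificate
EOF
}

sample_full_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = gamegorilla.net
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
EOF
}

chain_report "$(sample_leaf_only)"    # leaf-only
chain_report "$(sample_full_chain)"   # complete
```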
  • Ah I see! I used the search pattern because I also want to have SSL for mail.gamegorilla.net, smtp.gamegorilla.net. However, it seems(?) even with option `all bindings` Let's Encrypt takes only http(s)/ftp bindings? So: A. Where should I define for example smtp.gamegorilla.net so Let's Encrypt picks this up when generating the certificate based on all bindings? or B. How can I generate a wildcard SSL certificate? Thanks again! ps. I've seen that before, but normally the post is then simply moved or asked to be moved I think. There should be mandatory public feedback on close vote – Adam Jun 15 '20 at 05:53
  • Yes, you are right about the close vote. But if it's not reviewed by multiple people then nothing happens. Also the bounty prevents it from being closed or moved without a moderator action. – rfkortekaas Jun 15 '20 at 11:28