Server 2022 Preview missing Let's Encrypt Root certificate


First posted to LetsEncrypt.org and was advised to post this issue here.

 

https://community.letsencrypt.org/t/fyi-windows-server-2022-does-not-have-root-certificate/157208

 

At the time I'm writing this, Microsoft Windows Server 2022 has not been released and is only available in "Preview". Having said that, I've installed the "Preview", installed all patches, and experienced the following errors when connecting to resources that use an LE certificate. This happened when using Edge and Chrome.

 

Your connection isn't private
Attackers might be trying to steal your information from website.domain.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

 

Firefox worked fine since it uses its own certificate store.

 

After adding the root certificate to the root store, all was fine.

 

The following output shows the certs currently in the root store by default as well as the PowerShell & OS version:
PS C:\> gci Cert:\LocalMachine\Root

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
A43489159A520F0D93D032CCAF37E7FE20A8B419  CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
92B46C76E13054E104F230517E6E504D43AB10B5  CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US
8F43288AD272F3103B6FB1428485EA3014C0BCFE  CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
7F88CD7223F3C813818C994614A89C99FA3B5247  CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
3B1EFD3A66EA28B16697394703A72CA340A05BD5  CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
31F9FC8BA3805986B721EA7295C65B3A44534274  CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
245C97DF7514E7CF2DF8BE72AE957B9E04741E85  OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network
18F7C1FCC3090203FD5BAA2F861A754976C8DD25  OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network
06F1AA330B927B753A40E68CDF22E34BCBEF3352  CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8  CN=Microsoft Time Stamp Root Certificate Authority 2014, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
DF3C24F9BFD666761B268073FE06D1CC8D4F82A4  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
D4DE20D05E66FC53FE1A50882C78DB2852CAE474  CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
B1BC968BD4F49D622AA89A81F2150152A41D829C  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
75E0ABB6138512271C04F85FDDDE38E4B7242EFE  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
742C3192E607E424EB4549542BE1BBC53E6174E2  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.20348.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\> gwmi win32_operatingsystem | fl Caption, Version, BuildNumber

Caption     : Microsoft Windows Server 2022 Datacenter Evaluation
Version     : 10.0.20348
BuildNumber : 20348

 

EDIT

@petercooperjr in the previously mentioned Let's Encrypt thread offered this feedback.

 

Thanks. I don't know if it'd help whomever looks at it, but if you look at the Microsoft Trusted Root Program's page of their current trusted roots, you can see that ISRG Root X1 is there. (And it looks like ISRG Root X2 is there too!)

https://docs.microsoft.com/en-us/security/trusted-root/participants-list


List of Participants - Microsoft Trusted Root Program

This document provides details about the participating Certificate Authorities in the Microsoft Trusted Root Program.

2 Replies
Please verify the following:

1. Open Services.msc and verify that the "Cryptographic Services" state is Running.
2. Run Windows Update. (Windows Cryptographic Services is responsible for downloading the root certificate from Windows Update once that chain is needed)

Thanks!
Elden
The system has all security updates installed.

Confirmed that CryptSvc is running with `StartType=Automatic`.

Restarted the service: `Restart-Service -Name CryptSvc`

Checked Windows Update to find no new updates.
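The following is an added example, not code from either poster. It scripts the two checks Elden asked for (Cryptographic Services running, root fetched on demand) together with the store inspection the original post did by hand with `gci Cert:\LocalMachine\Root`, and it forces the one event that actually makes Windows download a missing root: validating a certificate chain that needs it. Assumptions not stated in the thread: `valid-isrgrootx1.letsencrypt.org` is used as a host whose chain ends at ISRG Root X1 (any host behind a Let's Encrypt certificate will do), the root is matched by its subject string, the `DisableRootAutoUpdate` policy value is read from `HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot`, and the CAPI2 operational log is assumed to have been enabled beforehand if you want the final diagnostic step to return anything.

```powershell
# Added example, not code from the thread. Checks whether Windows can obtain
# ISRG Root X1 through the automatic root update that CryptSvc performs, and
# inspects the physical stores where a downloaded root lands.
# Assumption: $TestHost is a Let's Encrypt test endpoint whose chain ends at
# ISRG Root X1; substitute any host behind a Let's Encrypt certificate.
$TestHost    = 'valid-isrgrootx1.letsencrypt.org'
$RootSubject = 'CN=ISRG Root X1, O=Internet Security Research Group, C=US'

function Find-IsrgRootX1 {
    # Root is the logical "Trusted Root Certification Authorities" view;
    # AuthRoot is the physical store that automatic root update writes into.
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $RootSubject } |
            ForEach-Object {
                [pscustomobject]@{ Store = $store; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter }
            }
    }
}

# 1. Preconditions for on-demand root download.
$svc = Get-Service -Name CryptSvc
'CryptSvc: Status={0} StartType={1}' -f $svc.Status, $svc.StartType
if ($svc.Status -ne 'Running') {
    Write-Warning 'Cryptographic Services is not running; roots cannot be fetched on demand.'
}

$authRootPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $authRootPolicy -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) {
    Write-Warning 'DisableRootAutoUpdate=1 is set by policy; on-demand root download is off.'
}

# 2. Baseline: is the root already present?
$before = Find-IsrgRootX1
if ($before) { 'ISRG Root X1 already present:'; $before | Format-Table -AutoSize; return }
'ISRG Root X1 not present before the handshake.'

# 3. Build a chain that needs the root. Windows fetches a missing root from the
#    auth root CTL only while validating a chain, so a real TLS handshake is the
#    trigger. AuthenticateAsClient runs the default validation and throws
#    AuthenticationException if the chain still cannot be trusted afterwards.
$client = [System.Net.Sockets.TcpClient]::new($TestHost, 443)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($TestHost)
    "Handshake validated; issuer of leaf: $($ssl.RemoteCertificate.Issuer)"
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Warning "Chain validation failed: $($_.Exception.Message)"
}
finally { $ssl.Dispose(); $client.Dispose() }

# 4. Re-inspect: a successful on-demand download shows up in AuthRoot (and thus in Root).
$after = Find-IsrgRootX1
if ($after) { 'ISRG Root X1 now present:'; $after | Format-Table -AutoSize }
else {
    Write-Warning 'Root still missing. Recent CAPI2 events mentioning the auth root download, if the log is enabled:'
    Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AuthRoot|ctldl' } |
        Select-Object TimeCreated, Id, Message
}
```

Two caveats worth keeping in mind when reading the result. On-demand root download pulls the auth root CTL from ctldl.windowsupdate.com through CryptSvc; it is not delivered as a Windows Update package, so "no new updates" tells you nothing about whether the download can succeed, and a server with outbound HTTP blocked will fail step 3 even with CryptSvc healthy and patches current. In that case the manual fix the original post used is the right one, but take the root from https://letsencrypt.org/certificates/ and compare its fingerprint before importing: `Import-Certificate -FilePath .\isrgrootx1.pem -CertStoreLocation Cert:\LocalMachine\Root` adds a trust anchor for every TLS and code-signing check on the box, so it deserves the same verification you would give any other root you install by hand.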