Thanks to @My1 & @matt for their work in making changes to allow IE11 to continue to work, letting users of outdated clients connect, whilst also being “secure by default” without additional config requirements in Caddy 1.0.0.
Notes for anybody having issues with IE11 on Caddy 1.0.0 with the default TLS config:
- You will need to ensure your certificates are ECDSA and not RSA.
- Prior to Caddy 1.0.0 the default was RSA when requesting a certificate from Let’s Encrypt.
- Certificates will be automatically renewed using ECDSA upon nearing expiry, so at most 90 days. It looks like renewals occur using the existing RSA key for those certificates created with RSA, so manual expiry is required to switch over to ECDSA to continue IE11 support; see the post below.
To ensure a domain with a high IE11 user base was using the ECDSA and not the RSA certificate, I forced a certificate renewal. There is probably a better way than this (feel free to comment if there is).
Because I didn’t want all domains to re-request their certificates from Let’s Encrypt at the same time, potentially hitting limits, I just forced one domain (in this case example.com) by removing the certificate and restarting Caddy.
Note that I do www.example.com as well; don’t forget, otherwise you might have example.com working and www.example.com not working in IE11.
```
mkdir ~/bkup-rsa-old-certs
mv /etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/example.com ~/bkup-rsa-old-certs/
mv /etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/www.example.com ~/bkup-rsa-old-certs/
sudo systemctl restart caddy
```
You can always look for errors in Caddy’s logs by running this right after the restart:
```
sudo journalctl -f -u caddy
```
In my case I could see that the new certificate was obtained without issue and testing IE11 connected correctly.
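Before testing in IE11 it helps to confirm on the server which key type a stored certificate actually has, rather than inferring it from the renewal date. The script below is an added example, not code from the original post or from the Caddy project: it reports the public key algorithm of a PEM certificate with the openssl CLI and checks a site under the acme directory from the post. The `<domain>.crt` file name and the `CADDY_ACME_DIR` variable are assumptions about Caddy 1.0’s on-disk layout; the sample certificates it generates are constructed purely so the script can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a certificate's
# public key is ECDSA or RSA, so a renewed cert can be confirmed as ECDSA
# before testing with IE11. Uses only the openssl CLI.

# Print the public key algorithm of a PEM certificate file:
# "id-ecPublicKey" for ECDSA, "rsaEncryption" for RSA.
key_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Return 0 if the certificate uses an ECDSA key, 1 otherwise.
is_ecdsa_cert() {
    [ "$(key_algo "$1")" = "id-ecPublicKey" ]
}

# Check the certificate Caddy 1.0 stores for a site. The base path is the
# one from the post; the "<domain>.crt" file name is an assumption about
# Caddy's layout, so adjust CADDY_ACME_DIR or the file name if yours differs.
CADDY_ACME_DIR="${CADDY_ACME_DIR:-/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites}"
check_caddy_site() {
    crt="$CADDY_ACME_DIR/$1/$1.crt"
    if [ ! -r "$crt" ]; then
        echo "$1: no readable certificate at $crt"
        return 2
    fi
    if is_ecdsa_cert "$crt"; then
        echo "$1: ECDSA (works with IE11 on the Caddy 1.0.0 default TLS config)"
    else
        echo "$1: $(key_algo "$crt") - force a renewal to switch to ECDSA"
        return 1
    fi
}

# Constructed sample certificates so the script can be tried offline:
# one self-signed ECDSA (P-256) cert and one self-signed RSA cert.
make_sample_certs() {
    dir="$1"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ec.key" -out "$dir/ec.crt" \
        -subj "/CN=example.com" -days 1 2>/dev/null
    openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/rsa.key" -out "$dir/rsa.crt" \
        -subj "/CN=example.com" -days 1 2>/dev/null
}

# Usage: ./certcheck.sh example.com www.example.com
# With no arguments, run against the constructed samples instead.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do check_caddy_site "$d"; done
else
    tmp=$(mktemp -d)
    make_sample_certs "$tmp"
    echo "ec.crt:  $(key_algo "$tmp/ec.crt")"
    echo "rsa.crt: $(key_algo "$tmp/rsa.crt")"
    rm -rf "$tmp"
fi
```

Run it with both the bare and the www domain, as the post does, since each has its own certificate directory; a non-zero exit on either one means that site will still be served with an RSA certificate until it is renewed.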