Thanks to @My1 & @matt for their work in making changes that allow IE11 to continue to work (so users of outdated clients can connect) whilst also being “secure by default”, without additional config requirements, in Caddy 1.0.0.
Notes for anybody having issues with IE11 on Caddy 1.0.0 with default TLS config:
- You will need to ensure your certificates are ECDSA and not RSA.
- Prior to Caddy 1.0.0 the default was RSA when requesting a certificate from Let’s Encrypt.
Certificates will automatically be renewed using ECDSA upon nearing expiry, so at most 90 days.
To ensure that a domain with a high IE11 user base was using the ECDSA rather than the RSA certificate, I forced a certificate renewal. There is probably a better way than this (feel free to comment if there is).
Because I didn’t want all domains to re-request their certificates from Let’s Encrypt at the same time, potentially hitting limits, I just forced one domain (in this case example.com) by removing the certificate and restarting Caddy.
Note that I do www.example.com here as well; don’t forget it, otherwise you might have example.com working and www.example.com not working in IE11.
# Move the stored certificate directories for both hostnames out of Caddy's ACME storage
# (backing them up rather than deleting them), then restart so Caddy requests new ones.
mv /etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/example.com ~/bkup-rsa-old-certs/
mv /etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/www.example.com ~/bkup-rsa-old-certs/
sudo systemctl restart caddy
You can always look for errors in Caddy’s logs by running this right after the restart:
sudo journalctl -f -u caddy
In my case I could see that the new certificate was obtained without issue, and testing with IE11 connected correctly.
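The procedure above, written up as a small reusable script. This is an added example and not code from the original post or from the Caddy project: it assumes the Caddy 1.0.0 ACME storage layout quoted in the post (`/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/<domain>`), and the function names `retire_site_cert`, `retire_site_certs` and `served_key_algorithm` are made up for illustration. It takes an explicit list of hostnames so that the apex and the www name are rotated together (the failure mode the post warns about), backs the old directories up with a timestamp instead of deleting them, and reports how many were moved, so you can rotate one site at a time rather than every domain at once. The last function is the check a practitioner wants afterwards: it asks the live server for its certificate and prints the public key algorithm, which should read `id-ecPublicKey` for an ECDSA certificate and `rsaEncryption` for the old RSA one.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): force Caddy 1.0.0 to re-issue a
# site's certificate by moving its stored ACME directories aside, then verify
# the key type the server serves. Paths are assumptions matching the post.
set -eu

# Assumed Caddy 1.0.0 ACME storage location (override via the environment).
ACME_SITES_DIR="${ACME_SITES_DIR:-/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites}"

# Move the stored certificate directory for ONE hostname into a backup directory.
# Returns 0 when a directory was moved, 2 when nothing is stored for that name.
# Usage: retire_site_cert <sites_dir> <backup_dir> <hostname>
retire_site_cert() {
    local sites_dir="$1" backup_dir="$2" domain="$3"
    local src="$sites_dir/$domain"
    if [ ! -d "$src" ]; then
        echo "no stored certificate for $domain in $sites_dir" >&2
        return 2
    fi
    mkdir -p "$backup_dir"
    # Timestamp the backup so repeated rotations never collide or overwrite.
    mv "$src" "$backup_dir/$domain.$(date +%Y%m%d%H%M%S)"
    echo "moved $src into $backup_dir" >&2
}

# Rotate every hostname that belongs to one site. Pass the apex AND the www
# name (and any other name Caddy issued separately); a name you forget stays
# on the old RSA certificate. Prints the number of directories moved.
# Usage: retire_site_certs <sites_dir> <backup_dir> <hostname>...
retire_site_certs() {
    local sites_dir="$1" backup_dir="$2"
    shift 2
    local moved=0 d
    for d in "$@"; do
        if retire_site_cert "$sites_dir" "$backup_dir" "$d"; then
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Print the public key algorithm of the certificate a host is serving.
# Expect "id-ecPublicKey" after the rotation; "rsaEncryption" means the old
# RSA certificate is still being served (or the name was not rotated).
# Usage: served_key_algorithm <hostname> [port]
served_key_algorithm() {
    local host="$1" port="${2:-443}"
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | sed -n 's/^ *Public Key Algorithm: //p'
}

# Typical use for the site in the post (run with write access to the ACME
# directory), then restart Caddy and confirm the served key type:
#   retire_site_certs "$ACME_SITES_DIR" ~/bkup-rsa-old-certs example.com www.example.com
#   sudo systemctl restart caddy
#   served_key_algorithm example.com && served_key_algorithm www.example.com
```

Because each hostname is passed explicitly, running the script for one site leaves every other domain's certificate in place, which keeps the number of new orders against Let’s Encrypt small. Checking both `example.com` and `www.example.com` with `served_key_algorithm` after the restart catches the case where only one of the two was actually renewed.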