NetTalk and SSL

Hello everyone,

Does anybody use NetTalk with an SSL certificate generated within NetTalk itself?

I get this message in Firefox:

…Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

And in Edge:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

All fields have the necessary data, as written in the help. OpenSSL can be started on the server. DNS is updated to the correct IP address. NetTalk version is 12.63. Server version is Windows 2022.

When I double-click the CSR file for the domain, I get this message:


I do not know, is this the desired behavior?

I would not describe that as desirable behavior. How did you generate the certificate?


I upgraded to version 14 and that helped, since it has more log data. The server is on AWS, and the only ports allowed from the internet to the server are 80 and 443; when certificate creation is started, the connection is blocked. When I allowed all traffic in the ACL, the test certificate was created correctly.

This is a little problem: Let’s Encrypt does not publish its IP range, and the addresses change…

The LetsEncrypt protocol only uses port 80 for incoming. But most of the conversation happens with the server making an outgoing connection to LE.

I’m not sure how the IP address comes into play, unless you are blocking outgoing connections to remote port 443.

It seems that the other ports are used for incoming connections. When the ACL in AWS is set like this:

The message in NetTalk is:

[ 7/08/24-10:47:56] -53 The requested connection to acme-staging-v02.api.letsencrypt.org could not be opened. The Open command timed out or failed to connect

And when I try to open the URL, the message is:

When I change the rule no. 130 to allow:

And generate the certificate, then it is the desired behavior for a test certificate when I try to open the domain. The message is:

I’ve seen the same issue when using NetTalk with its own generated SSL certificate. The browser errors like SSL_ERROR_NO_CYPHER_OVERLAP in Firefox or ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Edge usually mean the server and browser can’t agree on a TLS version or cipher. By default, modern browsers only allow TLS 1.2+ with strong ciphers, while NetTalk’s built-in SSL might be using older ones. A good fix is to use a certificate generated with OpenSSL or from a trusted CA and make sure TLS 1.2 is enabled in NetTalk. That solved the mismatch problem for me. You can find the error solution at: CheapSSLWEB. com

Just FYI, the default for NT14 is TLS 1.3, dropping to TLS 1.2 if the client doesn’t support 1.3. By default it won’t drop below 1.2.

Test certificates do not have a valid CA, hence the message. Untick test, and you get a valid one.

I can confirm that there are no problems with the certificate. As Bruce wrote, just do not use test. Also, open all ports during the process.

Only port 80 has to be open (as an incoming port). It can even be handled by a different server (it doesn’t have to be serviced by the NetTalk server.)

The secure port (which doesn’t have to be 443) doesn’t need to be active to get the certificate.

If port 80 is not possible, then one can switch from the HTTP challenge to the DNS challenge. It’s a bit more work to set up, but allows for certificates on networks that block port 80.

With AWS it does not work with only port 80. I have to allow all traffic in the ACL. At least that was my solution. So when it is time for a new certificate, I allow all traffic temporarily and then block it again when it is finished. That lasts about 30 seconds.

I do not know if this is necessary for other cloud providers, or whether certification works with only port 80 when the server is on a local network. I did not have an opportunity to test it.

You should recheck your AWS instance security group settings.
You do not need to open all ports to get a Let’s Encrypt certificate.
I have several setups, both using NetTalk and WinAcme to acquire certificates from LE.
The only ports I have open are 80 and 443 to any IP address and the RDP port open to a specific list of IPs for remote access.
That’s it. Just 3 ports.

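One mechanism that reconciles the two experiences above (ACME failing until "all traffic" was allowed in the AWS ACL, versus working with just 80 and 443 open in a security group) is that AWS Network ACLs are stateless, while security groups are stateful: the reply packets of the server's own outbound HTTPS request to Let's Encrypt come back as inbound traffic on an ephemeral port, and a NACL that only allows inbound 80 and 443 drops them. The Python below is an added example, not code from any poster or from NetTalk; the rule numbers, ports and the ephemeral port 49700 are constructed, and it models NACL evaluation (lowest rule number first, implicit deny) to show the least-privilege fix.

```python
# Added example: models AWS Network ACL evaluation for the ACME HTTP-01 flow.
# Network ACLs are stateless, so the return traffic of the server's outbound
# HTTPS call to Let's Encrypt must be allowed inbound on the ephemeral range.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # AWS evaluates rules in ascending order; first match wins
    direction: str   # "in" or "out"
    port_lo: int
    port_hi: int
    action: str      # "allow" or "deny"


def evaluate(rules, direction, port):
    """Verdict for one packet: first matching rule by number, else the
    implicit '*' rule, which denies everything not matched above."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction == direction and r.port_lo <= port <= r.port_hi:
            return r.action
    return "deny"


# The three packet flows an HTTP-01 issuance needs. 49700 is a constructed
# ephemeral port inside the 1024-65535 range AWS recommends opening.
ACME_FLOWS = {
    "inbound validation HTTP from LE -> :80": ("in", 80),
    "outbound HTTPS to acme-v02.api.letsencrypt.org:443": ("out", 443),
    "reply packets from LE -> ephemeral port": ("in", 49700),
}


def acme_blockers(rules):
    """Names of the ACME flows the rule set denies; empty means issuance can run."""
    return [n for n, (d, p) in ACME_FLOWS.items() if evaluate(rules, d, p) == "deny"]


# Constructed rule set modelled on "only 80 and 443 inbound" from the thread.
TOO_STRICT = [
    Rule(100, "in", 80, 80, "allow"),
    Rule(110, "in", 443, 443, "allow"),
    Rule(100, "out", 0, 65535, "allow"),
]
# Least-privilege fix: allow the ephemeral return range, not "all traffic".
FIXED = TOO_STRICT + [Rule(120, "in", 1024, 65535, "allow")]

if __name__ == "__main__":
    for name, rules in (("too strict", TOO_STRICT), ("fixed", FIXED)):
        print(f"{name}: blocked = {acme_blockers(rules) or 'nothing'}")
```

Run stand-alone it reports that the strict set blocks only the reply flow, which matches a connect timeout rather than a refused connection; the fixed set blocks nothing while still never exposing ports other than 80 and 443 to unsolicited inbound connections on a stateful firewall in front.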