ACME Challenge Multiple Domains?

Running on Windows Server with IIS 7.5. Can’t run CERTBOT, of course, as that’s UX only.

I need to create a SAN certificate that has the primary CN along with a number of other alternate names.

E.g. example1.com, example2.com, example3.com

I am not sure how to best handle the ACME challenge. Apparently I can only use DNS rather than the challenge file on the server? I ran the following “not live” test:

le32.exe --key private.key --csr sslcert.csr --csr-key private.key --crt myNew.crt --domains "example1.com,example2.com,example3.com" --handle-as dns --generate-missing

And it comes back with:

2019/12/13 11:30:14 [ ZeroSSL Crypt::LE client v0.34 started. ]
2019/12/13 11:30:14 Loading an account key from private.key
2019/12/13 11:30:14 Loading a CSR from sslcert.csr
2019/12/13 11:30:16 Registering the account key
2019/12/13 11:30:17 The key is already registered. ID: 11791325
2019/12/13 11:30:17 Failed to receive the challenge. Method not allowed

What do I need to do to obtain the info needed to put in the DNS?


Hi @dbeck

There is a change in the Let's Encrypt API: GET -> POST.

So using GET where a POST is required -> that's the error message "Method not allowed".

Looks like your client is too old. So first step: Update your client.


Thank you! That was indeed the problem. I updated to LE64.exe and got past the problem. Now the error I’m receiving says:

2019/12/13 12:00:34 Could not load a CSR: The list of provided domains does not
match the one on the CSR.

I created a file called san.cnf that looks like the following:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Minnesota
localityName = Isanti
organizationName = myorgname
commonName = www.example.com
[ req_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = www.example2.com
DNS.3 = example2.com
DNS.4 = mail.example2.com
DNS.5 = example3.com
DNS.6 = www.example3.com
DNS.7 = mail.example3.com
DNS.8 = example4.com
DNS.9 = www.example4.com
DNS.10 = mail.example4.com

I then ran the following to create the CSR:

openssl req -out sslcert.csr -new -key private.key -nodes -subj "/C=US/ST=Minnesota/L=Isanti/O=myorgname/CN=www.example.com" -config san.cnf

I then used an online tool to validate the CSR (it looked okay to me).

Do you see anything I’m doing wrong in the CSR?

Thanks!


I think you may be overcomplicating the process by creating the CSR.
[that will be done by LE64]
I just pass all the required names in the command line.


RG305

Thank you. I tried your suggestion and received this error message:

2019/12/13 12:24:37 [ ZeroSSL Crypt::LE client v0.34 started. ]
2019/12/13 12:24:37 Incorrect parameters - need CSR file name specified.


Here is an example of what I use.
[feel free to modify it to fit your needs]

rem change to folder where this script and files are located
c:
cd \new_certs

rem create RSA cert ###########################################
if exist rsa.public.key (
    echo RENEWING RSA
    le64.exe --key account.private.key --csr delete.me.csr --csr-key rsa.private.key --crt rsa.public.key --domains "example.com,www.example.com,example.net,www.example.net" --path "c:\ACME\.well-known\acme-challenge" --generate-missing --unlink --handle-as http --live --renew 30 --email "le.user@example.com"
  ) else (
    echo NEW RSA
    le64.exe --key account.private.key --csr delete.me.csr --csr-key rsa.private.key --crt rsa.public.key --domains "example.com,www.example.com,example.net,www.example.net" --path "c:\ACME\.well-known\acme-challenge" --generate-missing --unlink --handle-as http --live
  )
del delete.me.csr
rem end RSA cert ###########################################

rem create ECC cert ###########################################
if exist ecc.public.key (
    echo RENEWING ECC
    le64.exe --key account.private.key --csr delete.me.csr --csr-key ecc.private.key --crt ecc.public.key --domains "example.com,www.example.com,example.net,www.example.net" --path "c:\ACME\.well-known\acme-challenge" --generate-missing --unlink --handle-as http --live --renew 29 --email "le.user@example.com"
  ) else (
    echo NEW ECC
    le64.exe --key account.private.key --csr delete.me.csr --csr-key ecc.private.key --crt ecc.public.key --domains "example.com,www.example.com,example.net,www.example.net" --path "c:\ACME\.well-known\acme-challenge" --generate-missing --unlink --handle-as http --live
  )
del delete.me.csr
rem end ECC cert ###########################################

echo ---------------------------------
rem copy new certs to http conf folder
xcopy C:\new_certs\*.public.key C:\HTTP\conf\SSL /y

Perhaps all you really need is to just "name" the csr that will be used:
[any name will do - but be sure to delete it after each use]


I’m going around in circles. This shouldn’t be that hard. It’s not my first rodeo. :slight_smile:

I’m getting this error again:

2019/12/13 13:09:47 [ ZeroSSL Crypt::LE client v0.34 started. ]
2019/12/13 13:09:47 Loading an account key from private.key
2019/12/13 13:09:47 Loading a CSR from sslcert.csr
2019/12/13 13:09:49 Registering the account key
2019/12/13 13:09:50 The key is already registered. ID: 11791325
2019/12/13 13:09:50 Failed to receive the challenge. Method not allowed

That is with the latest LE64 client. Is there some other Windows-based client I should be using? I’m running version 0.34, which is the latest.


There are a number of Windows clients listed on the ACME Client Implementations page.

As the author, I'm partial to Posh-ACME. It's PowerShell based and particularly good for DNS challenges with plugins supporting a wide variety of DNS providers. However, it only takes care of getting the cert. To deploy it to IIS automatically, you'll need some additional code or a companion module like Posh-ACME.Deploy (currently alpha).

Here's a link to the tutorial if you're interested. But at the most basic level with manual TXT record creation, here's the command you'd use.

New-PACertificate example1.com,example2.com,example3.com -AcceptTOS

mbolger

I’m going to start working with Posh-ACME to see if I can get it working. I want to get it to work with the SimpleDNS plug-in, too. If you’re around this afternoon and evening I may post some questions here if I get stuck. I’m just reading the tutorial now!


I would still like to see the LE64 command you ran and maybe some detail - like which files mentioned exist or don’t exist.
And maybe compare that to the “examples” I provided.


RG305

Posh-ACME smokes LE64. It is super slick! I haven’t created the final certificate yet, but I had it create a test certificate and automatically update my DNS server with the challenge/response TXT record.

You should take a look at it.


Preaching to the choir.
But do go on!

Been there - it is indeed super ultra slick.
But that is a very big candy stick in a very sweet candy store and not suitable for every palette.
[there is no one-size-fits-all on that menu]
So, again, I would still like to see why LE64 failed to meet your needs.
[not to stop you from using anything else - especially not Posh-ACME - I promote it every chance I get]

Like right now:
Posh-ACME 2020! Vote Posh-ACME 2020!
"Let’s make America encrypted again."
"We're all encrypting together."


The error you are observing is related to the breaking change in the STAGING environment only. Using the --live option will work just fine. The source code was updated about a week ago; the new binaries for v0.35 will be updated today. See:

Please note that the Crypt-LE was never intended to be “super slick” - it is there to do the job while being portable and self-sufficient and run as a command-line tool which you can wrap into whatever process you want (including some GUI on top if anyone is keen to build it). So you have your options indeed. Perhaps someone might even advertise le64 in the same manner as above one day, without hijacking the original thread though :slight_smile:


A quick note on:

2019/12/13 12:00:34 Could not load a CSR: The list of provided domains does not
match the one on the CSR.

When you run LE64 with the list of domains provided on the command line and a CSR file that already exists, one of the checks done is to make sure that you are issuing certificates for what you actually intend to issue them for. So the list of domains is extracted from the CSR and compared against the list provided on the command line. If there is a mismatch, you will see an error as shown above. If you are sure that the list of domains on the command line is right, just delete your current CSR and re-generate it (either by yourself or by letting the client do so with --generate-missing). If you believe it is the CSR list that is correct, you can just remove the domains list from the command line.

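The check described in the reply above (the SAN list in the CSR compared against the --domains list) is easy to reproduce locally before handing the CSR to any ACME client, and it also covers the san.cnf / openssl req post earlier in the thread. The script below is an added example, not code from the thread or from Crypt-LE: it writes a san.cnf with gap-free DNS.n entries, generates a key and CSR with openssl, extracts the DNS SANs from the CSR, and compares them, as a set, with a comma-separated domain list. Unlike the poster's config it uses `prompt = no` with the CN in the config instead of `-subj`; all domain names, file names and the `WORKDIR` location are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a SAN CSR with openssl and check
# that its SAN list matches the intended --domains list, which is the
# comparison LE64 performs before issuing. All names are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a san.cnf for the given domains. The first domain becomes the CN and
# every domain (the first included) gets a DNS.n entry numbered without gaps.
write_san_cnf() {
    # $1 = output path, remaining args = domains
    out="$1"; shift
    cn="$1"
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n'
        printf '[ req_distinguished_name ]\nCN = %s\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        i=1
        for d in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$d"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate an RSA key (only if missing) and a CSR from the config.
make_csr() {
    # $1 = config path, $2 = key path, $3 = csr path
    [ -f "$2" ] || openssl genrsa -out "$2" 2048 2>/dev/null
    openssl req -new -key "$2" -config "$1" -out "$3"
}

# Print the DNS SANs found in a CSR, one per line, sorted and de-duplicated.
csr_domains() {
    openssl req -in "$1" -noout -text \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort -u
}

# Compare the CSR's SAN set with a comma-separated domain list (the same
# format as --domains). Order does not matter. Prints 0 on match, 1 otherwise.
domains_match() {
    # $1 = csr path, $2 = "a.com,b.com,..."
    want=$(printf '%s\n' "$2" | tr ',' '\n' | sed 's/[[:space:]]//g' | sort -u)
    have=$(csr_domains "$1")
    [ "$want" = "$have" ] && echo 0 || echo 1
}

# Demo with constructed names: the second list is missing www.example1.com,
# which is exactly the situation that produces "does not match the one on the CSR".
demo() {
    write_san_cnf "$WORKDIR/san.cnf" example1.com www.example1.com example2.com example3.com
    make_csr "$WORKDIR/san.cnf" "$WORKDIR/private.key" "$WORKDIR/sslcert.csr" 2>/dev/null
    echo "CSR SANs:"; csr_domains "$WORKDIR/sslcert.csr"
    echo "same set, different order -> $(domains_match "$WORKDIR/sslcert.csr" "example3.com,example2.com,www.example1.com,example1.com")"
    echo "one name missing          -> $(domains_match "$WORKDIR/sslcert.csr" "example1.com,example2.com,example3.com")"
}

demo
```

The same openssl commands run unchanged on Windows; only the shell wrapper around them is POSIX. If `domains_match` prints 1, either regenerate the CSR from the correct list (or delete it and let the client do so with --generate-missing) or drop --domains and let the CSR drive issuance, as the reply above says.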

The binaries have been updated to v 0.35: https://github.com/do-know/Crypt-LE/releases

