ACME console client on windows non IIS web server

Windows 10 + hMailserver + Abyss web server (five domains). Trying to use the console win-acme.exe to set up ACME to issue certificates to encrypt SMTP communication. Downloaded the Win-ACME console app. Started it by

wacs.exe --validation selfhosting
  1. Step: choose "Create certificate (default settings)"
  2. Step: "Manual Input"
  3. Step: Entered comma separated list of domain names

In the fourth step, the program behaves differently depending on whether it is started as Administrator or not. If started as a regular user, it asks "Save verification files on (network) path" and accepts a path to a local directory. Then it asks "Copy default web.config to the .well-known directory" (answered [default] no) and then tells me "Store plugin CertificateStore not available: Run as administrator to allow certificate store access".

But when I try to run the program as Admin, it asks to confirm the "Terms of use", then asks for an email address and starts printing lines:

Plugin Manual generated source domain1.com with 5 identifiers
     Plugin Single created 1 order
     Cached order has status invalid, discarding
     [domain2.com] Authorizing...
     [domain2.com] Authorizing using http-01 validation (SelfHosting)
     Unable to activate listener, this may be because of insufficient rights or a non-Microsoft webserver using port 80
     An error occured while commiting validation configuration: The process cannot access the file because it is being used by another process.
     An error occured during post-validation cleanup: Cannot access a disposed object.
    Object name: 'System.Net.HttpListener'.
     [domain1.com] Deactivating pending authorization
     [domain2.com] Deactivating pending authorization
     [domain3.com] Deactivating pending authorization
     [domain4.com] Deactivating pending authorization
     [domain5.com] Deactivating pending authorization
Create certificate failed, retry? (y/n*)

I have zero experience; I expected I would just specify some URL on my web server where I put some specific content for validation? What am I doing wrong? Why does it behave differently under different credentials?

When a windows program asks you to run as Administrator it doesn't specifically mean the administrator user account, it means any account in the Administrators group but running from an elevated command prompt [Right click command prompt, Run As Administrator]. Your description suggests that you instead logged in as the Administrator user and the "terms of use" part means it was setting the app up all over again.

Certificate management can be complex and if you're not experienced as a system administrator I would recommend finding someone who is, unless this is just for a personal project and not a company etc.

That app requires admin privileges so it can listen on port 80 (for the "selfhosting" part) and so it can write your certificate to the machine certificate store (among other things). In addition, if you are already running a process on port 80 (e.g. your Abyss web server, which I've incidentally never heard of; on Windows most people use IIS, which is Microsoft's built-in web server) then self hosting won't work unless you stop your web server process.

4 Likes

Thanks for the answer.

I am using a tool called gsudo to elevate my command prompt: GitHub - gerardog/gsudo: Sudo for Windows

I want to learn this process of ACME certificate management.

People use various web servers; I hope Abyss can be used too. Communication protocols are standardized things, so it should not matter which implementation is used. But thanks for your note about port 80; I had not read that in the documentation.

1 Like

win-acme may or may not be compatible with gsudo, you would need to ask on their github discussions.

Yes you can absolutely try to use any software or web server you want to, my comment was just in case you were unaware of what the standard methods are and were just reaching for the first thing you found.

3 Likes

Do you have some evidence of incompatibility between gsudo and win-acme? Anything could be incompatible with anything; this type of generic doubt is not productive.

Clearly I have misinterpreted your "Have zero experience" comment. win-acme needs to run from an elevated command prompt, and the original output you provided wasn't from an elevated command prompt. The errors you provided were all related to not running as an Administrator.

If you run the app as an administrator and allow the app to self host normally over TCP port 80, it will start its own HTTP challenge listener via http.sys; this in turn will temporarily act as the web server just for http://*/.well-known/acme-challenge requests and it will complete the HTTP challenge responses for you. That way you don't have to configure paths for validation content via any other web server etc.

3 Likes

Thanks for the point about port 80 and administrator rights. Now I am facing this error message:

[host.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"%ip_address%: Invalid response from http://host.com/.well-known/acme-challenge/%long_string%: 404","status":403,"instance":null}

Could it be because win-acme is testing DNS settings, but the A record for the required domain is pointed to %ip_address%, which is the public address of a different machine? As I am creating ACME certificates for a mail server, the MX records are pointed to this machine only.

Possibly.
Try changing the local DNS servers in use.

1 Like

HTTP domain validation generally requires that the identifier (domain) you want to include on the certificate points to the same machine that's asking for it, so that the ACME client can make sure the correct response is served.

If the A record points to some other machine then use DNS validation instead, or acquire the cert on the correct machine then deploy the certificate to your service either manually or with scripting.

2 Likes
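Putting the two answers above together (the self-hosted http.sys listener needs TCP/80 free, and the domain's A record must point at the machine running the client), here is an added pre-flight check written for this thread; it is not win-acme's code, and because a NATed host cannot discover its own public address, that address is passed on the command line as an assumption.

```python
"""Constructed pre-flight check for http-01 self-hosting (not win-acme code).
It predicts the two failures seen in this thread:
  1. TCP/80 already bound by another process -> the http.sys listener cannot activate
  2. the domain's A record points at another machine -> the CA sees a 404 / unauthorized
"""
import errno
import socket
import sys


def diagnose(domain, a_records, local_ips, port80_busy):
    """Pure decision logic; returns a list of problems (empty means http-01 can work)."""
    problems = []
    if not a_records:
        problems.append(f"{domain}: no A record, the CA cannot reach this host over HTTP")
    elif not set(a_records) & set(local_ips):
        problems.append(f"{domain}: A record {a_records} is not one of this machine's public "
                        f"addresses {local_ips}; expect 'Invalid response ... 404'. Use dns-01 "
                        "validation or run the client on the machine the A record points to")
    if port80_busy:
        problems.append("TCP/80 is already bound (e.g. by the web server); the self-hosted "
                        "listener cannot start. Stop that server or use a filesystem/DNS plugin")
    return problems


def resolve_a(domain):
    """IPv4 addresses the CA will connect to for http://<domain>/.well-known/acme-challenge/."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def port80_busy(port=80):
    """True if another process holds the port, False if free, None if bind was denied."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError as e:
            return True if e.errno == errno.EADDRINUSE else None


if __name__ == "__main__":
    # usage: preflight.py <domain> <public-ip-of-this-machine> [<more-ips> ...]
    dom, *mine = sys.argv[1:]
    busy = port80_busy()
    for p in diagnose(dom, resolve_a(dom), mine, bool(busy)) or ["http-01 self-hosting looks feasible"]:
        print(p)
    if busy is None:
        print("could not test TCP/80 (bind denied); rerun from an elevated prompt")
```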

Certificate successfully created. Thanks to all contributors for assistance. I finally used DNS authentication; win-acme does NOT start a web server on port 80 in this case (tested by netstat -abnop tcp | findstr ":80" at program runtime).

Now I have to transcribe the menu options I used into a command-line script, and create another script handling the SimpleDNS Plus API to make certificate auto-renewal possible.

1 Like
