ACMESharp Submit-ACMECertificate Commandlet Failing

#1

Please fill out the fields below so we can help you better.

My domain is:bgedmhosting.com

I ran this command: Submit-ACMECertificate cert4

It produced this output:Submit-ACMECertificate : Error creating new cert :: authorizations for these names not found or expired:
a2bgdvedmweb01.bgedmhosting.com
At line:1 char:1

• Submit-ACMECertificate cert4
•   + CategoryInfo          : PermissionDenied: (ACMESharp.Vault.Model.CertificateInfo:CertificateInfo) [Submit-ACME
Certificate], AcmeWebException
+ FullyQualifiedErrorId : urn:acme:error:unauthorized (403),ACMESharp.POSH.SubmitCertificate



My operating system is (include version): Windows server2k12

My web server is (include version): IIS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

#2

As ACME-Sharp is a library rather than just a client you need articulate the entire script you have written.

By the looks of things you do have an authorisation for the certificate or need to create one.

Without your script it’s not possible to troubleshoot as you have given one line in a set of instructions.

Review: https://github.com/ebekker/ACMESharp
Review how a ACMESharp Script Could Look like: https://marc.durdin.net/2017/02/lets-encrypt-on-windows-redux

Andrei

#3

When cert was first generated below commands were executed. In order to renew I di not initialize the Vault and started from Identifier, replaced dns1 with dns2 and cert1 with cert4 to renew the cert.

•Install-Module ACMESharp

•Import-Module ACMESharp

•Initialize-ACMEVault

•New-ACMERegistration -Contacts mailto:ID -AcceptTos

•New-ACMEIdentifier -Dns arecord.domain.com -Alias dns1

•Complete-ACMEChallenge dns1 -ChallengeType dns-01 -Handler manual

Created the TXT record in Route 53 shown in the output of the above command, then continued with the steps below

•Submit-ACMEChallenge dns1 -ChallengeType dns-01

•(Update-ACMEIdentifier dns1 -ChallengeType dns-01).Challenges | Where-Object {\$_.Type -eq “dns-01”}

•New-ACMECertificate dns1 -Generate -Alias cert1

•Submit-ACMECertificate cert1

•Update-ACMECertificate cert1

•Get-ACMECertificate cert1 -ExportPkcs12 “c:\path\to\cert.pfx” -CertificatePassword ‘securepassword’

#4

Review:

Specifically:

How do I do renewals? Official support for renewals has not yet been implemented (i.e. via the renewal support of the underlying ACME protocol). However a workable kludge is to simply request a new certificate using the existing Validated Identifier (i.e. the same DNS name that you have already proven that you are the owner of). Once a DNS Identifier is verified, the verification is valid for a little over a year (after that time, you’ll need to re-verify your ownership). Simply, create a new Certificate Request and reference the same Identifier as before. See this issue for more details. Update: due to the recent changes in Authorization process - this kludge is no longer working (see few last comments on issue 167 ). Domain authorization expires after 60 day and default domain certificate expiration is 90 days.

Andrei

#5

Thank a lot. I have a dev env with a cert issued by Let’s Encrypt which expires on 1st May. Does that mean I can’t renew it and should switch to the traditional CA.

#6

Not at all - it just means that you need to create a new authorization which will pass.

When you create the first certificate (the library in the backend) you create an authorisation which is stored for a limited time and is what is the library uses to tell Boulder (LetsEncrypt) what it should check.

I am focusing on Certbot on Windows at the moment so have not had as much time to review the ACMESharp Library.

It is something that catches a lot of people out. There is no “renewal” as such. What you are actually doing when you renew a certificate is issuing a new certificate (whether it’s a paid CA or LetsEncrypt). The term renewal is often used to make it simpler to understand.

From this Github issue: https://github.com/ebekker/ACMESharp/issues/57

ebekker commented on Feb 14

The early versions of the ACME protocol actually did account for optional support by the CA for renewals and many moons ago, when an Identifier validation (i.e. a validated DNS name) actually lasted more than a couple of months, it was possible to perform a true renewal, but because that was not necessary to support a working ACME client, it was not initially implemented.

Just as @AHandless indicated, as the ACME spec has evolved, they actually simplified this area and eliminated the renewal support in the protocol, and likewise the actual LE CA implementation shortened the life of an Identifier validation period so that it expires after only a couple of months. Since the validation period is now shorter than the life of an issued certificate, it effectively requires that you re-validate each time you renew your certificate.

(In retrospect, it was a good thing that true renewals were not implemented as that would have been wasted work since it’s no longer supported or allowed.)

Renewals are now exactly the same as new requests. You need to validate the Identifier (i.e. the DNS name) with each renewal just as the new request, and then you need to request a new certificate with the validated Identifier. There are numerous references in tickets and the wiki that point you to other folks’ work that simplifies this process, either manually through video tutorials or even scripts that will automate this for you.

I do eventually plan on adding native support to the ACMESharp tools to make this process easier, but there is lots of community-provided support already there to make it usable.
@masbicudo
masbicudo commented on Feb 18

I am trying to revalidate the domain as you suggested. When using CompleteChallenge, I use Force and Regenerate flags, but the challenge is the same as the previously already validated one (same key and same well-known path). Then I call SubmitChallenge, also with Force. Do I need to complete challenge again? Or just calling SubmitChallenge is enough?
@ebekker
Owner
ebekker commented on Feb 25

You need to execute Complete-Challenge again.
@mamama1
mamama1 commented 18 days ago

To sum things up - you are saying, that after about 60 days, when the certificate is about to expire within the next 30 days, I have to revalidate my ACMEIdentifier to request a renewal certificate, right?

So to accomplish this, I won’t do “New-ACMEIdentifier” again, because I already have one, right?
I’ll do

Complete-ACMEChallenge "myAlias" -ChallengeType whatever -Handler whatever
do whatever needs to be done for the challenge to be successful (dns entry or whatever)
Submit-ACMEChallenge "myAlias" -ChallengeType whatever
wait until status is valid
Request new Certificate using New-ACMECertificate and Submit-ACMECertificate as usual


Did I miss something or is this right now the way to go to renew certificates?
I have finished automating the request of new certs using DNS challenge (my DNS offers an XML interface I can use with “Invoke-WebRequest”) and now I’d like to finish automatic renewal.

thanks
@ebekker
Owner
ebekker commented 18 days ago

Read my comments above – there is really no longer any distinct renewal* operation because of the current expiration times, so you need essentially need to start with the very beginning of the process (except for the account registration) every time, so begin with New-ACMEIdentifier. You can’t issue Complete-ACMEChallenge with being presented with a set of challenges which is what New-ACMEIdentifier does.

Andrei

LE ACME-Exchange.ps1 Exchange 2016 Renewal issues
#7

Sorry, but I did not get the picture, I am using alias dns2 instead of dns1 to renew though underlying A record is same. Does that mean I need to create a new A record in DNS and then start from identifier?Please let me know if my understanding is correct.

#8

no it is not correct

this is nothing to do with your DNS but more to do with the way the ACME protocol and LetsEncrypt works

Unfortunately I don’t have more time to give you but read the github issue carefully and try the code suggested

Andrei

#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.