**Cached order available but not used due to missing private key**

Was trying to renew a certificate, which I have done every 3 months for years now, but this time was different. Went through all the DNS verifications (#6). But was unable to create a new certificate due to a missing private key, which is lost. Don't think I had one as a file. I never entered a path for --pkfile when I created a new certificate and never remember seeing a .PEM file created.

How do I delete the old certificate, which is up for renewal, and create a brand new one with no private key? Should I cancel or revoke the old certificate?

Domain: mail.xlogic.com (one of many)

I use ACMEv2 wacs.exe (version v2.1.19.1138) as my client. The certificate is used on Exchange Server 2019. The .CSR file was created from Exchange.

Also saw error message 'Error finalizing order :: signature algorithm not supported' but not sure if this is related.

```text
2022-09-29 10:36:31.125 -04:00 [WRN] ### Cached order available but not used due to missing private key
2022-09-29 10:36:31.358 -04:00 [ERR] Error requesting certificate [Csr] c:\share\xlogicssl.req
ACMESharp.Protocol.AcmeProtocolException: Error finalizing order :: signature algorithm not supported
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(Uri uri, HttpMethod method, Object message, HttpStatusCode expectedStatuses, Boolean skipNonce, Boolean skipSigning, Boolean includePublicKey, CancellationToken cancel, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.FinalizeOrderAsync(String orderFinalizeUrl, Byte derEncodedCsr, CancellationToken cancel)
at PKISharp.WACS.Clients.Acme.AcmeClient.<>c__DisplayClass46_0`1.<<Retry>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at PKISharp.WACS.Clients.Acme.AcmeClient.Backoff[T](Func`1 executor, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClient.Retry[T](AcmeProtocolClient client, Func`1 executor, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClient.SubmitCsr(OrderDetails details, Byte csr)
at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, RunLevel runLevel, Order order)
at PKISharp.WACS.RenewalExecutor.GetFromServer(OrderContext context)
2022-09-29 10:36:49.983 -04:00 [ERR] Create certificate failed: No certificate generated for order Main
2022-09-29 10:37:47.936 -04:00 [INF] No command line arguments provided
2022-09-29 10:37:48.020 -04:00 [INF] Software version 2.1.22.1289 (release, pluggable, standalone, 64-bit) started
2022-09-29 10:37:48.023 -04:00 [INF] Connecting to "https://acme-v02.api.letsencrypt.org/"...
2022-09-29 10:37:48.421 -04:00 [INF] Connection OK!
2022-09-29 10:37:48.444 -04:00 [WRN] Scheduled task not configured yet
2022-09-29 10:37:48.445 -04:00 [INF] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
```

My guess is that it is the main reason for the failure. The message about missing key is probably a side effect of this.

Sadly, I don't know enough about Exchange to explain what to do. I'm sure another volunteer will at some point but perhaps this is enough to help until then. This CSR restriction just went into effect a couple weeks ago.

4 Likes
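An added check for the cause Mike points to (not code from this thread, from win-acme or from Exchange): a dependency-free reader that reports the signatureAlgorithm OID of a PKCS#10 CSR, so an Exchange-generated .req file can be inspected before it is sent to the CA. The restriction he refers to was Let's Encrypt rejecting CSRs signed with SHA-1 (the thread itself never names the algorithm); the OID table, the sample CSR skeletons and the PEM armor text are constructed for this example.

```python
import base64

OID_NAMES = {  # PKCS#10 signatureAlgorithm OIDs relevant here (constructed subset)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content octets to dotted form: first byte packs two arcs, the rest are base-128."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(data):
    """Return (oid, name) of a CSR's outer signatureAlgorithm; PEM armor is stripped first."""
    if data.lstrip().startswith(b"-----"):
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        data = base64.b64decode(body)
    tag, start, _ = _read_tlv(data, 0)  # CertificationRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE, so not a CSR")
    _, _, info_end = _read_tlv(data, start)  # skip certificationRequestInfo entirely
    _, alg_start, _ = _read_tlv(data, info_end)  # signatureAlgorithm SEQUENCE
    _, oid_start, oid_end = _read_tlv(data, alg_start)  # its first element is the OID
    oid = _decode_oid(data[oid_start:oid_end])
    return oid, OID_NAMES.get(oid, "unknown")

def _der(tag, content):
    """Short-form-only DER encoder (content under 128 bytes), used to build the samples."""
    return bytes([tag, len(content)]) + content

def sample_csr(sig_oid_hex):
    """Constructed CSR skeleton: minimal info block, AlgorithmIdentifier, dummy signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, _der(0x02, b"\x00")) + alg + _der(0x03, b"\x00" * 17))

def to_pem(der):  # armor in the form Windows tools typically write to a .req file
    return b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(der) + b"-----END NEW CERTIFICATE REQUEST-----\n"
```

Run `csr_signature_algorithm(open(r"c:\share\xlogicssl.req", "rb").read())` against a real .req; a `sha1WithRSAEncryption` result explains the "signature algorithm not supported" finalize error.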

Hi @xlogic, and welcome to the LE community forum :slight_smile:

Has that been done?

Don't revoke a cert for such a reason.

Is this the first time doing this that way?

4 Likes

You nailed it Mike !!!

I reran ACMEv2 wacs.exe with manual input of the domain names instead of the CSR from Microsoft Exchange. The list is all my domain names as a comma-separated list. Had the new certificate created within two minutes. The problem, as you said, had nothing to do with the private key.

Thanks again

2 Likes

It was though [indirectly].
Exchange had the private key [needed to make the .CSR file].
But it never gave that to WACS - who needed it.
I'm not even sure there is any way to export a private key from Exchange before the cert request is completed.
hmm...

3 Likes
