Can someone guide me to set auto renew a wild card certificate on windows server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fgcsoft.com

I ran this command: certbot certonly --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.fgcsoft.com" -d fgcsoft.com

It produced this output: It ask to create _acme-challenge TXT records on domain and then I got certificate files that I am using in IIS.

My web server is (include version): IIS 10.0.17763.1

The operating system my web server runs on is (include version): Windows 2019 Standard

My hosting provider, if applicable, is: VPS

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm, using a control panel to manage my site (no, or provide the name and version of the control panel): No, I am doing on IIS myself. I can create TXT records on Domain Provider i.e. rebel.ca

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0

All the time when I renew it manually, the serial number of the certificate got changed. I am using a inhouse developed API to create a binding in IIS on my server, that need a certificate serial number, but in this case I need to update my API to use new Serial Number every time when I renew my certificate.

I found that I need to install some plugin in order to make it auto renew but, didn't find a proper guide on how to set it. Can someone guide me which plugin I can use and a proper user guide for that plugin.

Thanks
Manish

Wildcard certs require DNS-01 authentication.
That means the challenge request will go to your authoritative DNS servers.
AFAIK certbot 1.13.0 doesn't have a DNS plugin to automate renewals.
[which depends heavily on your DSP - and if they allow DNS updates via API]

Do you really need a wildcard cert?

2 Likes

Especially for Windows :wink:

3 Likes

Thanks rg305,

Yes, I need wildcard certificate as I provide my clients their own subdomain, the code base is same so I create multiple bindings. The subdomain is the key for me to recognize my client and provide access accordingly. I create multiple bindings in IIS on one site.

Do I need to update certbot? Which version/plugin support wildcard automation for windows?

1 Like

You might do better with another Windows client.
But, again, the most important part for automating wildcard certs is the DNS Service Provider and their allowing DNS updates via API.

3 Likes

@manish.sharma it's best to automate DNS challenges so that you don't have to perform manual DNS updates for every renewal, but that generally relies on the ACME client software you are using having compatible DNS provider support. On Windows you can try the app I develop: https://certifytheweb.com which also has integrated IIS support, there is a free community edition and it has many DNS providers or a Manual option. You can also look at win-acme or Posh-ACME if you prefer the command line.

I've had a quick look at your domain nameserver list and I suspect we don't support your specific DNS provider (Rebel) don't provide an API for updates. You could look at acme-dns or using our Certify DNS (hosted acme-dns) service Certify DNS | Certify The Web Docs

Regarding "serial numbers" the certificate will always change for every renewal because it's a different file, has a different serial and different thumbprint (hash), this is not avoidable so you need to automate your update steps.

4 Likes

@manish.sharma Note that outsourcing the (DNS) challenge to third parties in itself is a security risk, as that third party could, if they wanted to, perform the challenge on their own and get a certificate without your consent. Monitoring certificate transparancy logs should be able to pick up such issuances, but from a security point of view its always best to keep as much under your own controle as possible.

3 Likes

As noted in the linked documentation.

3 Likes

Thank you all for your valuable responses. It looks without DNS access, it is not possible. As I need a wild card certificate, looks buying a SSL for long period will be the last solution to avoid renewing and resetting sites in IIS every 3 months.

Thank you all

1 Like

If your VPS can respond to TCP&UDP port 53 [DNS], then you could "host" your own DNS server to satisfy the DNS-01 challenge requests.
And, thus, automate the renewal process.

4 Likes