Centralized SSL is only supported on IIS8+

I am converting/upgrading from letsencrypt (win simple) and am having trouble duplicating the previous command line with the new wacs.exe tool.

My domain is: mail.marxware.com

I ran this command: wacs.exe --target manual --host mail.marxware.com --store centralssl --centralsslstore "G:\IIS\CCS" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

It produced this output:
A simple Windows ACMEv2 client (WACS)
Software version 2.1.17.1065 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
Running in mode: Unattended
Target generated using plugin Manual: mail.marxware.com

Requesting certificate [Manual] mail.marxware.com
Store with CentralSsl...
Copying certificate to the CentralSsl store
Saving certificate to CentralSsl location G:\IIS\CCS\mail.marxware.com.pfx
Installation step 1/2: IIS...
Centralized SSL is only supported on IIS8+
(InvalidOperationException) Unable to install certificate: Centralized SSL is only supported on IIS8+
Create certificate failed: Install failed: Centralized SSL is only supported on IIS8+

My web server is (include version): IIS 7.5

The operating system: Windows Server 2008 R2

My hosting provider, if applicable, is: local server

The version of my client is: 2.1.17.1065

I used to use letsencrypt.exe with the following parameters:
letsencrypt.exe --centralsslstore "G:\IIS\CCS" --accepttos --webroot "c:\inetpub\wwwroot" --manualhost "MAIL.Marxware.com"

If you're using IIS 7.5, perhaps just remove these options?

The documentation says that the default store is Windows Certificate Store. That should work with IIS 7.5, right?


Your IIS does not support CCS, so the app is technically correct. Probably the old version let you write out the PFX to the folder anyway, but you weren't using it via CCS on that machine. CCS requires SNI to match certs to sites, which isn't available on Windows Server before 2012. I'm guessing you are probably not load balancing across multiple servers (are you?), which is what CCS is for.

As @_az suggested, you should just use the local computer certificate store (the default) or just use the option to write out a file (win-acme).

You also need to urgently move your stuff to a newer version of Windows Server as Server 2008 R2 is not supported by Microsoft and is not receiving security updates, unless you have made special arrangements with Microsoft for extended support.

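The advice in the replies above, written out as an added example that is not part of the original posts or of win-acme: a PowerShell wrapper that reads the installed IIS version and passes the Central SSL store options only on IIS 8 or later, otherwise leaving `--store` off so that win-acme falls back to its default Windows Certificate Store. The function names are hypothetical, and the script assumes `wacs.exe` is in the current directory; the host name, site id and CCS path are the ones from the question.

```powershell
# Added example: pick win-acme store options based on the local IIS version.
# Assumptions: wacs.exe is in the current directory; function names are hypothetical.
$ErrorActionPreference = 'Stop'

function Get-IisMajorVersion {
    # IIS records its version in this registry key (MajorVersion / MinorVersion).
    $key = 'HKLM:\SOFTWARE\Microsoft\InetStp'
    if (-not (Test-Path $key)) {
        throw 'IIS does not appear to be installed (InetStp key missing).'
    }
    return [int](Get-ItemProperty -Path $key).MajorVersion
}

function Get-WacsArguments {
    param(
        [int]$IisMajorVersion,
        [string]$HostName,
        [int]$SiteId,
        [string]$CcsPath
    )
    $wacsArgs = @('--target', 'manual', '--host', $HostName)

    if ($IisMajorVersion -ge 8) {
        # Central SSL binding is only available on IIS 8 and later.
        $wacsArgs += @('--store', 'centralssl', '--centralsslstore', $CcsPath)
    }
    # On older IIS no --store option is passed, so win-acme uses its default
    # store (the Windows Certificate Store), which IIS 7.5 can bind from.

    $wacsArgs += @('--installation', 'iis', '--installationsiteid', "$SiteId")
    return $wacsArgs
}

$iisMajor = Get-IisMajorVersion
$wacsArgs = Get-WacsArguments -IisMajorVersion $iisMajor `
    -HostName 'mail.marxware.com' -SiteId 1 -CcsPath 'G:\IIS\CCS'

Write-Host "IIS major version: $iisMajor"
Write-Host "Running: wacs.exe $($wacsArgs -join ' ')"

& .\wacs.exe @wacsArgs
if ($LASTEXITCODE -ne 0) {
    throw "wacs.exe exited with code $LASTEXITCODE"
}
```

The `script` installation step and its `--script` / `--scriptparameters` values from the question can be appended to the argument list unchanged; they are left out here to keep the store decision in focus.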
