Certbot + auto-renew + IIS + Windows Routing and Remote Access

Certbot renewed certificate for my domain registered it fine with IIS.
Thing is the very same certificate was being used for Windows Routing and Remote Services for accessing the server through VPN.
Certbot did now renew it with this service which begun causing all the VPN connections to be dropped (even though the previous cert was still valid and active, due to the discrepancy between the cert used by IIS and Routing Service the connection was dropped immediately after SSTP tunnel created).

Now I'm trying to export the new cert from IIS and make it available for SSTP.


  1. Where is the renewed certificate? I do not see it within LIVE directory or any other certbots directories?
  2. The renewed certificates' private key is marked as non-exportable which prevents export right from the IIS' UI, why so?

Thanks for great service!

So although a certificate can be stored in the windows certificate store different services will link to the certificate in different way. Most microsoft services link to certificates using the current certificate thumbprint hash which is different every time you renew the certificate. So, every time you renew your certificate you also need to re-apply it to all the services that need it e.g. IIS https Bindings, SSTP, RDP Gateway, Exchange services etc.

Certify The Web (https://certifytheweb.com - which I develop) actually has a basic built in deployment task for SSTP VPN (and built in support for IIS) but the topic of how to cleanly apply the cert to SSTP and related services without having to reboot the server is potentially quite complex: Windows Server Essentials 2016 Access Anywhere Certificate renewal script · Issue #519 · webprofusion/certify · GitHub

Note that certbot (to my knowledge) doesn't import the certificate to the windows certificate store, so you must have some other step that's doing that (and marking the private key not exportable).

indeed, that was not certbot what I had used. It was Win-ACME as I now recall there was no 'easy' way to get certbot do what I wanted at all (incompatible cert formats etc.) The other can import to windows store do auto-renewals , run as service and is so much easier to use. Just gotta sort this out.

Update: for now I just wanted to let you know that my problem is solved. As it's urgent I simply enabled private key export as according to https://www.win-acme.com/manual/advanced-use/private-key-management tried to get the pfx plugin to work but the cert did not end-up in the set directory. So anyway, I exported the cert (now exportable) from the Windows UI (cert manager) and selected it in Routing services. 5 minutes and done all works.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.