Certbot renewed cert but I can't bind it to connectwise control

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: helpmecpos.com

I ran this command:

It produced this output: renewed cert successful

My web server is (include version):

The operating system my web server runs on is (include version): windows 10

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.8.0

I am running connectwise control on this box and have to bind the cert to this software. I have a ticket open with them. My question is about the renewal process. It created a 2nd working directory labeled -0001 appended to the original directory (where the csr and key is located) and certbot placed the cert, chain, fullchain, and privkey here in -0001 as symbolic links. Those links point to a Certbot archive directory where the actual PEM files are located. I think this symbolic link has made the connectwise control ssl configurator tool to not being able to find the certificate correctly.
I get this message:
? 4
Looking for file "C:\certbot\live\helpmecpos.com\ScreenConnectPrivateKey.key" ...
Found "ScreenConnectPrivateKey.key".

Detecting your certificate...

Could not find valid certificates in "C:\certbot\live\helpmecpos.com".
Couldn't find a matching certificate. Returning to menu.
Press any key to continue . . .

Any of you have experience with connectwise control or this symbolic linking?

2 Likes

Hello Doug :slightly_smiling_face:

That's not a normal renewal. That's a duplicated certificate entry.

Run the following and note the name of each certificate and what domains it covers:

certbot certificates

You'll probably find that you have multiple certificates under different names that cover the same domain names.

You can delete the unneeded duplicates with:

certbot delete --cert-name name

Abracadabra!? :face_with_raised_eyebrow:

Did I miss something in here?

Hey guys I found it! Deleted!? Detected!

Oop. Lost it.

:woozy_face:

2 Likes

"Detecting" rather than "Deleting" :slight_smile:

2 Likes

Hi All, I'm back at this today. Yes, I had two extra certificates created. I ran the delete and it looks like I am back to normal with an existing certificate with a March expiry date. I guess this means I should be able to now bind this cert to the connectwise software. Thanks!
I'll see what happens in 87 days - hopefully it will auto-renew and I won't create dupes again.

I ran a dryrun that failed. I'll troubleshoot that and report back.

I must've hosed it messing around with the symlinks trying to figure out why I generating new certs. This worked three months ago.

PS C:\Windows\system32> certbot renew --dry-run
Saving debug log to C:\Certbot\log\letsencrypt.log


Processing C:\Certbot\renewal\helpmecpos.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for helpmecpos.com
Waiting for verification...
e[31mChallenge failed for domain helpmecpos.come[0m
http-01 challenge for helpmecpos.com
Cleaning up challenges
e[31mAttempting to renew cert (helpmecpos.com) from C:\Certbot\renewal\helpmecpos.com.conf produced an unexpected error: Some challenges have failed.. Skipping.e[0m
e[31mAll renewal attempts failed. The following certs could not be renewed:e[0m
e[31m C:\Certbot\live\helpmecpos.com\fullchain.pem (failure)e[0m


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
C:\Certbot\live\helpmecpos.com\fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


e[31m1 renew failure(s), 0 parse failure(s)e[0m
e[1m
IMPORTANT NOTES:
e[0m - The following errors were reported by the server:

Domain: helpmecpos.com
Type: connection
Detail: Fetching
http://helpmecpos.com/.well-known/acme-challenge/IJqAv2KljzM2CO0DW2DY-8YkhUMW35UTrUYd4lO9sL0:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
PS C:\Windows\system32>

I ended up deleting all certificates and am starting from scratch.

I have two step process to follow with connectwise software. It's configurator provides me a CSR and private key. I assume that certbot should know what to do with the CSR. But I am not sure nor am I sure if I am doing it right. I changed the powershell directory to the directory I have placed the CSR. I ran:
certbot certonly --test-cert
and it fails at the challenge steps.

Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): helpmecpos.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helpmecpos.com
Waiting for verification...
e[31mChallenge failed for domain helpmecpos.come[0m
http-01 challenge for helpmecpos.com
Cleaning up challenges
e[31mSome challenges have failed.e[0m
e[1m
IMPORTANT NOTES:
e[0m - The following errors were reported by the server:

Domain: helpmecpos.com
Type: connection
Detail: Fetching
http://helpmecpos.com/.well-known/acme-challenge/u_4ssjlJc0ezINrTMdmxH5TJ8r7I3Fb6lP28_BK9jnw:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

OMG - got it.
certbot certonly --csr ScreenConnectCertSignRequest.csr.pem --standalone
now onto binding the thing to the port

After a lot of gnashing of teeth, I got the certificate to bind with port 443 via the connectwise ssl configurator. Steps are documented below. Since I completely blew away my initial ssl certs and started fresh, I'll test the dry run renewal and post results and steps needed specifically for connectwise.

SSL Certificate Install for ConnectWise Control For Windows:
Use SSL Configurator (run as admin) from ConnectWise to create the CSR and PrivateKey. Make sure to change the working directory to your file location.


You'll run steps 1,2, and 3 from the link above. The CSR will have a CSR extension, from command prompt - rename the file by adding the PEM extension so Certbot can use it.
ie: rename csrfile.csr csrfile.csr.pem
Use Certbot via PowerShell (run as admin) to take the CSR and create a certificate,
change directory to the working directory above. In powershell, run:
certbot certonly --csr csrfile.csr.pem --standalone
Certbot creates several PEM files including one with cert in it (the certificate file - ie: 000_cert.pem). You'll need to rename this file from command prompt with a CER extension for SSL Configurator to use it.
ie: rename 0000_cert.pem 0000_cert.pem.cer
Then go back to SSL Configurator and run step 4. It should all be successful. Check the screen response as well as any logs.
After install - try a dry run renewal:
In powershell: certbot renew --dry-run
Troubleshooting (non-inclusive):
You may have to unbind an existing port443 cert. (See directions at connectwise). This would be a failure in step 4.

After the unbind, reboot your computer. Then rerun step 4 (make sure your step 1 working directory is correct).
Step 5 for PFX does not pertain here.
Step 6 review logs.
Test your connection.
1 Like

By the by, if you have damaged your certbot symlinks, you can use the following command to fix them:

certbot update_symlinks

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.