Certificate is not auto-renewed on Windows server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: scada-international.com

I ran this command: scheduled task updating the certificate every day at 9 AM

It produced this output:

My web server is (include version): Windows 2016 version 1607

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): wacs 2.0.8.356

My certificates are not being renewed automatically on my server (it has been working), but I can do it manually by running the same script as the Task Manager (it is running as admin). Every time it tries to renew the certificate it throws an event in the Windows event log (see below).

In the last month I have also had issues where the certificate is being lost on my website; then I need to select it again in the binding in IIS. I don't know if it is related?

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user SCADAOVDEMO\Administrator SID (S-1-5-21-1203903011-3128385231-1205726625-500) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Hello @pnrdk, welcome to the Let's Encrypt community. :slightly_smiling_face:

There is a newer version: Release v2.1.23 · win-acme/win-acme · GitHub
And here are their Issues · win-acme/win-acme · GitHub; remember to check closed issues as well, since you are presently using an older version.

You can see a list of issued certificates here crt.sh | scada-international.com

Seems like an access control list (ACL) and / or missing security identifiers (SIDs) issue.

I realize I haven't offered much help, so please wait for more knowledgeable Let's Encrypt community volunteers to assist.


I have no experience with either WACS or Windows Server. But I had similar errors with permissions on Windows 10.

After (new) installation of certbot and obtaining the certificates everything works fine, even renewing.

After the first reboot nothing works anymore. The account that Windows created in the background and that thus got permissions no longer exists.
(see https://github.com/certbot/certbot/issues/9165).

It is about permissions in the folders 'live' and 'archive' (and all subfolders).

  • The account under which the renewal is done needs read and write permissions.
  • The account running the IIS needs read permissions.

The easiest way to set up the permissions is to use inheritance (select 'This folder, subfolders and files' under 'Apply To').

I don't know if this is transferable to wacs, but the error messages (just 'Unavailable SID (Unavailable)') seem to indicate it.

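The permission layout the reply above describes (renewal account read and write, IIS account read only, applied with inheritance to the folder, its subfolders and files), as an added PowerShell example that is not code from the thread, from Certbot or from win-acme. The path `C:\Certbot`, the renewal account `SCADAOVDEMO\certrenew` and the application pool name `DefaultAppPool` are placeholders for illustration; substitute your own. It also lists leftover ACEs whose account no longer resolves (they show up as raw `S-1-...` SIDs), which is the "account no longer exists" symptom described above. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread, Certbot or win-acme).
# Placeholders, replace with your own values:
$certRoot     = 'C:\Certbot'                   # folder holding 'live' and 'archive'
$renewAccount = 'SCADAOVDEMO\certrenew'        # account the renewal task runs as
$iisAccount   = 'IIS AppPool\DefaultAppPool'   # virtual account of the site's application pool

function Set-CertFolderAcl {
    param([string]$Path, [string]$RenewAccount, [string]$IisAccount)

    # 'This folder, subfolders and files' in the Explorer dialog:
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # Renewal account: Modify (read + write + delete), so new 'archive' files and 'live' links can be written.
    $renewRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $RenewAccount, [System.Security.AccessControl.FileSystemRights]::Modify, $inherit, $propagate, $allow)
    # IIS: read only; it never needs to write the key material.
    $iisRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $IisAccount, [System.Security.AccessControl.FileSystemRights]::ReadAndExecute, $inherit, $propagate, $allow)

    $acl = Get-Acl -Path $Path
    [void]$acl.SetAccessRule($renewRule)   # replaces any existing rule for that identity
    [void]$acl.SetAccessRule($iisRule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-OrphanedAces {
    # Explicit ACEs whose identity cannot be resolved to a name any more (deleted accounts).
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -match '^S-1-'
    }
}

function Remove-OrphanedAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in @(Get-OrphanedAces -Path $Path)) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Set-CertFolderAcl -Path $certRoot -RenewAccount $renewAccount -IisAccount $iisAccount

# Review what is left over before removing anything.
Get-OrphanedAces -Path $certRoot |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
# Remove-OrphanedAces -Path $certRoot   # uncomment once the list above looks right
```

Because both rules are added with ContainerInherit and ObjectInherit, files created later under `live` and `archive` pick them up automatically, which is what the inheritance setting in the dialog does. The removal of orphaned ACEs is left commented out deliberately: an unresolvable SID can also belong to a domain account the server simply cannot contact at that moment.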

I think you may be able to ignore the DCOM issue because Windows sometimes tries certain operations one way, then another. Could be a problem but seems less likely.

Regarding scheduled renewals, I think you need to re-create the scheduled task - could be something for the Administrator account got changed somewhere (password reset?). Delete it and use the app to recreate it: https://www.win-acme.com/manual/automatic-renewal

Regarding the certificate "being lost" - this is where you really need to keep an eye on things. My (complete) guess would be it expired and got cleaned up by the app, but the newer replacement certs weren't binding properly. Get your renewal working again then monitor that it's actually updating the HTTPS binding in IIS regularly (Edit Bindings in IIS Manager, check the date on the selected cert).

If you ever see a problem where the wrong (but otherwise valid) cert is served, this is usually a binding conflict where one binding has been set up as IP-specific or non-SNI, so it takes priority over SNI bindings (which get selected by the server based on the hostname requested).

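The two checks the reply above recommends, as an added PowerShell example that is not code from the thread or from win-acme: first, whether the renewal scheduled task actually ran and what it returned; second, which certificate each IIS HTTPS binding currently carries (with its expiry, as "check the date on the selected cert" suggests), plus a warning where a binding on the same port is IP-specific or has no SNI flag and can therefore answer instead of the SNI bindings. It assumes the task name starts with `win-acme` (an assumption; adjust the pattern to whatever your task is called) and IPv4 or wildcard binding addresses. Run it from an elevated prompt on the IIS host.

```powershell
# Added example (not from the thread or win-acme). Requires the IIS WebAdministration module.
Import-Module WebAdministration
Import-Module ScheduledTasks

function Get-RenewalTaskStatus {
    # Assumed task-name pattern; change it if your renewal task is named differently.
    param([string]$TaskNamePattern = 'win-acme*')
    Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskNamePattern } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName       = $_.TaskName
            RunAs          = $_.Principal.UserId       # account whose password/SID must still be valid
            State          = $_.State
            LastRunTime    = $info.LastRunTime
            LastTaskResult = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 means the last run succeeded
            NextRunTime    = $info.NextRunTime
        }
    }
}

function Get-HttpsBindingReport {
    foreach ($site in Get-Website) {
        foreach ($b in ($site.bindings.Collection | Where-Object { $_.protocol -eq 'https' })) {
            # bindingInformation is "IP:port:hostheader", e.g. "*:443:www.example.com" (IPv4/wildcard assumed)
            $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
            $cert = $null
            if ($b.certificateHash) {
                $cert = Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Site       = $site.Name
                IP         = $ip
                Port       = [int]$port
                Host       = $hostHeader
                SNI        = (($b.sslFlags -band 1) -ne 0)     # bit 0 of sslFlags = "Require Server Name Indication"
                Thumbprint = $b.certificateHash
                Subject    = if ($cert) { $cert.Subject } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
                State      = if (-not $b.certificateHash)                       { 'NO CERT BOUND' }
                             elseif (-not $cert)                                 { 'CERT MISSING FROM STORE' }
                             elseif ($cert.NotAfter -lt (Get-Date))              { 'EXPIRED' }
                             elseif ($cert.NotAfter -lt (Get-Date).AddDays(14))  { 'EXPIRING SOON' }
                             else                                                { 'ok' }
            }
        }
    }
}

function Find-BindingConflicts {
    # For each port, report non-SNI bindings that coexist with SNI bindings.
    param([object[]]$Bindings = @(Get-HttpsBindingReport))
    foreach ($group in ($Bindings | Group-Object Port)) {
        $sni    = @($group.Group | Where-Object { $_.SNI })
        $nonSni = @($group.Group | Where-Object { -not $_.SNI })
        if ($sni.Count -eq 0 -or $nonSni.Count -eq 0) { continue }
        foreach ($b in $nonSni) {
            [pscustomobject]@{
                Port             = $group.Name
                ConflictingBinding = "$($b.Site) [$($b.IP):$($b.Port):$($b.Host)] thumbprint $($b.Thumbprint)"
                SniHostsOnPort   = ($sni.Host -join ', ')
                Note             = if ($b.IP -ne '*') {
                                       'IP-specific binding: HTTP.SYS matches IP:port before hostname (SNI) bindings'
                                   } else {
                                       'wildcard non-SNI binding: answers for any hostname that matches no SNI binding and for clients that send no SNI'
                                   }
            }
        }
    }
}

Get-RenewalTaskStatus | Format-List
Get-HttpsBindingReport | Format-Table Site, IP, Port, Host, SNI, NotAfter, State -AutoSize
Find-BindingConflicts | Format-List
```

`CERT MISSING FROM STORE` is the state you would expect to see when a binding still points at a thumbprint that the renewal client has since cleaned up, which matches the "certificate lost, reselect it in the binding" symptom described earlier in the thread. A non-zero `LastTaskResult` together with an old `LastRunTime` points at the scheduled task itself rather than at IIS.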

Thanks very much for all the replies!! I have tried to recreate the scheduler from WACS; I will see if that solves the issue regarding certificates not getting updated :pray: :pray: :pray:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.