Certificate renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mickwebsite.com

I ran this command:

It produced this output:

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: Rogers

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): inetmgr

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

MY MESSAGE...
I am getting the following responses to my website. Is there a simple, point form for renewing? It appears to be complex for a first timer. I saw something about automatic renewal. I presume that I did not choose this earlier and I would like to choose it now.
Mick

This site's security certificate has expired
Your connection is not private
This server could not prove that it is mickwebsite.com/PlayStore_Spy/HelpFiles
Its security certificate expired 23 days ago [now Fri Aug 13]

...

There are literally a few dozen different applications for getting certificates through the ACME protocol and it depends on which application was used to get the certificate in the first place if it's able to easily renew a certificate. So without knowing which application was used to get the initial certificate, it's impossible to answer your question.

3 Likes

Thank you for the quick reply. I used Windows ACME Simple...
https://miketabor.com/how-to-install-a-lets-encrypt-ssl-cert-on-microsoft-iis/

It says there that Windows ACME Simple adds a task to the Windows Task Scheduler which will automatically renew the Let’s Encrypt.

I am wondering if the simplest approach for me might be to just go thru the process again as if for the first time. It says that they add a task to the Windows Task Scheduler which will automatically renew the Let’s Encrypt. I should keep track of that and ensure that it works for me.

What do you think?
:slightly_smiling_face:

Mick​

2 Likes

Is there a scheduled task?
If so, did it run or error out at last attempt?
Are you using the latest version of Windows ACME Simple?
Does the cert still exist in your Windows Certificate Store?

1 Like

Hi Rudy,

Sorry for the long wait to reply. The usual - too many projects on the go. To answer your questions...

I used win-acme.v2.1.15.1008.x64.trimmed.zip, which was current back then. The current one now, I believe, is win-acme.v2.1.18.1119.x64.trimmed.zip.

I ran c:\certmgr.msc. Under
Certificates-CurrentUser | intermediate certificate Authorities | Certificates
I found
Let's Encrypt Authority X3 Issued by DST Root CA X3 expiry 2021-03-17

Under Windows Administrative Tools | Task Scheduler I found
win-acme renew (acme-v02.api.letsencrypt.org)

Check for renewal of ACME certificates.

Heading line says History(Disabled)

Hope this helps,

In certmgr, check for Web Hosting certificate.

1 Like

I searched thru certmgr and did not find a reference to Web Hosting Certificate. The terminology looked familiar to me so I googled it and found this...
The key difference between Web Hosting store and Personal store is that Web Hosting store is designed to scale to higher numbers of certificates

I remember coming across this when I was setting up and specifically chose the Personal Store.
:slightly_smiling_face:

Can you see the current cert in the Personal Store?
Does Windows ACME Simple keep a log file?

1 Like

The Personal section of Certificate Manager is empty. "There are no items to show in this view".

A log file is being created. I have been viewing it with SpectX Desktop...
c:\inetpub\logs\LogFiles\w3svc2

Any more ideas? Questions to share? I really do not know what to do. Unfortunately I do not understand the basics of the process well enough. I am still wondering if I should just go thru the process again as if for the first time. I used Windows ACME Simple...
https://miketabor.com/how-to-install-a-lets-encrypt-ssl-cert-on-microsoft-iis/
It says that they add a task to the Windows Task Scheduler which will automatically renew the Let’s Encrypt. I should keep track of that and ensure that it works for me.

If you can't get the support you need from that ACME client, you can review others.
Check out their support methods and such before committing to one.

1 Like

Don't believe the hype on that one, Microsoft have yet to publish any technical explanation of that and I think they just liked the name more than "My" (Personal) which is the other store where such certs are kept.

I make an alternative acme client for Windows called Certify The Web (https://certifytheweb.com) but I try not to jump in and promote it here too much unless there is a compelling benefit to the thread. In your case I think you may benefit from using it (individuals can use the free community edition). You just fire it up, click New Certificate, select your IIS website (confirm which domains should be on the cert) then click Request Certificate. This orders the cert from Let's Encrypt then applies it to your IIS website on the same machine. There is a background service which then automatically maintains the certificate.

Note that this app (or any other certificate tool) should be installed on the machine running your website, not your personal desktop (unless that is the machine running the website).

Alternatively, you can continue to try to get win-acme working but I don't have the necessary knowledge of that app to help you get further with it.

I note that I can't connect to your website at all, so you need to make sure your web server is up and running when you try any of these tools - Let's Encrypt certificate domain validation via http requires that they can see your webserver from the public internet, then a special file is used on your website to prove you control your domain each time the certificate is renewed.

2 Likes

I need some time before I respond to this. Too many projects on the go, and this is an important one. Probably be a few more days.

OK, I tried Certify The Web. Below is the returned data with the embedded comment "(likely firewall problem)".

This is a new Gateway Modem. I examined the modem thru https://10.0.0.1, port forwarded 443 and passed the new external IP 99.242.126.196 to No-ip. I can access the website from my Play Store app and from my home computer [which is also the website host] so it is basically functional.

Running Certify the Web I selected "my_website_local", added *.mickwebsite.com, and clicked "Request certificate".

With the "likely firewall problem" message I checked the firewall information in the modem and found the security set to high. I changed it to medium, tried again, set to low, tried again - same result.

I ran wf.msc and saw all the standard firewall settings, unchanged, which I do not really understand anyway. But I tried changing "public network inbound connections" from blocked to allow - same result.

Well, I do not know what to try next. Any help appreciated :frowning:

2021-09-06 20:54:44.406 -04:00 [INF] ---- Beginning Request [My_Website_Local] ----
2021-09-06 20:54:44.420 -04:00 [INF] Certify/5.5.2.0 (Windows; Microsoft Windows NT 10.0.19042.0)
2021-09-06 20:54:44.429 -04:00 [INF] Beginning Certificate Request Process: My_Website_Local using ACME Provider:Certes
2021-09-06 20:54:44.429 -04:00 [INF] Requested identifiers to include on certificate: mickwebsite.com
2021-09-06 20:54:44.436 -04:00 [INF] Beginning certificate order for requested domains
2021-09-06 20:54:44.463 -04:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2021-09-06 20:54:45.337 -04:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/190696570/22565871100
2021-09-06 20:54:45.563 -04:00 [INF] Fetching Authorizations.
2021-09-06 20:54:46.085 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/28662893790/jAlDng
2021-09-06 20:54:46.230 -04:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/28662893790/N2dSbg
2021-09-06 20:54:47.378 -04:00 [INF] Http Challenge Server process available.
2021-09-06 20:54:47.378 -04:00 [INF] Attempting Domain Validation: mickwebsite.com
2021-09-06 20:54:47.379 -04:00 [INF] Registering and Validating mickwebsite.com
2021-09-06 20:54:47.379 -04:00 [INF] Performing automated challenge responses (mickwebsite.com)
2021-09-06 20:54:47.399 -04:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ with content BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ.tGBJiXXteCFBneOtQNBGaKVj9PDhumd6YfboF92CoFQ
2021-09-06 20:54:47.399 -04:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2021-09-06 20:54:47.418 -04:00 [INF] Using website path C:\Website_Local
2021-09-06 20:54:47.427 -04:00 [INF] Checking URL is accessible: http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ [proxyAPI: True, timeout: 5000ms]
2021-09-06 20:54:53.139 -04:00 [INF] (proxy api) URL is not accessible. Result: [404] Resource not accessible, Timeout or Redirected
2021-09-06 20:54:53.139 -04:00 [INF] Checking URL is accessible: http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ [proxyAPI: False, timeout: 5000ms]
2021-09-06 20:54:54.381 -04:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2021-09-06 20:54:54.382 -04:00 [INF] Requesting Validation: mickwebsite.com
2021-09-06 20:54:54.432 -04:00 [INF] Attempting Challenge Response Validation for Domain: mickwebsite.com
2021-09-06 20:54:54.434 -04:00 [INF] Registering and Validating mickwebsite.com
2021-09-06 20:54:54.435 -04:00 [INF] Checking automated challenge response for Domain: mickwebsite.com
2021-09-06 20:55:05.946 -04:00 [INF] Domain validation failed: mickwebsite.com
Fetching http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-06 20:55:07.572 -04:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: mickwebsite.com
Fetching http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-06 20:55:07.573 -04:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: mickwebsite.com
Fetching http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-06 20:55:07.573 -04:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: mickwebsite.com
Fetching http://mickwebsite.com/.well-known/acme-challenge/BmyfwBsNT-ffUj1Vn-_biFN1gv7SefzwEajqw9rScnQ: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection

1 Like

That error is coming directly from Let's Encrypt's server, which was unable to reach mickwebsite.com while trying to verify an HTTP-01 challenge.

1 Like

The problem you are currently facing is exactly what @webprofusion warned you about:

1 Like

Access to your site must be from the Internet.
http://99.242.126.196 (or whatever your current IP is) must work before a cert can be issued via HTTP authentication.
You say you forwarded 443 - that is not part of this problem.
You need to forward port 80 (first, to get the cert).

2 Likes
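A pre-flight check for the port-80 requirement just described, as an added example that is not code from the thread, from Certify The Web or from win-acme. It drops a throwaway file where the CA will look and fetches it over plain HTTP from the IIS host; it assumes the site root C:\Website_Local (the path in the log above) and the domain mickwebsite.com, both of which you would adjust for your own site.

```powershell
# Added example (not code from the thread, Certify The Web or win-acme): run on the
# IIS host before clicking "Request Certificate" to test the HTTP-01 path.
# Assumptions (adjust for your site): site root C:\Website_Local as in the log,
# and the domain mickwebsite.com.
$Domain   = 'mickwebsite.com'
$SiteRoot = 'C:\Website_Local'
# Constructed token with a .txt extension so IIS serves it without an extra MIME map;
# the real challenge file has no extension, which the ACME client handles itself.
$Token    = 'preflight-' + [guid]::NewGuid().ToString('N') + '.txt'
$Dir      = Join-Path $SiteRoot '.well-known\acme-challenge'
$Url      = "http://$Domain/.well-known/acme-challenge/$Token"

New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Set-Content -Path (Join-Path $Dir $Token) -Value $Token -NoNewline
try {
    # 1. HTTP-01 is always validated on port 80; forwarding 443 alone does not help.
    $tcp = Test-NetConnection -ComputerName $Domain -Port 80 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "Port 80 on $Domain is not reachable from here; the CA will time out."
    }
    # 2. The file must come back unchanged and without a redirect to https.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -TimeoutSec 10
    if ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq $Token) {
        Write-Host "OK: $Url returned the expected content."
    } else {
        Write-Warning "Unexpected status $($resp.StatusCode) from $Url"
    }
}
catch {
    # A redirect (with -MaximumRedirection 0), a 404 or a connect timeout all land here.
    Write-Warning "Fetching $Url failed: $($_.Exception.Message)"
}
finally {
    Remove-Item -Path (Join-Path $Dir $Token) -ErrorAction SilentlyContinue
}
# A pass here only proves reachability from this machine or LAN (the log's "local check");
# the CA connects from the public Internet, so the router must still forward port 80.
```

If this script passes but the CA still reports urn:ietf:params:acme:error:connection, the gap is between the public Internet and your router, exactly the "proxy api" failure shown in the log.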

Thank you to all who commented on my post. I just had to port forward #80 to get this result from Certify the Web...
Completed certificate request and automated bindings update (IIS)
:slight_smile:
A few questions...

  1. I had 4 false starts until I got it sorted out. Can I delete these from the Certify The Web display?

  2. I see the certificate expires after 90 days. Should I change the automatic renewal from 30 days to something closer to 90?

  3. I would like to be able to see info about the certificate and the update process, perhaps in Task Scheduler or in certmgr.msc or wherever
    What is the name of the certificate in certmgr.msc?
    I found this in the Win 10 Task Scheduler list. Is it the one for CertifyTheWeb?...
    win-acme renew (acme-v02.api.letsencrypt.org)

Thanx again,
Mick

1 Like

Certify uses a background service to renew certificates (not a scheduled task); it checks for pending renewals once every 60 minutes and renews any that apply.

You can modify the renewal frequency under Settings. By all means set this to 60 days, but don't use 90 (the app won't let you anyway) as that doesn't give you time to fix a problem if your renewal is failing for some reason. Personally I'd leave it at the default unless there is a special reason not to.

To force a renewal without waiting, just click 'Request Certificate' on your managed certificate. This also helps confirm all your settings are still working; if the renewal fails it will let you know (your existing certificate will keep working).

I'm not quite sure what you mean by false starts, but if you have duplicate managed certificates created in the Certify The Web UI, just click on the one you're not using and Delete. Deleting these doesn't delete any certificates from your machine, just the renewal job. If you see 'managed by win-acme' or 'managed by certbot' then these are just other renewals from other certificate managers that Certify can see, you can delete them using the respective software (e.g. win-acme etc), or just ignore them.

The win-acme renew job in Task Scheduler is for win-acme, that other piece of software you tried; it is not related to Certify.

Info about certificates can be seen using certlm.msc (certmgr.msc is current user certificates, certlm.msc is local machine certificates).

2 Likes
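To answer the questions about where the certificate and the renewal job live on the host, here is an added example (not Certify's or win-acme's own code) that reads the state out from an elevated PowerShell on the IIS machine. It assumes the domain mickwebsite.com and the service display name 'Certify SSL Manager Service' given in this thread.

```powershell
# Added example (not code from Certify The Web or win-acme): read out the renewal
# state on the IIS host. Assumptions: domain mickwebsite.com; the Certify service is
# listed under the display name 'Certify SSL Manager Service' as in the thread.
$Domain = 'mickwebsite.com'

# 1. Certificates in the Local Machine Personal store (what certlm.msc shows under
#    Personal > Certificates), newest first, with days left until expiry.
#    DnsNameList also matches certificates that carry the name only as a SAN.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Domain*" -or $_.DnsNameList.Unicode -contains $Domain } |
    Sort-Object NotAfter -Descending |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

# 2. Certify renews from a Windows service, not a scheduled task: is it running?
Get-Service -DisplayName 'Certify SSL Manager Service' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType

# 3. Any leftover win-acme scheduled task and its last result (0 = success).
Get-ScheduledTask | Where-Object TaskName -like 'win-acme*' |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime

# 4. Which certificate IIS actually presents on its https bindings; the thumbprint
#    should match the newest entry from step 1 (WebAdministration ships with IIS).
Import-Module WebAdministration
Get-WebBinding -Protocol https |
    Select-Object bindingInformation, certificateHash, certificateStoreName
```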

OK,

  1. I found the Certify SSL Manager Service in the services list.
  2. I'll leave the renewal frequency at the default.
  3. I had tried to run the Request Certificate 4 times while making a few changes hoping for success. So I had those 4 "false starts" in the list. To delete them I tried a right click looking for a context menu. I did not think to try single click. So they are gone now.
  4. I had a minor trouble trying to use certim.msc, until I realized that was an L not an I, LM for local machine: certlm.msc. Stupid fonts! I found it in the Personal section.

Looks like I am good to go with this now. Thanx again to everyone,
Mick :slight_smile:

3 Likes