Certificate renewed from command line but not for Scheduled Task

dpollard · March 1, 2018, 1:05am

Hi Everyone,
I have the following scheduled task set to run at 9:00am every morning on my SBS 2011 / Exchange Server.

C:\LetsEncrypt\letsencrypt.exe --renew --baseuri “https://acme-v01.api.letsencrypt.org/” --script C:\LetsEncrypt\InstallCertificate.cmd

It is set to “Run With Highest Privileges” in the task scheduler.

There are no errors just informational messages in the scheduler once per day and nothing is in the log files.
Nothing appears to happen and the certificate is not renewed. This is what I expect when the certificate has more than 30 days left before it expires.

If I run the same command (today) from an elevated command prompt my certificate is successfully renewed for 3 months and all happy messages in the LetsEncrypt logs. There was 27 days to go on the existing certificate when I ran the command manually. The same administrator user is set in the scheduled task as was logged in when running from the command line.

Any ideas why running this command from the task scheduler would stop it from working?

Thanks in advance
David

Rip · March 1, 2018, 5:34am

This information might get you going. The info is for Windows Server 2008 R2, but command line and task scheduler syntax hasn't changed significantly from SBS.

Task Scheduler quirks

dpollard · March 1, 2018, 6:00am

Hi Rip,
Thanks for the reply. I think you have created a link that points back to my post?
SBS 2011 is very similar to Server 2008. They just added some fancy wizards to confuse things

Rip · March 1, 2018, 6:07am

Shoot. I’ll try again.

https://social.technet.microsoft.com/Forums/Lync/en-US/44120d29-cb25-4478-999e-f1a4e9dfa304/command-runs-successfully-from-a-cmd-prompt-but-not-when-using-task-scheduler?forum=winservergen

Cheers!

dpollard · March 2, 2018, 2:34am

OK I think I have fixed the problem.
I’m not exactly sure what it was. I called a command script from the taks instead of the exe.
I added some start / finish echo command to the script and logged them to a file with >>
Then I could make sure things were completing as expected.

I then added the command that actually does the work in between the start and the finish in the script and included a >> logfile.log and 2>&1 to capture the standard error as well.

I had tried a few different users to run the script and that was part of the problem.
I found the script would not exit and the scheduler would say “Running” endlessly.

When I checked out what the log had now caught I found this line.
"Enter an email address (not public, used for renewal fail notices)"
So it is waiting for someone to enter an email address.

Google then pointed me to this post https://github.com/PKISharp/win-acme/issues/585

Which basically says you need to run the script as the same user that originally installed the program.
So I did that and now it appears to work.
At least it executes from the scheduler and says there is nothing to update.
I won’t know for sure if the certificates renewal works until the 60 days has passed they are ready.

But it’s looking good.
I hope this answer helps someone else.
Basic script debugging
David

system · April 1, 2018, 2:35am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.