Certificate renews but not installed on Exchange

Hi Everyone,
I’m using Windows 2008 R2 and Exchange Server 2010
I have my certificate automatically renewing 30 days before expiring but my automatic install is not working.

This is the command I’m using.
C:\LetsEncrypt\letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/" --script C:\LetsEncrypt\InstallCertificate.cmd >> start.log 2>&1

The log file captures this on the day the renewal occurs.
Note the warning towards the bottom.
If I later run the installcertificate.cmd from an elevated command prompt it works and the certificate is installed. Any ideas why the --script doesn’t run from the scheduled task?

[INFO] Let's Encrypt (Simple Windows ACME Client)
[INFO] version 1.9.4.37651 (RELEASE)
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Renewal period: 60
[INFO] Certificate store: WebHosting
[INFO] ACME Server: https://acme-v01.api.letsencrypt.org/
[INFO] Checking renewals
[INFO] Checking [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 27/04/2018
[INFO] Renewing certificate for [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 27/04/2018
[INFO] Authorizing identifier mail.vjray.com.au using http-01 challenge
[INFO] Answer should now be browsable at http://mail.vjray.com.au/.well-known/acme-challenge/6Mxn0O3OYjOSgKhDW396nyd39yKEjXkOMZOgMPt3B1U
[INFO] Authorization result: valid
[INFO] Authorizing identifier campsie.vjray.com.au using http-01 challenge
[INFO] Answer should now be browsable at http://campsie.vjray.com.au/.well-known/acme-challenge/yRCiKr4W0LQ6-G4J1gWhZYmmGmEoJI0H4jh73m213rI
[INFO] Authorization result: valid
[INFO] Requesting certificate: mail.vjray.com.au
[INFO] Saving certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\mail.vjray.com.au-crt.der
[INFO] Saving issuer certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
[INFO] Saving certificate to c:\Central_SSL\mail.vjray.com.au.pfx
[INFO] Saving certificate to c:\Central_SSL\campsie.vjray.com.au.pfx
[INFO] Updating new Central SSL Certificate
[WARN] Unable to configure server software.
[INFO] Renewal scheduled [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 26/06/2018
[INFO] Checking [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot] - renew after 25/06/2018
[INFO] Renewal for certificate [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot] - renew after 25/06/2018 not scheduled

Is the task set to use an account that can run it successfully from the prompt?
I would try increasing the task privileges (max it out and get it to work - then lower it):
options

Yes it is the same administrator user in the task as I used to run from the command prompt.
I already have the “Run whether user is logged in or not” set
And run with the highest privileges is also ticked.

When I look back through the task history to the day certificate was renewed it all looks good.
This is the text from the “Action Completed” info message.
Task Scheduler successfully completed task “\LetsEncrypt” , instance “{6ed76918-59c7-4d04-9b2d-7c29e6835a28}” , action “C:\Windows\SYSTEM32\cmd.exe” with return code 0.

The [WARN] message appears to be coming from LetsEncrypt.exe
My InstallCertificate.cmd just calls a PowerShell script to install the certificate.
I’m at a loss as to why it works directly but not from a scheduled task unless “Run with the highest privileges” isn’t the same as a command prompt launched with “Run as administrator”
I can’t even think of anything else to try at this stage.
Thanks
David.

Please show the entire process - all the files that are used:
InstallCertificate.cmd
the powershell script
etc.

And the details of the [WARN] message.

The details of the [Warn] message are in my original post. Here it is again :slight_smile:
[WARN] Unable to configure server software.
That is the only thing I can find that looks like an error message.

These are the command files that perform the update process.

Start.cmd

echo ---------------------------Start-------------------------------- >> start.log
date /t >> start.log
time /t >> start.log
C:\LetsEncrypt\letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/"  --script  C:\LetsEncrypt\InstallCertificate.cmd >> start.log 2>&1
date /t >> start.log
time /t >> start.log
echo ---------------------------Finish-------------------------------- >> start.log
exit >> start.log

InstallCertificate.cmd

REM 
REM Call the powershell script to import the generated certificate into Exchange
REM 
REM This script (InstallCertificate.cmd) is called from the scheduled task using the --script option

SET logfile=C:\Letsencrypt\Installcertificate.log
set logfile2=c:\Letsencrypt\LetsEncrypt.log

del %logfile2%

SET SUBJECT=Renew_Exchange_Certificate_for_vjray.com.au

echo -------------------------------------------------------------------------------------------------------- > "%logfile%"
echo -- Begin InstallCertificate.cmd -- >> "%logfile%"
date /t >> "%logfile%" && time /t >> "%logfile%"
echo -------------------------------------------------------------------------------------------------------- >> "%logfile%"

powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\V14\Bin\ExShell.Psc1" -command ". 'c:\letsencrypt\InstallCertificate.ps1'" >> %logfile% 2>&1

echo "-- Start Output from Power shell Script --" >> %logfile%
type %logfile2% >> %logfile% 2>&1
echo "-- End Output from Power shell Script --" >> %logfile%

echo -------------------------------------------------------------------------------------------------------- >> "%logfile%"
echo -- End InstallCertificate.cmd -- >> "%logfile%"
date /t >> "%logfile%" && time /t >> "%logfile%"
echo -------------------------------------------------------------------------------------------------------- >> "%logfile%"

REM echo -------------------------------------------------------------------------------------------------------- >> "%logfile%"
echo "Email the log file (See logmail.log for execution details)" >> "%logfile%"
REM echo Subject=%SUBJECT%
REM CALL is needed so control returns to this script after logmail.bat finishes
call logmail.bat %logfile% %SUBJECT%

date /t >> "%logfile%" && time /t >> "%logfile%"
echo -- Finished -- >> "%logfile%"

InstallCertificate.ps1

$LogFile = "c:\LetsEncrypt\LetsEncrypt.log"
$startTime = Get-Date
Write-Output "InstallCertificate.ps1		BEGIN	  $startTime" | Out-File -Encoding ascii -append -filepath $LogFile

Write-Output "InstallCertificate.ps1		Stage 1:  Define Password" | Out-File -Encoding ascii -append -filepath $LogFile 
$PfxPassword = ConvertTo-SecureString "PasswordRemoved" -AsPlainText -Force 

Write-Output "InstallCertificate.ps1		Stage 2:  Import Certificate into Exchange"  | Out-File -Encoding ascii -append -filepath $LogFile
try
{
	# -ErrorAction Stop turns cmdlet errors into terminating errors so the Catch block actually runs
	Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Central_SSL\campsie.vjray.com.au.pfx -Encoding byte -ReadCount 0)) -Password:$PfxPassword -ErrorAction Stop
	Echo "InstallCertificate.ps1		 		  Success" | Out-File -Encoding ascii -append -filepath $LogFile
}
Catch
{
	Echo "InstallCertificate.ps1		 		  *** Error ***" | Out-File -Encoding ascii -append -filepath $LogFile
	# The error text is in Exception.Message; the error record has no Messages property
	Echo $_.Exception.Message | Out-File -Encoding ascii -append -filepath $LogFile
}

Write-Output "InstallCertificate.ps1		Stage 3:  Retrieve new certificate thumbprint" | Out-File -Encoding ascii -append -filepath $LogFile
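# @() forces an array even when only one certificate matches (otherwise [0] returns the first character of the thumbprint string).
# Sorting by NotAfter descending puts the most recently issued certificate first.
$allThumbprint = @(Get-ExchangeCertificate -DomainName campsie.vjray.com.au | Sort-Object NotAfter -Descending | select -expand Thumbprint)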
# $newThumbprint = $allThumbprint.substring(0,39)  This didn't work as $newThumbprint is an Array not a string.  Not sure why it seemed to work before
$newThumbprint = $allThumbprint[0]

write-output "InstallCertificate.ps1				  Thumbprint=$newThumbprint" | Out-File -Encoding ascii -append -filepath $LogFile

Write-Output "InstallCertificate.ps1		Stage 4:  Modify Exchange Certificate Assigned ServicesCertificate"  | Out-File -Encoding ascii -append -filepath $LogFile
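try
{
	# -ErrorAction Stop turns cmdlet errors into terminating errors so the Catch block actually runs
	Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services POP,IMAP,IIS,SMTP -Force -ErrorAction Stop
	Echo "InstallCertificate.ps1		 		  Success" | Out-File -Encoding ascii -append -filepath $LogFile
}
Catch
{
	Echo "InstallCertificate.ps1		 		  *** Error ***" | Out-File -Encoding ascii -append -filepath $LogFile
	# The error text is in Exception.Message; the error record has no Messages property
	Echo $_.Exception.Message | Out-File -Encoding ascii -append -filepath $LogFile
}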

Write-Output "InstallCertificate.ps1		Stage 5:  List Exchange Certificate Assigned ServicesCertificate"  | Out-File -Encoding ascii -append -filepath $LogFile
# Get-ExchangeCertificate | Out-File -Encoding ascii -append -filepath $LogFile
get-exchangecertificate | Format-List CertificateDomains, NotBefore, NotAfter | Out-File -Encoding ascii -append -filepath $LogFile

$endTime = Get-Date
Write-Output "InstallCertificate.ps1		END		  $endTime" | Out-File -Encoding ascii -append -filepath $LogFile

Try adding:
echo current location = %cd% >> (into all your log files)
to show from where the actions are being performed.

Run it once from command prompt and review the locations used
Run it once from task scheduler and compare the locations
If they are NOT the same you may need to include a CD to the working location in your process.

Good Idea, I’ll have to wait for the renew cycle to come around again before I can test it. :frowning:
I already have the Scheduled Task “Start In” option set to c:\LetsEncrypt

I’m just reviewing the log named LetsEncrypt.Log and it was updated when I ran the script from the cmd prompt however nothing at all from when it was run from the scheduled task.
So the InstallCertificate.cmd isn’t being run at all with the --script option.
It seems to be the call to that script that fails.

I guess I still need to know the meaning of [WARN] Unable to configure server software and what the possible causes are.
I could run InstallCertificate.cmd directly from start.cmd but I would only want to run it when there is a new certificate waiting to install. I’m not sure how I can detect that.

Hi Everyone,
Just so it’s clear this problem is not solved.
My current certificate is good until 27 July 18
So I can’t try the renewal process again until after 27 June 18.

I haven’t changed anything at this stage so I’m not expecting it to work when the time comes.
This command runs…
C:\LetsEncrypt\letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/" --script C:\LetsEncrypt\InstallCertificate.cmd >> start.log 2>&1

But the --script doesn’t do anything. If it started it would log something.

The only error I can find is…
[WARN] Unable to configure server software.

If this is a bug how can I escalate it?

Thanks
David

Does your client allow you to force a renewal sooner or set a different renewal threshold? 30 days is just Let's Encrypt's recommendation for default behavior, and it isn't a policy or technical requirement.

try adding:
--forcerenewal

Hi There, I am the client so I can do whatever I like :slight_smile:
I had assumed renewing too often was frowned upon and I didn't want to get banned or something.
I have seen that value in a configuration file so I should be able to find it again and change it.

However I can't really see the point if I don't know what the warning means and what I should do about it.
If I run it again now it will simply fail again and I will be no better off.

Does anyone know what conditions trigger this warning?
Thanks
David

There are rate limits, but almost none of them result in a permanent ban, only a temporary delay in the ability to issue further certificates.

If you stay within the rate limits, there should be no adverse consequences at all from renewing more often than recommended.

I don't know personally. However I believe your client is now this one

so you could try some of the documentation and support channels mentioned there.

My Current certificate expires on 27/07/2018 (DD/MM/YYYY)
This is the RenewalDays in my config file.

  <setting name="RenewalDays" serializeAs="String">
    <value>60</value>
  </setting>

I changed the 60 to a 10

When I ran my start.cmd from an elevated command prompt to rule out any scheduler permission problems this is the logged output.

---------------------------Start-------------------------------- 
Thu 10/05/2018 
09:44 AM
Current Folder C:\LetsEncrypt 

[INFO] Let's Encrypt (Simple Windows ACME Client)
[INFO] version 1.9.4.37651 (RELEASE)
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Renewal period: 10
[INFO] Certificate store: WebHosting
[INFO] ACME Server: https://acme-v01.api.letsencrypt.org/
[INFO] Checking renewals
[INFO] Checking [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 26/06/2018
[INFO] Renewal for certificate [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 26/06/2018 not scheduled
[INFO] Checking [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot] - renew after 25/06/2018
[INFO] Renewal for certificate [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot] - renew after 25/06/2018 not scheduled
Thu 10/05/2018 
09:44 AM
---------------------------Finish-------------------------------- 

It appears that nothing happened because the renewal dates are actually set in the stored certificate?
So I changed the value back to 60

Next I included the --forcerenewal on the letsencrypt.exe command.
Here is the logged output.

---------------------------Start-------------------------------- 
Thu 10/05/2018 
09:59 AM
Current Folder C:\LetsEncrypt 

[INFO] Let's Encrypt (Simple Windows ACME Client)
[INFO] version 1.9.4.37651 (RELEASE)
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Renewal period: 60
[INFO] Certificate store: WebHosting
[INFO] ACME Server: https://acme-v01.api.letsencrypt.org/
[INFO] Checking renewals
[INFO] Renewing certificate for [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 26/06/2018
[INFO] Authorizing identifier mail.vjray.com.au using http-01 challenge
[INFO] Answer should now be browsable at http://mail.vjray.com.au/.well-known/acme-challenge/6Mxn0O3OYjOSgKhDW396nyd39yKEjXkOMZOgMPt3B1U
[INFO] Authorization result: valid
[INFO] Authorizing identifier campsie.vjray.com.au using http-01 challenge
[INFO] Answer should now be browsable at http://campsie.vjray.com.au/.well-known/acme-challenge/yRCiKr4W0LQ6-G4J1gWhZYmmGmEoJI0H4jh73m213rI
[INFO] Authorization result: valid
[INFO] Requesting certificate: mail.vjray.com.au
[INFO] Saving certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\mail.vjray.com.au-crt.der
[INFO] Saving issuer certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
[INFO] Saving certificate to c:\Central_SSL\mail.vjray.com.au.pfx
[INFO] Saving certificate to c:\Central_SSL\campsie.vjray.com.au.pfx
[INFO] Updating new Central SSL Certificate
[WARN] Unable to configure server software.
[INFO] Renewal scheduled [Manual] [2 bindings - mail.vjray.com.au, ... @ %SystemDrive%\inetpub\wwwroot] - renew after 8/07/2018
[INFO] Renewing certificate for [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot] - renew after 25/06/2018
[INFO] Authorizing identifier campsie.vjray.com.au using http-01 challenge
[INFO] Answer should now be browsable at http://campsie.vjray.com.au/.well-known/acme-challenge/yRCiKr4W0LQ6-G4J1gWhZYmmGmEoJI0H4jh73m213rI
[INFO] Authorization result: valid
[INFO] Requesting certificate: campsie.vjray.com.au
[INFO] Saving certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\campsie.vjray.com.au-crt.der
[INFO] Saving issuer certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
[INFO] Saving certificate to c:\Central_SSL\campsie.vjray.com.au.pfx
[INFO] Updating new Central SSL Certificate
[WARN] Unable to configure server software.
[INFO] Renewal scheduled [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot] - renew after 9/07/2018
Thu 10/05/2018 
10:00 AM
---------------------------Finish-------------------------------- 

I can see the two new “Renew After” dates for each of my domain names are now set to 08/07/2018 and 09/07/2018 (not sure why they are a day apart).

I still see the two warnings
[WARN] Unable to configure server software.

There is still no change to the Installcertificate.log so the installcertificate.cmd specified in the --script parameter has not executed.

So the --forcerenewal lets me retest the process and generates new certificates but I haven’t solved the underlying problem. When I ran the Installcertificate.cmd from a command prompt my web server is updated with the new certificate.

I’m still no closer to figuring out why the --script command doesn’t do anything.
Any ideas?

Thanks
David

@WouterTinus, are you now the right person to ask for help with this client? I’m sorry that I haven’t been keeping track of who is responsible for it. In any case, could you suggest where we can best send people who are having trouble with this family of Windows clients, or whom we can notify on this forum?

OK I was a bit confused about where all the pieces to make this work came from.
When I look here https://github.com/PKISharp/win-acme/releases
I see the latest stable release is 1.9.10.1
My Letsencrypt.exe properties show version 1.9.4.0

So there may be some helpful fixes in there for me.
This page also mentions a --verbose setting that may be helpful.


There is also a wiki and more support options for the client.
I misunderstood what you meant by client before. I thought you were referring to a customer I support :slight_smile: not a Windows client. So I’ll go and investigate that and post my solution back here.
Thanks for the point in the right direction.

It sounds like it may count back from the expiration rather than forward from the issued date.
Try increasing the number next time.

It counts forward from the issue date but it’s calculated and stored at the time of the issue, not dynamically on each run. In other words changing the period only starts to have effect after the next renewal.

To test if it’s working trigger the renewal manually from the menu or with --forcerenewal from the command line.

The --forcerenewal does allow me to test but it is still failing to run the --script command.
I have posted a new question here https://github.com/PKISharp/win-acme/issues/852
I hope that is appropriate. I think there are additional details in the log but nothing obvious to me anyway.
David

I received a response on the github ticket I created.
My understanding is that the --script is only executed for new certificate creations and not for renewals.
I don’t understand the technical reasons for this but I accept them :slight_smile:
I’ll work around it by scheduling my install script to run once a week from a separate scheduled task.
I’ll just deal with any errors generated when there are no updated certificates to install.
So we can call this one solved.
Thanks for everyone’s comments and ideas.
David
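
One way to make the weekly task described above a no-op when nothing has changed, which also answers the earlier question of how to detect a certificate waiting to be installed: compare the thumbprint of the PFX in C:\Central_SSL with the certificates Exchange already holds. This is an added example, not code from the thread or from win-acme; the script name InstallIfNew.ps1 is hypothetical, and the paths, service list and password placeholder are taken from the posts above.

```powershell
# InstallIfNew.ps1 (hypothetical name) - added example, not the poster's script.
# Run it in the Exchange Management Shell, e.g. through the same
# "powershell.exe -PSConsoleFile ...\ExShell.Psc1" call used in InstallCertificate.cmd.
$PfxPath     = 'C:\Central_SSL\campsie.vjray.com.au.pfx'   # PFX path from the thread
$LogFile     = 'C:\LetsEncrypt\LetsEncrypt.log'            # log path from the thread
# Placeholder exactly as posted; the real value should not be world-readable on disk.
$PfxPassword = ConvertTo-SecureString 'PasswordRemoved' -AsPlainText -Force

function Write-Log([string]$Message) {
    # One timestamped line per event, appended to the existing log
    "{0:s}  InstallIfNew.ps1  {1}" -f (Get-Date), $Message |
        Out-File -Encoding ascii -Append -FilePath $LogFile
}

function Get-PfxThumbprint([string]$Path, [System.Security.SecureString]$Password) {
    # Opens the PFX to read its thumbprint; the certificate is not added to any store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $Path, $Password
    return $cert.Thumbprint
}

try {
    $pfxThumb = Get-PfxThumbprint $PfxPath $PfxPassword

    # @() keeps the result an array whether zero, one or many certificates match.
    $installed = @(Get-ExchangeCertificate -ErrorAction Stop |
                   Where-Object { $_.Thumbprint -eq $pfxThumb })

    if ($installed.Count -gt 0) {
        # Same certificate as last week: nothing to import, no errors to ignore.
        Write-Log "Thumbprint $pfxThumb already in Exchange; nothing to do"
        exit 0
    }

    # A renewed PFX is waiting: import it and move the services across.
    $bytes = [System.IO.File]::ReadAllBytes($PfxPath)
    Import-ExchangeCertificate -FileData $bytes -Password $PfxPassword -ErrorAction Stop | Out-Null
    Enable-ExchangeCertificate -Thumbprint $pfxThumb -Services POP,IMAP,IIS,SMTP `
        -Force -ErrorAction Stop
    Write-Log "Imported and enabled $pfxThumb"
    exit 0
}
catch {
    # A non-zero exit code makes the failure visible in the Task Scheduler history.
    Write-Log "*** Error *** $($_.Exception.Message)"
    exit 1
}
```

The check only tests whether the thumbprint is present in Exchange; it does not re-verify which services an already imported certificate is enabled for.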

Is there a different parameter that does execute on cert renewal?