Configuration Error, Every 60 Days

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ampexperts.com, basspig.com, adventuresinanimemusic.com, candlewoodmotionpictures.com, candlewoodvideography.com, mwhdvideo.com, mwprovideo.com, mwcomms.com

I ran this command: Commands run by scheduled task installed by Letsencrypt batch file.

It produced this output: every 60 days, web browers saying certificate invalid.

My web server is (include version): IIS 7.5

The operating system my web server runs on is (include version): Windows 7 Pro

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not sure.

This is a continuation of my earlier topic, which is still not resolved.

Due to IIS 7.5 not being capable of handling multiple cert bindings, I need to change this configuration to use a SAN cert.

The original batch file installed two Windows Task Scheduler tasks to do this automatically. However, it is creating 8 certs for my 8 domains, and because IIS 7.5 can’t bind more than one, it scrambles things at random so my one secure domain ends up with the cert for another domain automatically on renewal day.

I’m trying to figure out how to configure this to make one SAN cert and have it auto renew.

When I run letsencrypt.exe, I get a list of 8 domains and the following prompt:

W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
A: Get certificates for all hosts
Q: Quit
Which host do you want to get a certificate for:

Obviously, I have been selecting option A all this time, but that’s getting me into trouble because the bindings are random due to IIS 7.5 limitations.

I tried entering this command based upon advice given me in other thread (now closed):

letsencrypt–domains “adventuresinanimemusic.com,www.adventuresinanimemusic.com,” etc (can’t display the whole thing because this forum doesn’t allow that many links in a post.)

… however, I’m getting an invalid command.

I need to to finally fix this properly. I was out of the country til now, and five days ago, the certs renewed, knocking my main website offline due to invalid cert on April 11, and nothing I could do until I returned physically to the US.

Part of the problem is that Letsencrypt.exe sets up Windows Tasks that do things a certain way and not the way to make a SAN cert every 60 days.

I’ve looked at other clients, but they mostly require UNIX. So options limited on IIS 7.5.

Two months ago, I gave the command to make only one certificate, but apparently that did not update the Windows Tasks and I continue to get multiple certs that result in scrambled bindings.

If anyone can walk me through the right command line, if it’s even possible, to make a SAN cert with letsencrypt.exe, it would help enormously. Otherwise, I keep having this problem every 60 days.

2

The real problem here is actually IIS 7.5 [which does not support SNI].
That said, you can also run both apache and nginx on windows [or on any other (nearby) system].
So the problem can be easily “resolved” (even within the same system) by using a proxy that supports SNI and integrates easier with letsencrypt.

[or you can also resolve it by upgrading to IIS 8]

3

Hi @Basspig

first, check the documentation if there is a command to create a certificate with a lot of domain names.

Use the test system (hope, that client supports it) to check that.

If this isn't possible:

Isn't there another client you can use?

4

The problem is that my server is running Windows 7. I don’t know of any way to upgrade IIS to version 8.

I’m testing NGINX, but only for use as a streaming server. There is little documentation and it seems to have no UI, so I haven’t been able to do much with it other than use the scripts that were recommended for setting up a streaming server.

Presently, I tried to run the Simple configuration and ask for just one cert for the time being, but options only exist for WebDAV, FTP, all sites on the server and that’s about it. I don’t know enough about it to try the manual option. This integrates with Windows Scheduler, to keep the certs renewed every 60 days.

I only recently upgraded this server from Win XP and IIS 5.x. I don’t want to get into the cost of Windows Server 2016 with it’s monthly subscription fees. If I could figure out how to request a SAN cert and automate renewal through Task Scheduler, that would be all I need.

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.