Expiration Email and Windows Cert Store

Hi,

My home server is a Windows 10 PC.
In 2021, I tried to set up Let's Encrypt using win-acme. I don't remember how far I went and then abandoned this project.
Three months ago, I set up a Let's Encrypt cert successfully with certbot. The cert works like a charm.

A week ago I received a message about my cert expiring. After reading certbot.logs I realized that renewal was failing and I had to update my firewall to allow port 80. I did so and magic - the next day renewal was successful per the logs.

Today, I received another email saying it expires in 7 days. Certbot logs from today still show no renewal needed.
However, when I go to Windows certificates I do see a certificate that expires in a week and I do not see the certbot one expiring in Sep.

Do I have a messed-up setup from trying win-acme first and certbot later?
Appreciate any comments.

1 Like

AFAIK certbot won't load certificates into the Windows Trusted Certificate Store.
If your web server only uses certificates from that root store, you will have to take additional steps to make that happen OR use another Windows ACME client that does load the certs into the store.

3 Likes
  • Are you using IIS or Apache (or nginx)?
  • If you browse to your website and click the certificate icon does it actually say it's going to expire soon?

If you used certbot but your webserver is actually IIS (not apache or nginx) then you will have converted the output of certbot to a PFX file, installed it, then updated the https binding in IIS. If you need to do all this then you may find it slightly simpler to use a windows-specific acme client.

Note also that even if your cert is renewing OK, if you previously had a slightly different set of names on the cert Let's Encrypt will still email you to tell you the old one is expiring (even if it's not relevant anymore because you replaced it with a slightly different cert).

3 Likes

Hi,

  • I use IIS. I converted to PFX for sure for the web server and FTP server. I also use it for another app that takes PEM. I believe in either case, I had the app go through the path and select the certbot cert.
  • I only have one domain name, so I'm still not sure about the renewal email.

Thanks for the explanation. It sounds like my options are:

  1. Retry using win-acme and discontinue certbot (don't remember why I abandoned this before)
  2. Stay with certbot and sync with the Trusted Cert Store; will need to find a way to do this. Something running periodically (unless super easy, no thanks)
  3. Stay with certbot and abandon the Trusted Cert Store; I can just rely on the certbot directory (maybe delete from the Windows cert store for cleanliness)

Would Let's Encrypt let me use both win-acme and certbot in parallel while I test?

UPDATE: I remember now why I didn't like win-acme: the main program I want to use (Calibre) only takes PEM files and does not read certs from the Trusted Cert Store directly. Yes, I can export, but what happens on renewal? I don't want to be doing that all the time or risk running into issues. Unless somebody knows a solution for this (auto export from cert store to file).

1 Like

Another option is to try Certify The Web. It is a GUI and many people find it the easiest to use for Windows and IIS especially. webprofusion is the author and their own website support is focused on Windows. It is one of the ACME clients on the Let's Encrypt list for Windows.

Certbot is OK on Windows but only when using Apache or nginx. Certbot was designed primarily for Linux, so when tight integration with Windows is required it can be difficult.

Personally that is my only suggestion as I don't know Windows IIS or Calibre well.

4 Likes

I think you can still achieve what you require using win-acme; there's bound to be a command line option to get PEM export. I see you've logged an issue with them. You could instead use certbot and have a post-renewal "hook" script to convert to PFX and install that if required, but updating IIS bindings in your own script is just a little more subtly complicated.

As @MikeMcQ mentioned, I develop Certify The Web, which will produce PFX by default (and update IIS for you) but also has Deployment Tasks (see the Tasks tab) which include a Deploy to Generic Server option that lets you also write out PEM files to wherever you need them, called whatever you need them to be. You can also add a task to restart your Calibre service if required after renewal.

Yes, you can use several ACME clients for what amounts to the "same" certificate (different cert, same set of domains). Obviously it's a good idea to settle on one for consistency, but the thing to look out for when using multiple clients would be Let's Encrypt rate limits (e.g. 5 duplicate certs per week).

4 Likes
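The certbot "deploy hook" route mentioned above, and the "auto export to file" the original poster asked for, as an added example that is not from anyone in this thread and not part of certbot, win-acme or Certify The Web. It assumes certbot on Windows is run with `--deploy-hook "powershell.exe -ExecutionPolicy Bypass -File C:\Certbot\deploy.ps1"`, that `openssl.exe` is on PATH, and that the IIS site name, PEM target folder and Calibre service name are placeholders you would replace.

```powershell
# certbot sets RENEWED_LINEAGE to the live directory of the renewed cert
# (e.g. C:\Certbot\live\example.com) when it runs a deploy hook.
$lineage = $env:RENEWED_LINEAGE
if (-not $lineage) { throw "RENEWED_LINEAGE not set; run this as a certbot deploy hook" }

$siteName  = "Default Web Site"   # assumption: IIS site whose https binding to update
$pemTarget = "C:\Calibre\certs"   # assumption: folder the PEM-only app (Calibre) reads
$svcName   = "CalibreServer"      # assumption: Windows service name to restart
$pfxPath   = Join-Path $lineage "cert.pfx"
$pfxPass   = [guid]::NewGuid().ToString()   # throwaway password, only for the import step

# 1. Convert certbot's PEM output (fullchain + private key) to a PFX for Windows
& openssl pkcs12 -export -inkey (Join-Path $lineage "privkey.pem") `
    -in (Join-Path $lineage "fullchain.pem") -out $pfxPath -passout "pass:$pfxPass"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed" }

# 2. Import into the machine's Personal store (Cert:\LocalMachine\My), then delete the PFX
$secure = ConvertTo-SecureString $pfxPass -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure
Remove-Item $pfxPath

# 3. Point every https binding of the site at the new certificate
Import-Module WebAdministration
$bindings = @(Get-WebBinding -Name $siteName -Protocol https)
if ($bindings.Count -eq 0) { throw "No https binding found on site '$siteName'" }
foreach ($b in $bindings) { $b.AddSslCertificate($cert.Thumbprint, "My") }

# 4. Remove older copies with the same subject so the store stops showing expiring certs
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.NotAfter -lt $cert.NotAfter } |
    Remove-Item

# 5. Copy the PEM files for the app that cannot read the Windows cert store, then restart it
New-Item -ItemType Directory -Force -Path $pemTarget | Out-Null
Copy-Item (Join-Path $lineage "fullchain.pem") $pemTarget -Force
Copy-Item (Join-Path $lineage "privkey.pem")   $pemTarget -Force
Restart-Service -Name $svcName -ErrorAction SilentlyContinue
```

The hook runs under whatever account certbot's scheduled task uses, so that account needs write access to the PEM target folder and rights to manage IIS bindings.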

Hi,
Thanks for answering.
I was able to understand win-acme a little better and set it up (option 1). It can do all I wanted: Windows cert store/PFX + PEM. I will keep certbot for a little bit and then discontinue it.
win-acme is not user friendly for sure... If I have to do this again, I will probably complain as well.
I can see why @webprofusion developed Certify The Web :grinning:

4 Likes
