First renewal fails


#1

My domain is: managedstorage.douganconsulting.com

I ran this command: .\ACMESharp.ps1

It produced this output:

Id : 0d0797a0-5291-4444-90a0-63616e717c66
Alias :
Label :
Memo :
BaseService : LetsEncrypt
BaseUri : https://acme-v01.api.letsencrypt.org/
Signer :
PkiTool :
GetInitialDirectory : True
UseRelativeInitialDirectory : True
ServerDirectory : {[init, /directory], [directory, /directory], [new-reg, /acme/new-reg], [recover-reg, /recover-reg]…}
Proxy :
ProviderProfiles :
InstallerProfiles :
Registrations : {56f1006c-d5de-4d14-ab27-56af66c7d82d}
Identifiers : {00c64ccc-4d2d-4f50-9a50-f958e8384b98}
Certificates : {ff6a7ce1-ee2d-4afc-b549-add960bd717e, 97f4a8a0-b7eb-4062-add1-38b7dfb5fd9a}
IssuerCertificates : {[0A0141420000015385736A0B85ECA708, ACMESharp.Vault.Model.IssuerCertificateInfo]}

New-AcmeIdentifier : An item with the same key has already been added.
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:37 char:5

+     New-AcmeIdentifier -Dns $domain -Alias $alias
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-ACMEIdentifier], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,ACMESharp.POSH.NewIdentifier

Complete-ACMEChallenge : no challenge found matching requested type
Parameter name: challengeType
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:40 char:5

+     Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Complete-ACMEChallenge], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.CompleteChallenge

Submit-ACMEChallenge : no challenge found matching requested type
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:43 char:5

+     Submit-ACMEChallenge $alias -ChallengeType http-01
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Submit-ACMEChallenge], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,ACMESharp.POSH.SubmitChallenge

Update-ACMEIdentifier : no challenge found matching requested type
Parameter name: type
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:46 char:5

+     Update-ACMEIdentifier $alias -ChallengeType http-01
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-ACMEIdentifier], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.UpdateIdentifier

Update-ACMEIdentifier : no challenge found matching requested type
Parameter name: type
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:47 char:5

+     Update-ACMEIdentifier $alias -ChallengeType http-01
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-ACMEIdentifier], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.UpdateIdentifier

Id : 123ff9fe-c34c-49e0-b50c-80cf46c29cf7
Alias : managedstorage2018-10-28–10-07
Label :
Memo :
IdentifierRef : 00c64ccc-4d2d-4f50-9a50-f958e8384b98
IdentifierDns : managedstorage.douganconsulting.com
AlternativeIdentifierDns :
KeyPemFile :
CsrPemFile :
GenerateDetailsFile : 123ff9fe-c34c-49e0-b50c-80cf46c29cf7-gen.json
CertificateRequest :
CrtPemFile :
CrtDerFile :
IssuerSerialNumber :
SerialNumber :
Thumbprint :
Signature :
SignatureAlgorithm :
RevokedAt :

Submit-ACMECertificate : Error creating new cert :: authorizations for these names not found or expired: managedstorage.douganconsulting.com
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:54 char:1

+ Submit-ACMECertificate $certname
    + CategoryInfo          : PermissionDenied: (ACMESharp.Vault.Model.CertificateInfo:CertificateInfo) [Submit-ACMECertificate], AcmeWebException
    + FullyQualifiedErrorId : urn:acme:error:unauthorized (403),ACMESharp.POSH.SubmitCertificate

update-AcmeCertificate : Certificate has not been submitted yet; cannot update status
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:57 char:1

+ update-AcmeCertificate $certname
    + CategoryInfo          : NotSpecified: (:) [Update-ACMECertificate], Exception
    + FullyQualifiedErrorId : System.Exception,ACMESharp.POSH.UpdateCertificate

Press Enter to continue…:
Get-ACMECertificate : Cannot export PKCS12; private hasn’t been imported or generated
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:62 char:1

+ Get-ACMECertificate $certname -ExportPkcs12 $pfxfile
    + CategoryInfo          : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate

My web server is (include version): IIS version 10

The operating system my web server runs on is (include version): Server 2016

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I created the cert and installed it a couple of months ago. I got an email from your bot that it is coming due for renewal, so I tried to run the ACME Sharp script with the results above.

Thanks for any assistance you can provide.

Des


#2

Can you show the contents of file: ACMESharp.ps1
[I’m interested in seeing how/where those variables are defined.]


#3

Thanks for replying.

I based it on this post on Rick Strahl’s site.

The script is as follows:

#install-Module -Name ACMESharp

import-module ACMESharp

$email = "mailto:des@douganconsulting.com"
$domain = "managedstorage.douganconsulting.com"
$alias = "managedstorage"
$iissitename = "managedstorage.douganconsulting.com"
certname = "managedstorage(get-date -format yyyy-MM-dd–HH-mm)"
$pfxfile = "c:\Admin\Certs$certname.pfx"

$initializevault = $FALSE
$createregistration = $FALSE
$createalias = $TRUE

# Change to the Vault folder

cd C:\ProgramData\ACMESharp\sysVault

# First time on the machine - initialize vault

if($initializevault)
{
Initialize-ACMEVault
}

Get-ACMEVault

if($createregistration)
{
# Set up new ‘account’ tied to an email address
New-AcmeRegistration -Contacts "$email" -AcceptTos
}

if($createalias)
{

# Associate a new site 
New-AcmeIdentifier -Dns $domain -Alias $alias

# Prove the site exists and is accessible
Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis -HandlerParameters @{WebSiteRef="$iissitename"}

# Validate site
Submit-ACMEChallenge $alias -ChallengeType http-01

# check until valid or invalid - pending
Update-ACMEIdentifier $alias -ChallengeType http-01
Update-ACMEIdentifier $alias -ChallengeType http-01 

}

# Generate a certificate

New-ACMECertificate ${alias} -Generate -Alias $certname

#Submit the certificate
Submit-ACMECertificate $certname

# Hit until values are filled in

update-AcmeCertificate $certname

pause

# Export Certificate to PFX file

Get-ACMECertificate $certname -ExportPkcs12 $pfxfile

Thanks,

Des


#4

I think the $alias may need to be an FQDN.


#5

Shouldn’t that be:
$certname


#6

Thanks for your replies. To answer the second one - the script does have $certname - it was lost when copy/pasting.

I tried changing $alias as you suggested, and still get an issue:


PS C:\Users\Administrator.DCG\Documents> .\ACMESharp.ps1

Id : 0d0797a0-5291-4444-90a0-63616e717c66
Alias :
Label :
Memo :
BaseService : LetsEncrypt
BaseUri : https://acme-v01.api.letsencrypt.org/
Signer :
PkiTool :
GetInitialDirectory : True
UseRelativeInitialDirectory : True
ServerDirectory : {[init, /directory], [directory, /directory], [new-reg, /acme/new-reg], [recover-reg, /recover-reg]…}
Proxy :
ProviderProfiles :
InstallerProfiles :
Registrations : {56f1006c-d5de-4d14-ab27-56af66c7d82d}
Identifiers : {00c64ccc-4d2d-4f50-9a50-f958e8384b98}
Certificates : {ff6a7ce1-ee2d-4afc-b549-add960bd717e, 97f4a8a0-b7eb-4062-add1-38b7dfb5fd9a, 123ff9fe-c34c-49e0-b50c-80cf46c29cf7,
aa7fd889-b28a-4c2f-b5b4-0ee6320b0888}
IssuerCertificates : {[0A0141420000015385736A0B85ECA708, ACMESharp.Vault.Model.IssuerCertificateInfo]}

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : managedstorage.douganconsulting.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/Q9E5MRkwHpuXiqsd5Vizu_NmliAf44ObD87u1DuBsD4
Status : pending
Expires : 2018-11-19 1:44:33 AM
Challenges : {, , , }
Combinations : {0, 1, 2, 3}

Complete-ACMEChallenge : unresolved site for given site reference
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:40 char:5

+     Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Complete-ACMEChallenge], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.CompleteChallenge

Submit-ACMEChallenge : challenge has not been decoded
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:43 char:5

+     Submit-ACMEChallenge $alias -ChallengeType http-01
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Submit-ACMEChallenge], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.SubmitChallenge

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : managedstorage.douganconsulting.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/Q9E5MRkwHpuXiqsd5Vizu_NmliAf44ObD87u1DuBsD4
Status : pending
Expires : 2018-11-19 1:44:33 AM
Challenges : {, , , }
Combinations : {0, 1, 2, 3}

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : managedstorage.douganconsulting.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/Q9E5MRkwHpuXiqsd5Vizu_NmliAf44ObD87u1DuBsD4
Status : pending
Expires : 2018-11-19 1:44:33 AM
Challenges : {, , , }
Combinations : {0, 1, 2, 3}

Id : abdb188f-0733-45f4-a8ce-0d58c053ac3c
Alias : managedstorage2018-11-11–17-44
Label :
Memo :
IdentifierRef : c09c996b-a62a-4e9f-9641-97d90df18cf8
IdentifierDns : managedstorage.douganconsulting.com
AlternativeIdentifierDns :
KeyPemFile :
CsrPemFile :
GenerateDetailsFile : abdb188f-0733-45f4-a8ce-0d58c053ac3c-gen.json
CertificateRequest :
CrtPemFile :
CrtDerFile :
IssuerSerialNumber :
SerialNumber :
Thumbprint :
Signature :
SignatureAlgorithm :
RevokedAt :

Submit-ACMECertificate : Error creating new cert :: authorizations for these names not found or expired: managedstorage.douganconsulting.com
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:54 char:1

+ Submit-ACMECertificate $certname
    + CategoryInfo          : PermissionDenied: (ACMESharp.Vault.Model.CertificateInfo:CertificateInfo) [Submit-ACMECertificate], AcmeWebException
    + FullyQualifiedErrorId : urn:acme:error:unauthorized (403),ACMESharp.POSH.SubmitCertificate

update-AcmeCertificate : Certificate has not been submitted yet; cannot update status
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:57 char:1

+ update-AcmeCertificate $certname
    + CategoryInfo          : NotSpecified: (:) [Update-ACMECertificate], Exception
    + FullyQualifiedErrorId : System.Exception,ACMESharp.POSH.UpdateCertificate

Press Enter to continue…:
Get-ACMECertificate : Cannot export PKCS12; private hasn’t been imported or generated
At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:62 char:1

+ Get-ACMECertificate $certname -ExportPkcs12 $pfxfile
    + CategoryInfo          : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate

Any feedback is appreciated - it expires in a few days, and I can’t see why it is not working.

Des
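
[Added example, not part of the original thread and not ACMESharp project code: in the run above the authorization is still "pending" when Submit-ACMECertificate is called, and the script carries on after each failed step. The sketch below stops at the first error and requests a certificate only once the authorization reports "valid". It uses only cmdlets and parameters that appear in the script in #3; the function name Wait-AcmeAuthorization, the timeout, the poll interval and the certificate alias format are assumptions.]

```powershell
# Added example: fail fast instead of cascading errors.
Import-Module ACMESharp
$ErrorActionPreference = 'Stop'   # any failing cmdlet aborts the script here

$alias       = "managedstorage"                        # identifier alias from post #3
$iissitename = "managedstorage.douganconsulting.com"   # IIS site name from post #3
# Assumed alias format for the new certificate entry in the vault
$certname    = "managedstorage$(Get-Date -Format 'yyyy-MM-dd-HH-mm')"

# Hypothetical helper: poll the authorization until it leaves 'pending'
# or the timeout passes, then insist on 'valid'.
function Wait-AcmeAuthorization {
    param(
        [string]$Alias,
        [int]$TimeoutSeconds = 120,   # assumed value
        [int]$PollSeconds    = 5      # assumed value
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Same call as in the original script; Status and Expires are the
        # fields shown in the output in post #6.
        $authz = Update-ACMEIdentifier $Alias -ChallengeType http-01
        if ($authz.Status -ne 'pending') { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    if ($authz.Status -ne 'valid') {
        throw "Authorization for '$Alias' is '$($authz.Status)' (expires $($authz.Expires)); not requesting a certificate."
    }
    return $authz
}

# Challenge steps from the original script; with 'Stop' set, a failure in
# Complete-ACMEChallenge ends the run before anything is submitted.
Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis -HandlerParameters @{WebSiteRef = $iissitename}
Submit-ACMEChallenge $alias -ChallengeType http-01
Wait-AcmeAuthorization -Alias $alias | Out-Null

# Reached only when the authorization is valid
New-ACMECertificate $alias -Generate -Alias $certname
Submit-ACMECertificate $certname
```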


#7

What is the FQDN used?
And you may want to modify the post title to include “ACMESharp”


#8

managedstorage.douganconsulting.com

Thanks,

Des


#9

Using PS do (and show output of):
set-location cert:
cd .\LocalMachine\My
gci | fl Thumbprint,Name,FriendlyName,Subject


#10

PS C:\ProgramData\ACMESharp\sysVault> certutil -dump

CertUtil: -dump command completed successfully.

PS C:\ProgramData\ACMESharp\sysVault>

It doesn’t return anything.

Many thanks,

Des


#11

Using PS do (and show output of):
set-location cert:
cd .\LocalMachine\My
gci | fl Thumbprint,Name,FriendlyName,Subject


#12

Rudy,

PS Cert:\LocalMachine\My> gci | fl Thumbprint,Name,FriendlyName,Subject

Thumbprint : 241D5CDDB6780F75071CEB710DAA5ED67946B80C

FriendlyName : CN=managedstorage.douganconsulting.com

Thanks,

Des


#13

Try changing this to $FALSE and rerun.

Otherwise, have you manually added, or deleted, any certs?
Is the current cert still bound to the site in IIS?

[Again, this may draw attention from those who may know more on the subject:]

If you can’t change the title maybe opening a new post with a more descriptive title would be best.


#14

Cert is still active - I created it originally using ACMESharp.

The change had no effect:

PS C:\Users\Administrator.DCG\Documents> .\ACMESharp.ps1

Id : 0d0797a0-5291-4444-90a0-63616e717c66

Alias :

Label :

Memo :

BaseService : LetsEncrypt

BaseUri : https://acme-v01.api.letsencrypt.org/

Signer :

PkiTool :

GetInitialDirectory : True

UseRelativeInitialDirectory : True

ServerDirectory : {[init, /directory], [directory, /directory], [new-reg, /acme/new-reg], [recover-reg, /recover-reg]…}

Proxy :

ProviderProfiles :

InstallerProfiles :

Registrations : {56f1006c-d5de-4d14-ab27-56af66c7d82d}

Identifiers : {00c64ccc-4d2d-4f50-9a50-f958e8384b98, c09c996b-a62a-4e9f-9641-97d90df18cf8}

Certificates : {ff6a7ce1-ee2d-4afc-b549-add960bd717e, 97f4a8a0-b7eb-4062-add1-38b7dfb5fd9a, 123ff9fe-c34c-49e0-b50c-80cf46c29cf7,

                          aa7fd889-b28a-4c2f-b5b4-0ee6320b0888...}

IssuerCertificates : {[0A0141420000015385736A0B85ECA708, ACMESharp.Vault.Model.IssuerCertificateInfo]}

Id : 37eab4c2-dc00-4f37-bfcc-ec3f6280bd55

Alias : managedstorage2018-11-12–11-04

Label :

Memo :

IdentifierRef : 00c64ccc-4d2d-4f50-9a50-f958e8384b98

IdentifierDns : managedstorage.douganconsulting.com

AlternativeIdentifierDns :

KeyPemFile :

CsrPemFile :

GenerateDetailsFile : 37eab4c2-dc00-4f37-bfcc-ec3f6280bd55-gen.json

CertificateRequest :

CrtPemFile :

CrtDerFile :

IssuerSerialNumber :

SerialNumber :

Thumbprint :

Signature :

SignatureAlgorithm :

RevokedAt :

Submit-ACMECertificate : Error creating new cert :: authorizations for these names not found or expired: managedstorage.douganconsulting.com

At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:54 char:1

+ Submit-ACMECertificate $certname
    + CategoryInfo : PermissionDenied: (ACMESharp.Vault.Model.CertificateInfo:CertificateInfo) [Submit-ACMECertificate], AcmeWebException
    + FullyQualifiedErrorId : urn:acme:error:unauthorized (403),ACMESharp.POSH.SubmitCertificate

update-AcmeCertificate : Certificate has not been submitted yet; cannot update status

At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:57 char:1

+ update-AcmeCertificate $certname
    + CategoryInfo : NotSpecified: (:) [Update-ACMECertificate], Exception
    + FullyQualifiedErrorId : System.Exception,ACMESharp.POSH.UpdateCertificate

Press Enter to continue…:

Get-ACMECertificate : Cannot export PKCS12; private hasn’t been imported or generated

At C:\Users\Administrator.DCG\Documents\ACMESharp.ps1:62 char:1

+ Get-ACMECertificate $certname -ExportPkcs12 $pfxfile
    + CategoryInfo : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate

des


#15

I’m sorry I can’t see why this is failing…
I don’t use ACMEsharp :(
Let me ping some others into this post:
ping @Osiris
ping @JuergenAuer
ping @mnordhoff