Windows Server 2019
ZeroSSL Crypt::LE client v0.31
If I create a new subdomain as a separate website on our server, do I just add its full domain name to the existing comma-delimited “--domains” parameter, force a manual renewal, and everything will work like magic? Existing cert covers “ourdomain.com” and “www.ourdomain.com”. Just checking this so I don’t break anything on our server; it uses 6 month browser lock headers…gulp.
Sorry, I wasn’t very clear. Yes, there are multiple parts to all of this. I’ve automated the entire cert renewal process for our existing website, and am only adding a new website on the same server. I am thinking it will be fine, just wanted to verify so I don’t make a mistake and bring down the entire website. Yes, when I actually put the new website up and use the IIS console to configure it, I will bind this one cert to the new site. My renewal batch files do all of that work automagically on renewal.
Because the CSR already stores the existing certificate domains it covers, my question is more specifically: how do I tell LE64.exe to add a new subdomain to my existing certificate? Do I have to generate a new secret key, etc, etc…?
Yeah, more work than I thought. Too bad I couldn’t find step-by-step instructions on the ZeroSSL website to more easily add a domain (or remove one) from an existing setup. I had to generate a new CSR with the new domain added to the others, generate a new key, and then figure out how to integrate it into my normal renewal process. Still trying to figure out how to manually run it “the first time” to generate a cert to begin with, since the LE website is down at this time.
EDIT: site is back up and now my testing is going through. Seems everything works except I still don’t have the DNS entry finalized so it dies at that step. Thanks for the comments everyone, they helped!
You just need to delete the CSR file you have previously created (and used for the --csr parameter) and run the command as before, but specifying the additional domain along with the old ones in --domains. That's all.
There was a big red “maintenance” bar at the top of this website and my test cert attempts wouldn’t connect, so I assumed that the live server and test server are different and that during maintenance the test site was unavailable. Since everything is back up now the point is moot.
However, to the other question I had, I think I tried it without the --csr parameter and it complained that I needed to supply a CSR, so I simply went to the ZeroSSL webpage and generated a new CSR and a new key and am using those now. I think it will work as soon as I get my new DNS entry added. I had tried --generate-missing and --generate-only but those also complained. It was a few days ago so I don’t remember the exact error text. At any rate, after I created a new CSR & key it should be fine.
So I finally got back to this. The problem I’m having is that I added a new domain for a different site, so in the LE64.exe parameter list there is a “--path” statement. That path is wrong for the new website I added. How do I do the renewal with a different path for a single certificate? This is probably the question I should have asked much sooner in the chain…sorry…
2019/04/16 16:11:53 [ ZeroSSL Crypt::LE client v0.31 started. ]
2019/04/16 16:11:53 Path to save challenge files into should be a writable directory for: \inetpub\cms.mydomain.com\cms\.well-known\acme-challenge --unlink --issue-code 100
The ACLs are set to [C] for the account the app pool is running under, plus Administrators has [F] and System has [F].
However, the actual problem in your case is the trailing backslash before the closing quote - this is specific to Windows and this is why you see the rest of the parameters along with the path in that error message. Fun fact - if you try to quote the path you posted right here, you will also notice that it is not displayed in the same way here either.
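To see why the trailing backslash drags the following options into the path, here is an added example (not from this thread and not Crypt::LE code) that applies the Windows C runtime / CommandLineToArgvW quoting rules to a command line; it is a simplified model, and the `le64.exe` command lines used as input are constructed with placeholder paths.

```python
# Added example, not Crypt::LE code: a simplified model of how a Windows
# program receives its argv (CommandLineToArgvW / MSVC runtime rules):
# 2n backslashes + '"' -> n backslashes and a quote toggle; 2n+1 backslashes
# + '"' -> n backslashes and a literal '"'; other backslashes are literal.

def windows_split(cmdline: str) -> list[str]:
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:  # odd run: the quote is escaped, not a delimiter
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args

def path_argument(cmdline: str) -> str:  # the value the program really sees for --path
    args = windows_split(cmdline)
    return args[args.index("--path") + 1]

# Constructed command lines; the paths are placeholders, not the poster's.
BAD = r'le64.exe --path "\inetpub\site\.well-known\acme-challenge\" --unlink --issue-code 100'
GOOD = r'le64.exe --path "\inetpub\site\.well-known\acme-challenge" --unlink --issue-code 100'
DOUBLED = r'le64.exe --path "\inetpub\site\.well-known\acme-challenge\\" --unlink --issue-code 100'

if __name__ == "__main__":
    for name, cl in (("bad", BAD), ("good", GOOD), ("doubled", DOUBLED)):
        print(name, "->", repr(path_argument(cl)))
```

Either drop the trailing backslash (GOOD) or double it (DOUBLED) so the closing quote is seen as a delimiter again.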
That was it! Thank you, I would have spent days trying things… <3
Now to get our new MVC site to allow raw reads and not insert its oversight and mess things up (the challenge response is returning a “real” webpage HTML code due to the CMS…ugh…). Not anything to do with the cert at this point, so thanks again!
What is the content of the file the challenge writes to the acme-challenge directory? Is it just a text file without a file extension that contains a private key or something like that? Specifically, does it contain any HTML code? I can write to that directory and even view a webpage without logging in, however the challenge file keeps getting denied and has HTML in it.
Yes, just a text file with no extension and a specific "hash" inside it, which you can treat as a set of random readable characters.
You can create a simple file with no extension and with some text inside and try accessing it with your browser. Make sure though to "View source" the resulting page. If you see some HTML there instead of your text, that often means that server is not configured to serve the files with no extension and returns an error page instead. If you see some HTML along with your text, that might mean that the server or CMS are doing some sort of "framing" for example (such as "cloaked redirect" some hosters offer, displaying the content of some other server in the iframe).
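As an added check for the situation described above (not code from this thread or from Crypt::LE): fetch a test file from the acme-challenge directory and classify what came back against the text you put in it. The sample responses, token and URL below are constructed placeholders.

```python
# Added example, not Crypt::LE code: classify what a web server returns for
# a test file placed in .well-known/acme-challenge, following the advice
# above (compare against the expected text and look for HTML around it).
import re
import urllib.request

HTML_RE = re.compile(r"<\s*(!doctype|html|body|iframe|frameset)\b", re.IGNORECASE)


def classify_challenge_response(expected: str, body: str) -> str:
    """Return one of: 'ok', 'error-page', 'framed', 'mismatch'."""
    text = body.strip()
    if text == expected:
        return "ok"             # served verbatim: what the ACME server needs
    has_html = HTML_RE.search(text) is not None
    if has_html and expected in text:
        return "framed"         # our text is there but wrapped in someone's HTML
    if has_html:
        return "error-page"     # extensionless file not served; an error/CMS page
    return "mismatch"           # wrong or stale content, e.g. a cached copy


def probe(url: str, expected: str, timeout: float = 10) -> str:
    """Fetch url and classify the body; network errors are reported, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except Exception as exc:  # HTTPError (404 etc.) and URLError both land here
        return f"unreachable: {exc}"
    return classify_challenge_response(expected, body)


# Constructed sample responses; the token is a placeholder, not a real one.
TOKEN = "constructed-token-xK9q7r"
SAMPLES = {
    "plain": TOKEN + "\r\n",
    "iis404": "<!DOCTYPE html><html><head><title>404 - File or directory not found."
              "</title></head><body><h1>Server Error</h1></body></html>",
    "cms": "<html><body><div class='page'>" + TOKEN + "</div></body></html>",
    "stale": "old-token-from-last-week",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:7} -> {classify_challenge_response(TOKEN, body)}")
    # Live check against your own site (placeholder URL):
    # print(probe("http://cms.example.com/.well-known/acme-challenge/testfile", TOKEN))
```

On IIS the usual cause of the "error-page" result is the missing MIME mapping for extensionless files; a web.config in the acme-challenge directory with a staticContent mimeMap for fileExtension="." and mimeType="text/plain" makes IIS serve them as plain text.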