How to find out when and how Let's Encrypt issuance was configured?

As it turns out it was buried much, much deeper than that.

Yes, that is correct. Due to an abundance of stubbornness and an indomitable will I have "solved" it.

By "solved" I mean I got very, very lucky. Truly it was the nudges and prompts from the giants here upon which I am blessed to stand on their shoulders.

Giving it one last effort before walking away and setting up a completely new system using CertBot, I launched one final search. Rather than by name, I searched by time. If we did do the deed, there HAS to be a record. I was painstakingly combing through the search results, glassy-eyed and ready to give up when the anomaly popped up - a folder that I had not seen before, nor had it popped up on the searches based on the names of the ACME clients.

WACS.

What is a WACS? One waaaaaaaay too long Google-Fu session trying to get around the plethora of results for the Women's Army Corps of WWII, and all was revealed : Win. Acme. Also known by the moniker of WACS. Son of a...

I fired it up, and I found there is a log system of sorts. There it was - a perfect match of all the times the system jumped the tracks and successfully ran. It was a semi-automated system, in that it was screaming for help to an e-mail address that no longer existed and after many tries, restarted itself and started working again. It is why nothing appeared to match up to server restarts, et cetera.

For lack of a standardized naming convention, all was almost lost. That was why searching for Win Acme or Win-Acme netted nothing. There still isn't anything in the scheduler. There is no trace of anything at all if you do not know the keyword, so to speak. So someone here - in 2019 - set this ball rolling and good, bad or indifferent left behind zero documentation on it.

To paraphrase Adam Savage : the difference between science and screwing around is writin' it down. I will say it in the parlance of my dear ol' Comp Sci professor : Document. Everything. Way too many hours were needlessly wasted here because someone didn't take the time to document the trivial.

Thank you once again to one and all for helping me see the forest for the trees here. I do not have a clue to whom I should give the credit, so I will leave it to the collective wisdom of the brilliant people here. I would be more than happy to credit whomever you shove to the fore should they be bash-ful. :wink:

I am humbled, and still in awe of the sheer talent of everyone that chipped in so sincerely -

Thank you.

6 Likes

Glad you solved it, maybe look at upgrading that to the latest version as well.

Sorry, I could have tried to include its pseudonyms earlier: letsencrypt-win-simple/LEWS, win-acme/Windows ACME Simple (WACS). It didn't create the C:\ProgramData\win-acme folder or you just didn't see it? C:\ProgramData is hidden in Windows Explorer by default but it's still there.

8 Likes

I'm so glad you figured it out!

9 Likes

It was buried in a sub-folder of a sub-folder of a sub-folder in the non-standard-named WordPress installation, so about as non-standard as it gets. The object was security through obscurity, I guess? Dunno. With zero documentation I can only guess at the motivations here.

1 Like

I guess one strategy that I might have thought of sooner is to search your whole disk for the string https://acme-v02.api.letsencrypt.org/ (e.g. with grep -r on Unix). This string should appear literally in every ACME client, regardless of language of implementation, unless it's in a file that's stored compressed on disk (which I don't think is that likely in this context).

(I'm not sure whether Windows clients with native UTF-16 strings would insert NUL bytes in between the characters of the URL, but maybe I should download a couple and check!)

Edit: to deal with more roundabout URL query libraries, it might be more thorough to search just for acme-v02.api.letsencrypt.org rather than https://acme-v02.api.letsencrypt.org/.

7 Likes
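The whole-disk string search suggested in the post above, as an added example that is not part of the original thread: it walks a directory tree and reports files containing the hostname either as plain ASCII/UTF-8 bytes or as UTF-16LE, which covers the NUL-interleaved case the post raises. The function names and the sample files built by `demo()` are constructed for illustration.

```python
import os
import sys
import tempfile

NEEDLE = "acme-v02.api.letsencrypt.org"
# ASCII/UTF-8 form, plus UTF-16LE (NUL after each character) for native Windows strings.
PATTERNS = {"ascii": NEEDLE.encode("ascii"), "utf-16le": NEEDLE.encode("utf-16-le")}
CHUNK = 1 << 20  # read 1 MiB at a time so large files are not loaded whole
OVERLAP = max(len(p) for p in PATTERNS.values()) - 1  # catch matches split across chunks

def file_hits(path):
    """Return the set of encodings in which NEEDLE occurs in the file."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            window = tail + chunk
            found.update(n for n, pat in PATTERNS.items() if pat in window)
            tail = window[-OVERLAP:]
    return found

def scan(root):
    """Walk root and return {path: encodings} for every matching file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                found = file_hits(path)
            except OSError:
                continue  # locked or unreadable file: skip it
            if found:
                hits[path] = found
    return hits

def demo():
    """Constructed sample tree: a UTF-8 config, a UTF-16LE blob and a miss."""
    url = "https://acme-v02.api.letsencrypt.org/"
    deep = os.path.join(tempfile.mkdtemp(), "site", "a", "b")
    os.makedirs(deep)
    samples = {"config.json": b'{"directory": "%s"}' % url.encode(),
               "client.bin": b"\x00\x01" + url.encode("utf-16-le"),
               "readme.txt": b"nothing here"}
    for name, data in samples.items():
        with open(os.path.join(deep, name), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): e for p, e in scan(os.path.dirname(deep)).items()}

if __name__ == "__main__":
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the root directory to inspect as the only argument; matches in compressed files are still missed, as the post notes.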

Glad to see you solved the mystery.

However, I am curious that there should be a scheduled task that matches cert issuance time. Searching the event log probably gives you some hint.

2 Likes

See, that was the thing. There was no trace of it to be found in the logs, scheduler - nothing.

Unless the previous staff did something that once again resorted to a non-standard naming convention, then who knows? It could be staring me right in the face and I wouldn't know it.
