How to get email renewal reminders?

IIS 8.5 on Windows Server 2012 R2

I used the ZeroSSL commands to manually create, and later update, my cert but since those instructions don’t include the email parameter (which I thought was going to be updated) I don’t get reminders. How can I set it up to send reminders without having to go through the whole creation or renewal process again? Currently I have reminders configured through SSLshopper but would like it to be tied to the actual cert generator.

I don’t believe there currently exists any functionality to add reminders retroactively.

As specified on GitHub (do-know/Crypt-LE) and in the list of client parameters (also in the examples given if you run the client with --help), if you did not specify your email initially, you can update it later as follows:

    le64.exe --key account.key --update-contacts "one@email.address, another@email.address"

I will reflect that on the usage page.

Can that param be included in the daily renewal process script?
Or would it create an unnecessary update on each renewal attempt?

This parameter has nothing to do with renewal as such - it updates the contacts for your account (so you should be able to receive reminders against the domains linked to that account). You can run that at any time but there is no need to do that more than once unless it's another account or you want to change contact data. There is no harm in running it as often as you like though (as far as I know, there's no rate limiting on that). Keep in mind that update-contacts is a separate command and if that parameter is used, renewal parameters will be ignored.

Thank you for that info. I was not aware of the github page for the actual code. I will manually run this once to add my contact info.

EDIT: ???

    C:\ZE>le64.exe --help
    ZeroSSL Crypt::LE client v0.23
    C:\ZE>le64.exe --key account.key --update-contacts "webmaster@domain.com"
    Unknown option: update-contacts
    2017/10/05 14:20:18 Use --help to see the usage examples.

EDIT EDIT: nvm I saw that the code has been updated and that command was added later. I will update my binary (hopefully the zerossl website has the latest compiled version.)

Indeed that option was added (among some other changes) in v0.24, so in v0.23 it would be missing:

0.24 02 July 2017

  • Client can now be used to update contacts via 'update-contacts' parameter (multiple emails supported).

The releases page should always have the latest binaries and it is linked from ZeroSSL.com.

Do I need to use the --live option also? It didn’t specify.

    C:\ZE>le64.exe --key account.key --update-contacts "webmaster@domain.com"
    2017/10/05 14:34:45 [ ZeroSSL Crypt::LE client v0.27 started. ]
    2017/10/05 14:34:45 Loading an account key from account.key
    2017/10/05 14:34:48 Registering the account key
    2017/10/05 14:34:48 The key is already registered. ID: nnnnnnn
    2017/10/05 14:34:49 Contact details have been updated.
    C:\ZE>

EDIT: so I reran it with the --live option and it gave a different ID number so I assume now I will be getting TWO notifications…one from the test server and one from the live server?

Since the account key does not bear the information regarding whether it is test- or live-server related, indeed --live option would apply the changes to live server, while not having that option would apply the changes to test.

Yes. The staging environment sends emails when staging certificates are going to expire. The production environment sends emails when production certificates are going to expire.

The staging emails clearly say that they're from staging. You'll probably want to just ignore them, and focus on the production emails.

So how can I shut off the TEST emails so I can focus on reality?

For the moment you can just associate it with some spam-trap address. I will push a change with next release to be able to completely remove contacts.

Ok will do. This makes me think (out loud), I wonder if I could put on a black hat and use this in some kind of reflection attack, since the email addresses aren’t verified prior to being used. Hmmm…

…but could you also include a link or attachment…

Just a quick update - in v0.28 released today you can remove your contact details completely by specifying "none" for --update-contacts. So to do that on the test server, you will need to run the client like this:

    le64.exe --key account.key --update-contacts "none"

Regarding how Let's Encrypt notifications work in general, I believe misusing those to the point where they actually cause any significant harm would be rather unlikely. However, it might make sense indeed to add some form of verification, perhaps combined with the verification of the domains themselves.

For example, for the completely new account the contact details would only be set upon successful verification of the domain(s) and only if the email belongs to the verified domain(s). Further contact updates could then limit acceptance of email addresses to any of the domains successfully verified by the account previously.

I agree with the first part: all email addresses should be verified.
But restricting emails to same domain may be too restrictive for those in that service industry.
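
The acceptance rule proposed above (contacts limited to domains the account has already verified) and the objection that it shuts out a service provider's own address, as an added Python example. It is not part of any post in this thread and is not Crypt::LE or Let's Encrypt code; every function name and sample address is constructed for illustration.

```python
# Added illustration of the contact-acceptance policy discussed in the thread.
# All names are hypothetical; this is not Crypt::LE or ACME server code.

def _norm_domain(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def email_domain(address):
    """Return the normalised domain of an address, or None if malformed."""
    address = address.strip()
    if address.lower().startswith("mailto:"):  # ACME contacts are mailto: URIs
        address = address[7:]
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain or any(c.isspace() for c in address):
        return None
    return _norm_domain(domain)


def contact_allowed(address, verified_domains, allow_subdomains=True):
    """Accept the address only if its domain is one the account has verified."""
    domain = email_domain(address)
    if domain is None:
        return False
    for verified in map(_norm_domain, verified_domains):
        if domain == verified:
            return True
        # Match on a label boundary so "evil-example.com" never matches "example.com".
        if allow_subdomains and domain.endswith("." + verified):
            return True
    return False


def filter_contacts(contact_list, verified_domains):
    """Split a comma-separated contact string into (accepted, rejected)."""
    accepted, rejected = [], []
    for item in filter(None, (c.strip() for c in contact_list.split(","))):
        (accepted if contact_allowed(item, verified_domains) else rejected).append(item)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample data: one account with two verified names.
    verified = ["example.com", "*.shop.example.net"]
    contacts = ("webmaster@example.com, ops@mail.example.com, "
                "admin@evil-example.com, support@hosting-provider.test")
    print(filter_contacts(contacts, verified))
```

The last sample address is rejected even though it could be a legitimate hosting provider managing the certificate, which is the restriction the final reply objects to.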
