It's now 2 months down the road and the scheduled task to auto-renew is failing me.
Already used 3 attempts of the 5 allowed to do cert renewal and want to use my last 2 attempts for the week in a constructive way.
First of all, I never heard from @NetoMeter about an "updated v2 script via a PM", so I hope this v2 update is now available and I can use it for the Exch2016 cert renewal.
Secondly, the log below is an attempt to renew the cert and I wonder where I am going wrong. I understand the issue somewhat, but need advice on getting this right this time round before attempting another request, since I only have 2 attempts left.
I'd also like to thank @ahaw021 for his previous comment on another forum post and hope he can shed some light on this error log too, as well as others.
Thanks for your support.
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\Shelob> cd C:\Tools
PS C:\Tools> .\ACME-Exchange.ps1
Creating a new identifier for mail.mydomain.com ...
New-ACMEIdentifier : An item with the same key has already been added.
At C:\Tools\ACME-Exchange.ps1:11 char:2
+ New-ACMEIdentifier -Dns $FQDN -Alias $FQDN | select status, Expires
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-ACMEIdentifier], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,ACMESharp.POSH.NewIdentifier
Completing the challenge for the new identifier for mail.mydomain.com ...
Submitting the new identifier for mail.mydomain.com ...
Submit-ACMEChallenge : no challenge found matching requested type
At C:\Tools\ACME-Exchange.ps1:17 char:2
+ Submit-ACMEChallenge $FQDN -ChallengeType http-01 | select Identifier, status, ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Submit-ACMEChallenge], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,ACMESharp.POSH.SubmitChallenge
Update-ACMEIdentifier : no challenge found matching requested type
Parameter name: type
At C:\Tools\ACME-Exchange.ps1:21 char:19
+ $auth = ((Update-ACMEIdentifier $FQDN -ChallengeType http-01).Challenges ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Update-ACMEIdentifier], ArgumentOutOfRangeException
+ FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.UpdateIdentifier
Waiting for a valid authorization ... Current status is
Update-ACMEIdentifier : no challenge found matching requested type
Parameter name: type
At C:\Tools\ACME-Exchange.ps1:21 char:19
+ $auth = ((Update-ACMEIdentifier $FQDN -ChallengeType http-01).Challenges ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Update-ACMEIdentifier], ArgumentOutOfRangeException
+ FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.UpdateIdentifier
You might be confusing two different rate limits. You can obtain 5 identical certificates per week ("Duplicate Certificate" rate limit). But you can make 5 failed attempts to obtain certificates per hour, not per week ("Failed Validation" rate limit). Since you didn't actually obtain your certificate, you have 2 more attempts available this hour, not this week.
OK, I am getting somewhere and would like to get LE's take on this…
I am getting expiration notices to the admin mailbox, which is great, but it is showing the wrong expiration; it's out by 5 days.
[Your certificate (or certificates) for the names listed below will expire in 19 days (on 10 Oct 17 06:52 +0000). ]
The site is private so I don't want to reveal it in public, but I'm happy to PM someone if they want to check, as well as advise why, when doing New-ACMECertificate, I am getting the below:
I read somewhere that the retention period for previous certificate requests is held by LE for 60 days (I might be wrong) and that any attempts to renew/request new certs for the DNS entity you are trying to register a certificate for will fail.
Is this the case with me? As of yesterday, the request passed validation and I was able to get a new Exchange cert from LE.
I didn’t understand what you meant by “retention period”, but if you mean that renewals are forbidden until the certificate is 60 days old, that’s not the case at all. Renewals or other duplicative or overlapping certificates are permitted at any time, including immediately after the issuance of the original certificate.
There are rate limits that limit how often you can obtain duplicative certificates:
As long as you comply with the rate limits, you can renew whenever you like.
Let’s Encrypt recommends renewing after 60 days so that you have 1 month to notice and to deal with the problem if the renewal fails for some reason. This is the default implemented in the automated renewal features in Certbot and in some other Let’s Encrypt clients.
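The two replies above describe a renewal policy (renew once the certificate is about 60 days old, leaving a month of margin) and a budget (no more than 5 failed validations per hour). The following is an added example, not the ACME-Exchange.ps1 script from this thread nor anything published by NetoMeter or Let's Encrypt: a pre-flight guard a scheduled task can run before calling the ACME script, so a misconfigured run does not burn through the hourly failed-validation budget. It assumes the current certificate sits in the local machine "My" store, that `mail.mydomain.com` is the placeholder name used in the thread, and that the attempt-log path is a made-up location for this example.

```powershell
# Added example: pre-flight guard for a scheduled ACME renewal task.
# Not the thread's ACME-Exchange.ps1; it only decides whether a renewal
# run should be attempted now. Assumptions: cert is in Cert:\LocalMachine\My,
# $FQDN is the thread's placeholder, $AttemptLog is an invented path.

$FQDN             = 'mail.mydomain.com'                 # placeholder from the thread
$RenewAfterDays   = 60                                  # LE recommendation: renew at 60 days, 30-day margin
$MaxFailedPerHour = 5                                   # "Failed Validation" rate limit is per hour, not per week
$AttemptLog       = 'C:\Tools\acme-failed-attempts.log' # assumed path, one ISO timestamp per failed validation

function Get-CurrentCertificate {
    # Newest certificate in the machine store whose SAN list or CN matches the FQDN.
    param([string]$Name)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { ($_.DnsNameList.Unicode -contains $Name) -or ($_.Subject -like "*CN=$Name*") } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-RenewalDue {
    # True when the certificate is missing or at least $AfterDays old.
    # Renewing earlier is permitted (only the duplicate-certificate limit applies);
    # the 60-day cadence just leaves a month to notice and fix a failing renewal.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$AfterDays = $RenewAfterDays,
        [datetime]$Now = (Get-Date)
    )
    if (-not $Cert) { return $true }
    $ageDays = ($Now - $Cert.NotBefore).TotalDays
    return ($ageDays -ge $AfterDays)
}

function Get-RecentFailureCount {
    # Number of failed validations logged within the last hour.
    param([string]$Path = $AttemptLog, [datetime]$Now = (Get-Date))
    if (-not (Test-Path $Path)) { return 0 }
    $cutoff = $Now.AddHours(-1)
    $recent = Get-Content $Path |
        ForEach-Object { [datetime]::Parse($_, [cultureinfo]::InvariantCulture) } |
        Where-Object { $_ -gt $cutoff }
    return @($recent).Count
}

function Register-FailedAttempt {
    # Call this from the renewal script when the authorization comes back invalid.
    param([string]$Path = $AttemptLog)
    Add-Content -Path $Path -Value (Get-Date -Format o)
}

# ---- main ----
$cert = Get-CurrentCertificate -Name $FQDN
if ($cert) {
    $daysLeft = ($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Current cert: NotBefore {0:u}, NotAfter {1:u}, {2:N0} days left" -f $cert.NotBefore, $cert.NotAfter, $daysLeft)
}

if (-not (Test-RenewalDue -Cert $cert)) {
    Write-Host "Certificate is younger than $RenewAfterDays days; nothing to do."
    exit 0
}

$failures = Get-RecentFailureCount
if ($failures -ge $MaxFailedPerHour) {
    Write-Warning "$failures failed validations logged in the last hour; wait for the hourly window to pass."
    exit 1
}

Write-Host "Renewal due; $($MaxFailedPerHour - $failures) failed attempts left this hour. Running the ACME renewal."
# & C:\Tools\ACME-Exchange.ps1   # the thread's script; on a failed authorization call Register-FailedAttempt
```

Run this as the scheduled task's entry point and have it hand off to the real renewal script only when both checks pass. The age check, not the expiry-notice e-mail, is what should drive the cadence; the failure counter makes the per-hour limit visible in the task's own output, so a broken HTTP-01 path stops after a few runs instead of every time the task fires.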
Thanks for that. I can confirm I tried v2 of the script and it seems to work OK for auto-renewals; I will do another scheduled-task renewal tomorrow to make sure this works again.