LE ACME-Exchange.ps1 Exchange 2016 Renewal issues (part 2)

This is a follow-up to the closed topic on LE ACME-Exchange.ps1 Exchange 2016 Renewal issues

It's now 2 months down the road and the scheduled task to auto-renew is failing me.
Already used 3 attempts of the 5 allowed to do cert renewal and want to use my last 2 attempts for the week in a constructive way.

First of all, I never heard from @NetoMeter about the "updated v2 script via a PM", so I hope this v2 update is now available and I can use it for exch2016 cert renewal.

Secondly, the log below is an attempt to renew the cert and I wonder where I am going wrong. I understand the issue somewhat, but need advice on getting this right this time round before attempting another request, since I only have 2 attempts left.

I'd also like to thank @ahaw021 for the previous comment on the other forum post and hope he can shed some light on this error log too, as well as others.

Thanks for your support.

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\Shelob> cd C:\Tools
PS C:\Tools> .\ACME-Exchange.ps1

 Creating a new identifier for mail.mydomain.com ...
New-ACMEIdentifier : An item with the same key has already been added.
At C:\Tools\ACME-Exchange.ps1:11 char:2
+     New-ACMEIdentifier -Dns $FQDN -Alias $FQDN | select status, Expires
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-ACMEIdentifier], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,ACMESharp.POSH.NewIdentifier
 Completing the challenge for the new identifier for mail.mydomain.com ...

 Submitting the new identifier for mail.mydomain.com ...
Submit-ACMEChallenge : no challenge found matching requested type
At C:\Tools\ACME-Exchange.ps1:17 char:2
+     Submit-ACMEChallenge $FQDN -ChallengeType http-01 | select Identifier, status,  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Submit-ACMEChallenge], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,ACMESharp.POSH.SubmitChallenge

Update-ACMEIdentifier : no challenge found matching requested type
Parameter name: type
At C:\Tools\ACME-Exchange.ps1:21 char:19
+         $auth = ((Update-ACMEIdentifier $FQDN -ChallengeType http-01).Challenges ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Update-ACMEIdentifier], ArgumentOutOfRangeException
+ FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.UpdateIdentifier


 Waiting for a valid authorization ... Current status is
Update-ACMEIdentifier : no challenge found matching requested type
Parameter name: type
At C:\Tools\ACME-Exchange.ps1:21 char:19
+         $auth = ((Update-ACMEIdentifier $FQDN -ChallengeType http-01).Challenges ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Update-ACMEIdentifier], ArgumentOutOfRangeException
+ FullyQualifiedErrorId : System.ArgumentOutOfRangeException,ACMESharp.POSH.UpdateIdentifier

I’ve responded to your request in the related ticket: https://github.com/ebekker/ACMESharp/issues/294

You might be confusing two different rate limits. You can obtain 5 identical certificates per week ("Duplicate Certificate" rate limit). But you can make 5 failed attempts to obtain certificates per hour, not per week ("Failed Validation" rate limit). Since you didn't actually obtain your certificate, you have 2 more attempts available this hour, not this week.
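To make the distinction in the reply above concrete, here is an added example (not code from the thread or from ACMESharp) that tracks the two budgets separately over a constructed per-account event log: failed validations against an hourly window, duplicate certificates against a weekly window for an identical name set. The limit values are the ones stated in the reply; the event-log shape and function names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Limits as stated in the reply above (Let's Encrypt, 2017 values).
DUPLICATE_CERT_LIMIT = 5      # identical certificates per week
FAILED_VALIDATION_LIMIT = 5   # failed validations per hour
WEEK = timedelta(days=7)
HOUR = timedelta(hours=1)

# Constructed event log for one ACME account: (timestamp, outcome, names).
# Three failed validations inside the last hour and nothing issued,
# i.e. the situation the original poster describes.
SAMPLE_EVENTS = [
    (datetime(2017, 9, 20, 9, 40), "failed", frozenset({"mail.mydomain.com"})),
    (datetime(2017, 9, 20, 9, 55), "failed", frozenset({"mail.mydomain.com"})),
    (datetime(2017, 9, 20, 10, 10), "failed", frozenset({"mail.mydomain.com"})),
]

def _in_window(ts, now, window):
    # Sliding window: an event stops counting once it is `window` old.
    return now - window < ts <= now

def failed_validations_left(events, now):
    """Failed-validation budget left in the hour ending at `now`."""
    failed = sum(1 for ts, outcome, _ in events
                 if outcome == "failed" and _in_window(ts, now, HOUR))
    return max(0, FAILED_VALIDATION_LIMIT - failed)

def duplicate_certs_left(events, names, now):
    """Duplicate-certificate budget left for this exact name set in the week ending at `now`."""
    wanted = frozenset(names)
    issued = sum(1 for ts, outcome, n in events
                 if outcome == "issued" and n == wanted and _in_window(ts, now, WEEK))
    return max(0, DUPLICATE_CERT_LIMIT - issued)

def next_failed_validation_slot(events, now):
    """Earliest time a failed-validation slot frees up; `now` if one is free already."""
    if failed_validations_left(events, now) > 0:
        return now
    recent = sorted(ts for ts, outcome, _ in events
                    if outcome == "failed" and _in_window(ts, now, HOUR))
    # The budget opens again when enough of the oldest failures age out of the hour.
    return recent[len(recent) - FAILED_VALIDATION_LIMIT] + HOUR

def renewal_allowed(events, names, now):
    return failed_validations_left(events, now) > 0 and duplicate_certs_left(events, names, now) > 0

if __name__ == "__main__":
    now = datetime(2017, 9, 20, 10, 30)
    print(failed_validations_left(SAMPLE_EVENTS, now))                        # 2 this hour
    print(duplicate_certs_left(SAMPLE_EVENTS, {"mail.mydomain.com"}, now))    # 5 this week
```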

@ebekker
I will check, thanks

@schoen
thanks for clarifying the rate limits, this seems quite fair.

OK, I am getting somewhere and I'd like to get LE's take on this…

I am getting expiration notices to the admin mailbox, which is great, but it is showing the wrong expiration; it's out by 5 days.
[Your certificate (or certificates) for the names listed below will expire in 19 days (on 10 Oct 17 06:52 +0000). ]

The site is private so I don't want to reveal it in public, but I'm happy to PM someone if they want to check, as well as asking why, when doing New-ACMECertificate, I am getting the below:

The ACME log shows, for one of the SANs:

Identifier || Status || Expires
alias.something.com || pending || 27.9.2017 8:29:20

Id : 93fe711e-eebe-47d2-8915-25bff5b5e80b
Alias : alias.something.com_2017-09-20–10-28
Label :
Memo :
IdentifierRef : 21cd637f-3712-4b99-86c3-946c1c63b521

again the wrong date; my LE cert is currently valid from 17.7.2017 to 15.10.2017

Thanks for input on this.

@schoen
@ahaw021

I read somewhere that the retention period for previous certificate requests is held by LE for 60 days (might be wrong) and that any attempts to renew/request new certs for the DNS entity you are trying to register a certificate for will fail.

Is this the case with me? As of yesterday the request passed validation and I was able to get a new Exchange cert from LE.

Hi @aleon,

I didn’t understand what you meant by “retention period”, but if you mean that renewals are forbidden until the certificate is 60 days old, that’s not the case at all. Renewals or other duplicative or overlapping certificates are permitted at any time, including immediately after the issuance of the original certificate.

There are rate limits that limit how often you can obtain duplicative certificates:

https://letsencrypt.org/docs/rate-limits/

As long as you comply with the rate limits, you can renew whenever you like.

Let’s Encrypt recommends renewing after 60 days so that you have 1 month to notice and to deal with the problem if the renewal fails for some reason. This is the default implemented in the automated renewal features in Certbot and in some other Let’s Encrypt clients.

I’ve just sent you a message with the v2 of the script.

@NetoMeter

Thanks for that, I can confirm I tried the v2 of the script and it seems to work OK for auto-renewals; I will do another scheduled-task renewal tomorrow to make sure this works again.

NetoMeter, where can the rest of us get your V2 script?

Thanks… :smiley:

I’ve sent you a link with instructions.