LE Renewal Challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: workfolders.tundrarum.co.za

I ran this command: le64.exe -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "workfolders.tundrarum.co.za" -path .\ -live

It produced this output:
[ Crypt::LE client v0.38 started. ]
Loading an account key from account.key
Loading a CSR from domain.csr
Registering the account key
The key is already registered. ID: 296083230
Current contact details: sanitised@tundrarum.co.za
Successfully saved a challenge file './RE2kdsNPJAKZpKvAPhYg2et0gfQ7NYaTiyvxMEZ-17w' for domain 'workfolders.tundrarum.co.za'
Domain verification results for 'workfolders.tundrarum.co.za': error. Fetching http://workfolders.tundrarum.co.za/.well-known/acme-challenge/RE2kdsNPJAKZpKvAPhYg2et0gfQ7NYaTiyvxMEZ-17w: Timeout during connect (likely firewall problem)
Challenge file './RE2kdsNPJAKZpKvAPhYg2et0gfQ7NYaTiyvxMEZ-17w' has been deleted.
All verifications failed

My web server is (include version): IIS HWC for WorkFolders

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Self-Host

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): LE client v0.38

I'm having a problem with the challenge. How do I automate the renewal? It is not a normal IIS website; it is a Hostable Web Core and doesn't provide a normal web interface. If I use a DNS challenge each time, I can't automate the renewal, as I have to update O365 DNS TXT records. I thought the account key and CSR were supposed to work around that after the first use.

You need to issue a certificate to begin with before there is anything to renew.

What's a "hostable web core"? Perhaps you could explain for the non-IIS users.

How do you mean?


I have already created the first certificate using a DNS challenge.

Hostable Web Core is a very trimmed down version of IIS that is installed when a full IIS installation is not required. It provides the barest requirements to allow you to provide some sort of web app, in my case Work Folders.

This website, Simplifying LetsEncrypt on Windows, suggests that if you have the .key and .csr files, you don't need to do the DNS challenge each time...

The guide is probably missing some info. Valid authorizations for a certain hostname are indeed cached, but only for 30 days. Let's Encrypt's certificates are valid for 90 days and Let's Encrypt recommends renewing 30 days before expiry (so 60 days after issuance). At that time, the valid authorization isn't cached any longer and will be invalid, so a new authorization is required again.

Also, you haven't issued any certificate for workfolders.tundrarum.co.za yet, as proven by certificate transparency log aggregators such as crt.sh | workfolders.tundrarum.co.za. Maybe you did have a valid authorization, but quit the issuance JUST at the time between authorization and issuance? But chances are greater that you don't have a valid authorization for workfolders.tundrarum.co.za.

I do see 5 identical certificates for *.tundrarum.co.za: https://crt.sh/?q=tundrarum.co.za&deduplicate=Y But that's a different hostname. Also, please don't issue more than one certificate unnecessarily. Those 4 extra certificates are only adding more load on the Let's Encrypt infrastructure.


I don't know why there are 5 certificates... And they are all from 2 years ago.

I now see I had created the certs with the staging servers and not live. I've now got a live certificate. How would I renew it automatically in 60-odd days? Will there be a challenge? What type of challenge would that be? I cannot use a file creation challenge (there is no actual website) or a DNS challenge (this requires manual intervention).

Whoops, I saw 11-14 and didn't look at the 2019 before that, my apologies.

I don't have experience with le64.exe, please check its manual.

Yes.

Probably the same as what you did now to verify the hostname. Most ACME clients store that info somewhere and try to do the same at renewal. If that "something" is a manual, non-automated step, then automated renewal won't work.

Reverse proxies can be a solution for something like this.

The Let's Encrypt validation server follows CNAME DNS resource records, and by using that, systems such as "acme-dns" are possible. This might also be a solution for you. Just set up a CNAME to a DNS server/service you can automate. The ACME client you use should of course have support for something like this too.

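Added example (not from the thread, and not Crypt::LE or acme-dns code): a Python simulation of what the CNAME-delegation answer above relies on. It computes the DNS-01 TXT value the way RFC 8555 defines it and then resolves `_acme-challenge.<host>` the way a validator does, following the CNAME into a zone the automation can write to. The delegation target, token and account thumbprint are constructed values; the records are an in-memory stand-in for real DNS, so it runs offline.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 DNS-01: TXT rdata = base64url(SHA-256(token '.' JWK thumbprint)),
    without '=' padding. This is what the automated DNS service must publish."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

# Constructed sample data: token and thumbprint are made up, and the
# delegation target is an assumed acme-dns style name, not a real record.
HOST = "workfolders.tundrarum.co.za"
TOKEN = "constructed-challenge-token"
THUMBPRINT = "constructed-account-thumbprint"
DELEGATED = "a1b2c3d4.auth.acme-dns.example"

# (owner name, rtype) -> rdata list. Only _acme-challenge is a CNAME; the
# host's other records are untouched, so the delegation is narrowly scoped.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    (f"_acme-challenge.{HOST}", "CNAME"): [DELEGATED],
    (DELEGATED, "TXT"): [dns01_txt_value(TOKEN, THUMBPRINT)],
    # A misconfigured loop, to show the resolver gives up instead of hanging.
    ("_acme-challenge.loop-a.example", "CNAME"): ["_acme-challenge.loop-b.example"],
    ("_acme-challenge.loop-b.example", "CNAME"): ["_acme-challenge.loop-a.example"],
}

def resolve_txt(name: str, records: Dict[Tuple[str, str], List[str]],
                max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name` until a TXT RRset (or nothing) is found.
    Returns (final owner name, txt values); raises ValueError on a loop."""
    current = name.lower().rstrip(".")
    seen: List[str] = []
    while True:
        txt = records.get((current, "TXT"))
        if txt:
            return current, list(txt)
        cname = records.get((current, "CNAME"))
        if not cname:
            return current, []
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or too many hops at {current}")
        seen.append(current)
        current = cname[0].lower().rstrip(".")

def dns01_passes(host: str, token: str, thumbprint: str,
                 records: Dict[Tuple[str, str], List[str]]) -> bool:
    """Validator's view: does any TXT reachable from _acme-challenge.<host>
    equal the expected value for this token and account?"""
    try:
        _, values = resolve_txt(f"_acme-challenge.{host}", records)
    except ValueError:
        return False
    return dns01_txt_value(token, thumbprint) in values
```

Renewal then only needs the automated service to publish a fresh TXT under the delegated name; the CNAME in the O365-managed zone never changes.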