Le64.exe not creating file in windows server 2012?

I ran openssl for the two files:
C:\ZE>openssl genrsa -out account.key 4096
C:\ZE>openssl genrsa -out mydomain.key 2048

Then I ran the following command and get this output at a command prompt with Administrator access:
C:\ZE>le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt
mydomain.crt --domains "www.domain.com,domain.com" --generate-missing --generate-only
2017/05/24 14:32:07 [ ZeroSSL Crypt::LE client v0.23 started. ]
2017/05/24 14:32:07 Loading an account key from account.key
2017/05/24 14:32:07 Loading a CSR from mydomain.csr

All files are in the current directory. I have my valid domain name within the --domains quotes.

What am I not doing correctly to create the file I need to copy into the .well-known directory to have the domain be validated? How do I get the .crt file? Or perhaps I simply don’t understand the process…my ISP requires that I FTPS files to a staging server that gets mirrored every 5 minutes so I can’t use a cert process that expects to do everything all at once in one command…

Hi @mushu,

You didn't tell us exactly what error or behavior you see subsequently in the process. But I think the five-minute delay in updating your site content might be related to the problem. Is the client prompting you to create specific files at a particular time? Is it then waiting for you to confirm that you've done so?

Hi @mushu

following on from here: Migrating webserver off ISP to own boxes (IIS 8.5)

But I have full control over the new boxes and can enable port 80/443 on them to the public--but of course DNS is still pointing to our ISP-hosted site.

Neither lets-win-encrypt simple nor le64.exe will work if you have a delay between writing files (from the client) and them being available on your web server (the FTPS delay you are describing).

The best option from here is to use zerossl which gives you more granular control over the process

As always there is an article here to help you out :smiley: Let's Encrypt Part 1 - Issuing and Installing Certificates for Microsoft IIS the "Easy Way"

Once the DNS records are pointing directly to your IIS Server and your boxes then swap to LE64.exe

This is a client limitation and just something you need to plan :smiley:

@schoen both of the clients just march on with the HTTP challenge (i.e. create the folder and then submit the challenge without user intervention)

Andrei


I’m completely biased (because I wrote it), but unless what you're trying to do won’t work in Certify SSL Manager I’d suggest you give it a try (https://certifytheweb.com). If it won’t work for you please let me know why and I’ll see what I can do to improve it.

hi @webprofusion

Apologies I do forget your client. I noticed you released a new version which I have not yet tested

I received your email about the new version.

I like your use of Encrypted File System for sensitive files and your IIS TLS config tool as well.

It might be a good idea to post a section in the client-dev topic so others are aware.

Will be happy to do testing and paste screenshots similar to what I did here: New Windows client - ZeroSSL as Win32/Win64 binaries

Andrei


--generate-only is useful when for example you just need keys and CSR created and then use that CSR for something (like pass it to some CA). The process stops there and does not go any further. I only mentioned that option because it was not 100% clear what you initially wanted in another thread :slight_smile: So in your case you should not need it.

In your case the command would likely need to be:

le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt
mydomain.crt --domains "www.domain.com,domain.com" --generate-missing --live

Notice --live option - it is needed to issue a "real" trusted certificate. You might want to try and create a test one first though (by running the same command without --live).

NB: The client gives a few usage examples if you just run it with --help option. To make reading of that help more comfortable, you can either redirect it into a file and read that file later or use "more" and use spacebar to list through screens. For example:

le64 --help > read.txt

or

le64 --help | more


It seems to me that both the zerossl CLI (LE64.exe) and the letsencrypt-win-simple Windows clients would work for me IF the authors would implement a simple parameter --pause that generates everything then waits for the [Enter] key to continue the challenge process. This would allow me to copy the generated files into the .well-known/acme-challenge directory, push it out to the production server via FTPS, and then it would get validated after my five minute delay.

EDIT: enhancement request no longer necessary per later posts.

(@leader Thanks for the info. I am purposefully not using the --live option because I’m trying different clients out and don’t want to mess anything up :slight_smile: )

N.B. this will all be moot after the server gets migrated in a week and a half. I have a lot of weekend & late-night work ahead of me. What was that about “…making the big bucks?” Yeah…right…lol.

As I mentioned before, this is already how it works basically if you don't use --path option. The LE process will stop and you will see on your screen something like:

Challenge for some.domain requires:
A file 'xxxxx' in '/.well-known/acme-challenge/' with the text: yyyy
When done, press <Enter>

So all you need to do is to copy/paste the content that is shown in the message into the file with the name that is also shown in the message. That's it :slight_smile: Well, and of course press Enter after that ...


Ugh. Ok, my problem (as was pointed out above) is that I had the --generate-only param which prevented the rest of the process. When I removed it I finally got this output…and the pause I wanted:

C:\ZE>le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt
 mydomain.crt --domains "www.domain.com,domain.com" --generate-missing
2017/05/25 09:59:18 [ ZeroSSL Crypt::LE client v0.23 started. ]
2017/05/25 09:59:18 Loading an account key from account.key
2017/05/25 09:59:18 Loading a CSR from mydomain.csr
2017/05/25 09:59:21 Registering the account key
2017/05/25 09:59:21 The key is already registered. ID: 22323261
Challenge for www.domain.com requires:
A file '7d-IkwgG5JjvglkHVQp-S_5lxWayGTiaD8U2_Fje5kQ' in '/.well-known/acme-chall
enge/' with the text: 7d-IkwgG5JjvglkHVQp-S_5lxWayGTiaD8U2_Fje5kQ.7p74HGUv8Z74h3
ZZH6nQvOw-WJyhKyVnGbq9UJLPTIE
When done, press <Enter>

I’ll see if this will work for me but it’s looking good so far!

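The prompt shown above is exactly the point where the five-minute FTPS mirror delay bites: the file must be reachable over plain HTTP at http://<domain>/.well-known/acme-challenge/<token> before you press Enter. The following is an added example, not code from the Crypt::LE client or from anyone in this thread: it parses that prompt, writes the token file with the key authorization as its exact content (no trailing newline), and polls the URL until the mirrored copy is live. The domain, token and thumbprint in SAMPLE_PROMPT are constructed values.

```python
import re
import time
import urllib.request
from pathlib import Path

# Constructed sample of the prompt Crypt::LE prints; token and key
# authorization are made-up values, not from a real challenge.
SAMPLE_PROMPT = """Challenge for www.example.test requires:
A file 'TOKEN_abc123' in '/.well-known/acme-challenge/' with the text: TOKEN_abc123.THUMB_xyz789
When done, press <Enter>
"""

PROMPT_RE = re.compile(
    r"Challenge for (?P<domain>\S+) requires:\s*"
    r"A file '(?P<token>[^']+)' in '(?P<dir>[^']+)' with the text: (?P<keyauth>\S+)"
)

def parse_challenge(prompt: str) -> dict:
    """Extract domain, token, challenge directory and key authorization."""
    m = PROMPT_RE.search(prompt)
    if not m:
        raise ValueError("prompt did not match the expected Crypt::LE format")
    c = m.groupdict()
    # HTTP-01 key authorization is "<token>.<account-key thumbprint>"; a
    # mismatch means token and text were pasted from different prompts.
    if not c["keyauth"].startswith(c["token"] + "."):
        raise ValueError("key authorization does not start with the token")
    return c

def challenge_url(c: dict) -> str:
    """HTTP-01 is validated over plain HTTP on port 80, never HTTPS."""
    return "http://" + c["domain"] + c["dir"] + c["token"]

def write_challenge_file(webroot: Path, c: dict) -> Path:
    """Write the token file under webroot; content is the key authorization only."""
    target = webroot / c["dir"].strip("/") / c["token"]
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(c["keyauth"].encode("ascii"))
    return target

def http_fetch(url: str) -> str:
    with urllib.request.urlopen(url, timeout=10) as r:
        return r.read().decode("ascii", "replace")

def wait_until_served(fetch, url: str, expected: str, timeout_s: float,
                      interval_s: float, sleep=time.sleep) -> bool:
    """Poll fetch(url) until it returns expected; fetch/sleep are injectable."""
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            if fetch(url).strip() == expected:
                return True
        except OSError:
            pass  # not mirrored yet, or staging server not reachable yet
        if time.monotonic() >= deadline:
            return False
        sleep(interval_s)
```

In practice: parse the prompt, write the file into your local mirror of the web root, push it via FTPS, then run wait_until_served(http_fetch, challenge_url(c), c["keyauth"], 600, 30) and press Enter only once it returns True.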

When importing the live certificate into IIS 8.5 via certificate manager console (into web hosting, not personal) it shows no “Name” and under “Issued To” it only shows “www.domain.com” and not the “domain.com” also. What am I doing wrong?
I generated the cert using this command:
le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,www.domain.com" --generate-missing --live

Then I used openssl to export a .pfx file for Windows:
openssl pkcs12 -export -out domain.pfx -inkey mydomain.key -in mydomain.crt

Now after I selected “SSL only” and added the binding for “https” requiring “SNI” it works when going to https://domain.com but gives an error when going to https://www.domain.com

Event log shows:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

So now I’m lost. Anyone have any ideas? I thought I had generated a certificate that would work for both domain.com AND www.domain.com but it won’t seem to work for the www site. When importing the new cert it asked for a key in the IIS console so I just entered a fake password. Did it want the 2k RSA key for the certificate I generated instead? If so, will that even fit?

If in the browser you check any site certificate, you will likely see just one name under "Issued To" as well. Basically what is shown there is a "Common Name (CN)". However, if you look at the details of the certificate, then you should find all the specified names under "Certificate Subject Alt Name (SAN)". Since all the certificate issued by LE are tracked on https://crt.sh/, you can try looking for your domain there, click on the most recent record found and on the resulting page look for "X509v3 Subject Alternative Name:" line - most likely you will see both names there.

I suspect this is something specific to IIS bindings. For example, MSDN blogs in relation to the certificate store for IIS8 on Windows Server 2012 give the following example for SAN certificates:

In this case, the certificate must be duplicated with the file names matching Subject names in the certificate. For example, if the certificate is issued for "www.contoso1.com" & "www.contoso2.com", then the file names should be www.contoso1.com.pfx & www.contoso2.com.pfx, respectively.

So if the SAN Certificate is issued for 3 hostnames then there would be 3 files for those 3 hostnames respectively.

I'm not sure if that (having separate pfx for every name) is applicable in this case and I don't have WS 2012 to verify, but maybe @ahaw021 has some experience with that one :slight_smile:

Thank you for that, it explained it perfectly and I see that both the domain and alias are listed as separate certs on that website. I finally got it to work!

I’m still vague on a few spots:

  1. It took a lot of manual work to convert the cert to .pfx and import it and my next task is to find a way to automate that. I used a local copy of openssl and the zerossl LE64.exe client.
  2. When I went to import the resulting cert there was a password field in the dialog window. I just put a random password in (that I wrote down) and it seemed to work fine. What is that password field used for? Also note: you MUST leave the “allow to be exported” box checked or else it won’t work!
  3. I had to set up a URL Rewrite rule to auto-forward with a 301 Permanent all http:// to https:// and it seems to work fine. I found that I had to UNcheck the Require SSL setting to make everything work properly. Anyone know why?
  4. Server Name Indication (SNI) appears to be something I could use to avoid the rewrite rule and still allow all non-https traffic to forward to a plain webpage that says “your browser is old and sucks otherwise you’d be seeing our website” (or similar). Any thoughts? I played with it a while and couldn’t figure out what it was doing, plus it required a non-SNI site as a “default site”…

When you bind the cert in IIS, if you choose a specific FQDN then it will only be used for that name.
You may have to add an additional binding (with the same cert) for the other FQDN.
OR
If the site only responds to this one set of names bind the cert and don’t specify an FQDN.

Yes, I ended up leaving the binding for port 80 without an SNI hostname, and added two bindings for port 443: one for the www.domain.com and the other for just the domain.com hostnames–both using the same cert. Neither has the SNI option checked, and I do not have the Require SSL box checked either. I get an “A-” grade on the SSL checker webpage!

good news!
If you're using DH ciphers ensure to update the DH primes above 1024: https://technet.microsoft.com/library/security/3174644

@mushu

I understand you are learning but the way you are communicating seems a bit dumpy to me. You are generating more and more problems as you go along. We have gone from a Creating Files issue to IIS config. While this can happen, looking back at the flow of this conversation there are lots of different problems.

I suggest breaking these out. You have obtained certs (the end of this thread), installing certs is a new problem (in my opinion).

A) SNI is a TLS/SSL concept only this is why you do not have the option for SNI on HTTP bindings https://en.wikipedia.org/wiki/Server_Name_Indication
B) Writing Redirect from HTTP to HTTPS is a fairly normal step in most web server setups (not just IIS)
C) You should have used a SAN certificate for your two domains (i.e. domain.com and www.domain.com as SAN X509 V3 extensions)
D) You can use microsoft certificate utility to create CSRs for you. You can feed the resulting certificate in to microsoft. A similar (different client) thing has already been done: https://www.linkedin.com/pulse/lets-encrypt-part-2-3-repurposing-clients-making-things-andrei-hawke
E) Stronger Diffie-Hellman groups are a good idea but not necessarily the reason why you get an A- in SSLLabs
F) Several features that SSLLabs likes to see are not natively implemented in IIS. With good cipher selection usually you get an A
G) Microsoft bindings work much like Virtual Hosts in other web servers. A binding for a specific domain is a good idea (i.e. domain.com and www.domain.com both in HTTP and HTTPS bindings)
H) Require SSL does have a few gotchas https://technet.microsoft.com/en-us/library/cc732367(v=ws.10).aspx. I usually use re-writes rather than require SSL. Require SSL is mandatory if you want to use Client SSL certificates as a redirect will not work in that case. Client SSL certificates only really work with Active Directory and Microsoft Internet Explorer.
I) Be careful about not having bindings - if you do not, IIS will point customers to the default website (which may not be your application website)

Andrei

I usually find that making a good plan is better than trying different settings and asking people why things fail

I believe that your question should have been

A) I have an IIS web server which I can create files on but there is a 5 minute delay
B) I would like to use a client which does as much of the automation for me as possible
C) I have two domains, domain.com and www.domain.com - what's the best way of dealing with this
D) Are there any gotchas with installing Let’s Encrypt Certificates on IIS
E) How can I review my configs.
F) I would like to redirect HTTP traffic to HTTPS.

It would have been easier for people such as myself then to test and propose a solution rather than running around explaining things which need not have happened :smiley:

Andrei

In a perfect world…
I believe that if he would have been able to formulate such a well thought out list of questions, he probably would have known the answers to most if not all of them.
In my world, I tend to help people learn in small steps that they can take in and then understand as that has a much longer lasting result than just giving them an answer and list of steps to follow that they don’t really understand and moving on to the next problem.
Of course either way would work and this thread would surely use some… “abbreviation” if not a complete rewrite if it is to be easily used by the general public thereafter. But that is not my concern and I’m pretty sure it wasn’t on his to-do list either.

