Letsencrypt-win-simple with IIS8.5 : SAN Certifcate with multiple domain entries

Help
1

Hi,

I am trying to generate SSL SAN certificate with IIS8.5. I am using letsencrypt-win-simple.V1.9.1 Script. The IIS has Default Website and bind to hostname: test.xyz.edu.pk.

In DNS all three SAN entries are pointed to same IIS server.

test.xyz.edu.pk 10.10.10.10
test2.xyz.edu.pk. 10.10.10.10
test3.xyz.edu.pk. 10.10.10.10

The script is only validating test.xyz.edu.pk and not authorizing other two entries.

Below are the steps:

  1. letsencrypt.exe --san --centralsslstore C:\Central_SSL\
  2. M: Generate a certificate manually.
  3. Enter a host:
    test.xyz.edu.pk
  4. Enter all Alternative Names seperated by a comma:
    test.xyz.edu.pk,test2.xyz.edu.pk,test3.xyz.edu.pk
    5.Enter a site path (the web root of the host for http authentication): %SystemDrive%\inetpub\wwwroot

Authorizing Identifier test.xyz.edu.pk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot.well-known/acme-challenge/dooo02yy-U2OuGB-1Zs6G6gnw2RWq_8ClB3oJxPYZLE
Answer should now be browsable at http://test.xyz.edu.pk/.well-known/acme-challenge/dooo02yy-U2OuGB-1Zs6G6gnw2RWq_8ClB3
oJxPYZLE
Submitting answer
Authorization Result: valid

Authorizing Identifier test2.xyz.edu.pk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot.well-known/acme-challenge/2_e2rVQy2K-8ZemxtGvlalgzS9l9lFG4SrtHtv98W5E
Answer should now be browsable at http://test2.xyz.edu.pk/.well-known/acme-challenge/2_e2rVQy2K-8ZemxtGvlalgzS9l9lFG4Sr
tHtv98W5E
Submitting answer
Refreshing authorization
Authorization Result: invalid

The ACME server was probably unable to reach http://test2.xyz.edu.pk/.well-known/acme-challenge/2_e2rVQy2K-8ZemxtGvlalgz
S9l9lFG4SrtHtv98W5E

Check in a browser to see if the answer file is being served correctly.

Authorizing Identifier test3.xyz.edu.pk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot.well-known/acme-challenge/lLKR2SYkn4qTqAtYgEkKUBHY31TTrYl2yFJtGMZLx8U
Answer should now be browsable at http://test3.xyz.edu.pk/.well-known/acme-challenge/lLKR2SYkn4qTqAtYgEkKUBHY31TTrYl2yF
JtGMZLx8U
Submitting answer
Refreshing authorization
Authorization Result: invalid

The ACME server was probably unable to reach http://test3.xyz.edu.pk/.well-known/acme-challenge/lLKR2SYkn4qTqAtYgEkKUBHY
31TTrYl2yFJtGMZLx8U

Check in a browser to see if the answer file is being served correctly.

Press enter to continue.

Please guide …

Regards,

2

none of your domains are reachable via the public internet

you need to sort this first otherwise LetsEncrypt will not be able to connect

it looks like you had an entry for test.xyz.edu.pk but this now points nowhere

it also looks like you never had entries for the other two (which makes sense why they failed)

image.png728×363 8.28 KB

Andrei

3

To expand on @ahaw021's point, these are internal private IP addresses which are not reachable from the Internet, and perhaps only on an internal organizational DNS server, not in the public view of the DNS. That means (for both reasons) Let's Encrypt can't confirm your ownership of this domain by connecting to your servers.

4

Opps… Sorry i have not mentioned the actual domain and ips in first post. The actual entries are
test.pma.edu.pk 103.4.92.2
test2.pma.edu.pk 103.4.92.2
test3.pma.edu.pk 103.4.92.2

I am able to generate certificate by binding all three names in IIS with this IP. The domains were validated but 3 separate .pfx files are generated. I dont know its right procedure or not.

Please guide.

5

Hi ,

I am using the below procedure to generate the SAN certificate. The domains were validated but 3 separate .pfx files are generated. Why it is not creating single .pfx file ? Why 3 ? Is it considering each .pfx file as a separate certificate ?

 PS C:\letsencrypt-win-simple.V1.9.1> .\letsencrypt.exe --san --centralsslstore C:\Central_SSL\
Let's Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-v01.api.letsencrypt.org/
Using Centralized SSL Path: C:\Central_SSL\
Config Folder: C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Sign
er

Getting AcmeServerDirectory
Loading Registration from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.or
g\Registration

Scanning IIS Sites
 1: SAN - IIS Default Web Site (C:\inetpub\wwwroot)

 W: Generate a certificate via WebDav and install it manually.
 S: Generate a single San certificate for multiple sites.
 F: Generate a certificate via FTP/ FTPS and install it manually.
 M: Generate a certificate manually.
 A: Get certificates for all hosts
 Q: Quit
Which host do you want to get a certificate for: M
Enter a host name: test.pma.edu.pk
Enter all Alternative Names seperated by a comma test.pma.edu.pk,test2.pma.edu.pk,test3.pma.edu.pk
Enter a site path (the web root of the host for http authentication): %SystemDrive%\inetpub\wwwroot

Authorizing Identifier test.pma.edu.pk Using Challenge Type http-01
 Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/dooo02yy-U2OuGB-1Zs6G6gnw2RWq_8ClB3oJxPYZLE
 Answer should now be browsable at http://test.pma.edu.pk/.well-known/acme-challenge/dooo02yy-U2OuGB-1Zs6G6gnw2RWq_8ClB3
oJxPYZLE
 Submitting answer
 Authorization Result: valid

Authorizing Identifier test2.pma.edu.pk Using Challenge Type http-01
 Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/fWgqjX4Rr6Yi7jbyx0kjB4Una3hKsyDTWlWnvFO5V5A
 Answer should now be browsable at http://test2.pma.edu.pk/.well-known/acme-challenge/fWgqjX4Rr6Yi7jbyx0kjB4Una3hKsyDTWl
WnvFO5V5A
 Submitting answer
 Authorization Result: valid

Authorizing Identifier test3.pma.edu.pk Using Challenge Type http-01
 Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/oj6q3_pNJHqV9GCAbYysHZ3ELgGKOtVi3JW_zd0smrg
 Answer should now be browsable at http://test3.pma.edu.pk/.well-known/acme-challenge/oj6q3_pNJHqV9GCAbYysHZ3ELgGKOtVi3J
W_zd0smrg
 Submitting answer
 Authorization Result: valid

Requesting Certificate
 Request Status: Created
 Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\t
est.pma.edu.pk-crt.der
 Saving Issuer Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencryp
t.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
Host: test.pma.edu.pk
 Saving Certificate to C:\Central_SSL\test.pma.edu.pk.pfx
Host: test2.pma.edu.pk
 Saving Certificate to C:\Central_SSL\test2.pma.edu.pk.pfx
Host: test3.pma.edu.pk
 Saving Certificate to C:\Central_SSL\test3.pma.edu.pk.pfx
 WARNING: Unable to configure server software.

Do you want to replace the existing letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org task? (Y/N)
6

as this is a client developed externally your best option is to log and issue at the developers github: https://github.com/Lone-Coder/letsencrypt-win-simple/issues

7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.