Migrate certificate issuing agent to another computer

Our company had a guy who issued Let’s Encrypt certificates for a particular service using certes (a Windows dotnet tool).
The guy has left the company, and now reissuing that particular certificate is only possible from his machine (a Windows PC). The same instructions from another PC failed at the VALIDATION stage:

certes order validate https://acme-v02.api.letsencrypt.org/acme/order/[OrderId]/[OrderId] domainexample.com dns

The error is 100% inadequate: it says that the TXT record is incorrect (this is not true).

The error looks like:
Status: “invalid”
Error: “urn:ietf:params:acme:error:unauthorized”
“Incorrect TXT record “CKWdcTbGXXx3h…etc” found at _acme-challenge.domainexample.com”
Status: 403

I am not an expert in certificates, but I suppose that his computer is either bound to the LE account / the certificate, or contains some validation certificate / tool / private key etc. which helps to validate the issuing. I found only the LE Authority X3 certificate on his machine and exported it to the other machine. No luck so far.

Please, help!

Hi @EugeneG

Please answer all of the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

There may be additional credentials of the DNS provider.

Thank you for reply!

I forgot to mention: the guy did not have access to our DNS provider’s console, but I have. And I added the TXT records for validation for him. Moreover, he tried to help me find out why his workstation is able to request an LE certificate but mine is not (the same computer in the same environment). And he does not know either. We do absolutely the same steps and receive the same output (but with different order IDs etc., of course). And all looks fine; the certificate is “pending” until the “validation” step. Logged in on his computer I get the “Ready” status, but from my computer I get “Invalid”. Just Windows 10 workstations in the same office, both with dotnet tool install --global dotnet-certes --version 1.0.3.

**certes account new email@example.com** - we always use the same e-mail.
certes order new ourdomain - we always use the same domain (certificate for a Windows SSTP VPN server).
certes order authz https://acme-v02.api.letsencrypt.org/acme/order/[OrderId]/[OrderId] ourdomain dns
Then we get the TXT record, add it at the DNS provider, and wait while it is deployed globally (checked with https://digwebinterface.com).
certes order validate https://acme-v02.api.letsencrypt.org/acme/order/[OrderId]/[OrderId] ourdomain dns
After the last step, my PC cannot do the next step and “authorize” the certificate, but his PC can (even from my Windows domain account). I get the errors I wrote above.
If this information is not enough I will give more. But my question is: why and how can the requesting be bound to a PC?
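Added example (not from either poster, and not certes code) showing what actually ties a DNS-01 validation to one machine: the ACME account private key certes keeps in its local store. Per RFC 8555 the expected TXT value is base64url(SHA-256(token "." thumbprint(account key))), so the same token yields a different TXT value for every account key; the JWK members and token below are constructed placeholders, not real keys.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    lexically sorted, with no whitespace. Extra members (alg, kid, ...) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record the CA expects at _acme-challenge.<domain>.
    The account key is the only input that differs between two workstations."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_matches(found_txt: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks; a mismatch is reported as 'Incorrect TXT record ... found'."""
    return found_txt == dns01_txt_value(token, account_jwk)


# Constructed, non-functional public JWKs: only their members feed the thumbprint.
HIS_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed_modulus_his_workstation"}
MY_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed_modulus_my_workstation"}
# Constructed challenge token; the CA issues a fresh one per authorization.
TOKEN = "constructed-token-Dt3juxGJ-PCt92wr"


def explain_mismatch(token: str = TOKEN) -> dict:
    """Same token, two account keys: two different TXT values. A record published for
    one account's order can never satisfy an order placed under the other account."""
    return {"his": dns01_txt_value(token, HIS_ACCOUNT_JWK),
            "mine": dns01_txt_value(token, MY_ACCOUNT_JWK)}


if __name__ == "__main__":
    for who, value in explain_mismatch().items():
        print(f"{who}: _acme-challenge TXT = {value}")
```

Because the thumbprint depends only on the public JWK members, the values above are stable across runs; a practitioner comparing the TXT that certes printed on each workstation against its own account key will see which account the published record belongs to.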
