No output from Certbot under scheduled task, due to "admin rights"

We have a program we wrote which automates the certbot process. It goes through and pulls all the active domains out of IIS, checks their expiration, and if expiring soon, calls certbot to gen new certs. We then zip these up and send them to our hosting company to install into our load balancers.

Everything works perfectly fine when I run it manually, logged in to the server with my domain account.
However, when it runs in Task Scheduler under our service account, there is no output generated in C:\Certbot\live. The service account has R/W access to this directory. The exit code being returned from certbot is 1, and the StdErr from the process outputs "Error, certbot must be run on a shell with administrative rights."

Our program that calls certbot is C#, using Process.Start to launch it, and as near as I can tell there is no way to launch a process with admin rights without causing a UAC prompt, which obviously won't work in a nightly scheduled task.

Is there any way to make certbot on Windows NOT require admin rights? The service account is the owner of the output directory where certbot writes out all its various logs and outputs, C:\Certbot, and the scheduled task is set to "Run with highest privileges."

2 Likes

Hi @eidylon,

You may find some helpful context to the problem here: https://github.com/certbot/certbot/issues/7881. If you want to, you can add your voice with a comment on that issue, which will help prioritize it in future.

2 Likes

Just went over and added my voice there. 👍🏼👍🏼

For your C# app, do you have an app.manifest file? If so, you can declare the need to elevate privileges in the executable:

<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- requireAdministrator: the process only starts with an elevated token -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Your scheduled task also needs to run as a user from the Administrators group and have "Run with highest privileges" checked.

As an aside, you could have done all this using Certify The Web or win-acme (or even Posh-ACME), without much/any custom code. CTW could even ssh the certs to your load balancer automatically. In fact you could probably have done it normally with Certbot to some extent as well, as it has a scheduled task which does renewals; then you'd just write your certs out to a predefined folder and all your own task has to do is zip and send on a periodic basis. Calling certbot from another program in order to force your renewals is a little bit unusual, because it has that functionality already.

4 Likes
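The two requirements in that reply (an account in the local Administrators group, and the task set to run with highest privileges) can be scripted and verified from PowerShell. This is an added example, not code from the thread or from Certbot; the account name, task name and executable path are placeholders.

```powershell
# Added example: register the nightly renewal task elevated under the service
# account, then check the two conditions that cause certbot's "must be run on a
# shell with administrative rights" error when they are missing.
# Placeholders: service account, task name, and path to the C# automation exe.
$svcAccount = 'CONTOSO\svc-certbot'                 # placeholder
$taskName   = 'Nightly-Cert-Renewal'                # placeholder
$exePath    = 'C:\Tools\CertRenew\CertRenew.exe'    # placeholder

function Test-RenewalTaskElevation {
    param([string]$Account, [string]$Name)
    # 1. "Run with highest privileges" is the RunLevel=Highest flag on the principal.
    $task = Get-ScheduledTask -TaskName $Name -ErrorAction Stop
    $runLevelOk = $task.Principal.RunLevel -eq 'Highest'
    # 2. Highest privileges only yields an elevated token if the account is an
    #    administrator; a non-admin account runs with its ordinary token.
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                      Where-Object { $_.Name -eq $Account })
    [pscustomobject]@{
        Task            = $Name
        RunsAs          = $task.Principal.UserId
        RunLevelHighest = $runLevelOk
        AccountIsAdmin  = $isAdmin
        WillBeElevated  = ($runLevelOk -and $isAdmin)
    }
}

# Register the task. The "User" parameter set of Register-ScheduledTask takes the
# password (needed so the task runs whether or not the account is logged on) and
# the run level together.
$cred    = Get-Credential -UserName $svcAccount -Message 'Service account password'
$action  = New-ScheduledTaskAction -Execute $exePath -WorkingDirectory (Split-Path $exePath)
$trigger = New-ScheduledTaskTrigger -Daily -At 2:00AM
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

# Verify before waiting for the nightly run; WillBeElevated should be True.
Test-RenewalTaskElevation -Account $svcAccount -Name $taskName | Format-List

# After a run, a non-zero LastTaskResult points at the exe's exit code.
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

For a domain account, `Get-LocalGroupMember` reports the name in `DOMAIN\user` form, so the placeholder must be written that way for the membership check to match.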

Agree. Shelling out to another app from C# seems like a particularly brittle solution. If what you know is C#, using an existing .NET ACME library and effectively writing your own client for your specific use case seems like a better way to go. But yeah, other Windows-specific clients can definitely make this easier.

My only guess is that this decision was borne of some sort of mandate to only use the "official" client...with the folks making that decision not realizing or caring that the Windows version of certbot is still technically a beta.

3 Likes
