Problems with SAN creation on windows


#1

Hi All,

I have been trying to get this working for a few months now in my spare time, but have had no success with either ACME-POSH (latest official release) or Win-simple (1.9.1.1).

I started with win-simple and can get a successful certificate using the testing system, but as soon as I try to use the live system, nothing happens (see https://github.com/Lone-Coder/letsencrypt-win-simple/issues/318 for more details).

So I switched to the ACME-POSH PowerShell module, and after stuffing around with that I eventually found the installer I needed and found a good screen capture of the whole process (or at least mostly): http://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server/

I got everything set up using a slightly modified version of the netometer process (as I’m using ex2013, not ex2016 as depicted) and put in what I thought was everything I needed, and I get the following errors when running without admin privileges:

  1. New-ACMEIdentifier : An item with the same key has already been added.
  2. Complete-ACMEChallenge : Filename: redirection.config. Error: Cannot read configuration file due to insufficient permissions

When using admin privileges:

  1. New-ACMEIdentifier : No registrations found. At C:\Scripts\Exchange_server\ACME-Exchange\ACME-Exchange.ps1:8 char:2

If anyone has got this working using either method, I would be very grateful to chat with you (especially if you're available to chat in real time to help me out of this painful pickle).

If you need more information, I’m happy to provide it. If you need the actual script, PM me and I will provide it.

TIA.
JD


#2

Has anyone got the SAN certificates to work using win-simple?

If so, how? Did you have any problems with the --test?

Surely someone out there has been through these issues before …


#3

Both of these packages are maintained by others, and both look as if they are not recently updated (looking at GitHub). Normally I’d suggest raising an issue with the developer, but the best option here may be to use one of the alternative clients that is more recently maintained.

I haven’t personally used either of the clients you mention, so can’t help directly, sorry.


#4

Thanks serverco, but as these are the only 2 Windows clients that don’t require PHP, I am stuck using one or the other (the remaining “apps” just use ACME-POSH in the background).

letsencrypt-win-simple looks to be the best option for my purposes, but I just cannot get it to work in the non test mode …

If anyone has any experience with SAN certs on Windows, I’m curious what you used and how you got it working.


#5

Hi JDaus

Have a look at the ACMESharp Library https://github.com/ebekker/ACMESharp/wiki/Quick-Start

I have also done this manually using certreq https://www.linkedin.com/pulse/lets-encrypt-part-2-3-repurposing-clients-making-things-andrei-hawke?trk=prof-post

For automation purposes ACMESharp would be the best bet


#6

Thanks Andrei, but ACME-POSH is part of the ACMESharp distribution and I have already tried that.

I was looking for a Windows client, so that I can automate the renewals. The link you provided doesn't appear to mention Windows servers at all in the post.

I am happy to pay a developer friend to update either of the two packages I mentioned above, but am not sure what has changed in the protocol (if anything) to break them (?).


#7

I took a look at the letsencrypt-win-simple issue you reported. letsencrypt-win-simple exposes more error details if you enable debug logging. I assume this would be done by changing the following line in letsencrypt.exe.config:

<add key="serilog:minimum-level" value="Warning" />

to:

<add key="serilog:minimum-level" value="Debug" />

When you re-run the client, you should now get something like “Full Error Details …” in the output. Hopefully something in there will point you in the right direction.

Regarding your issue with ACMESharp, I would guess that New-ACMEIdentifier is failing because you haven’t run Initialize-ACMEVault and New-ACMERegistration under the admin user (from the docs: “Note, if you run as Administrator, your Vault will be created in a system-wide path, otherwise it will be created in a private, user-specific location.” The registration is probably stored in that vault, so running it under a different user means there’s no existing registration.)
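The two ACME-POSH errors in the first post map onto the vault and registration behaviour just described, so here is an added worked script (not from this thread, not part of ACMESharp's own documentation) that checks those preconditions before calling New-ACMEIdentifier and requests a SAN certificate. It assumes the ACMESharp module is installed and that the cmdlets behave as in its wiki Quick-Start; the host names, aliases, contact address, PFX path and the `Challenges`/`Status` property names read from Update-ACMEIdentifier are assumptions, the first three being constructed placeholders.

```powershell
# Added example: idempotent ACME-POSH (ACMESharp) SAN request that checks the
# vault/registration context before New-ACMEIdentifier. Host names, aliases,
# contact address and PFX path below are constructed placeholders.
Import-Module ACMESharp

$contact   = "mailto:admin@example.invalid"                            # placeholder
$names     = @("mail.example.invalid", "autodiscover.example.invalid")  # placeholder SANs
$pfxPath   = "C:\Certs\exchange-san.pfx"                               # placeholder
$certAlias = "exchange-san"

# Returns $true when the query returns an object, $false when it returns nothing or throws.
function Test-AcmeObject([scriptblock]$Query) {
    try { return $null -ne (& $Query) } catch { return $false }
}

# The vault is per-user unless created as Administrator (system-wide path). Switching
# between elevated and non-elevated runs is what yields "No registrations found",
# so show which context this run is in.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running elevated: $isAdmin (vault and registration must have been created in this context)"

# Create the vault and registration only if this context does not already have them.
if (-not (Test-AcmeObject { Get-ACMEVault }))        { Initialize-ACMEVault }
if (-not (Test-AcmeObject { Get-ACMERegistration })) { New-ACMERegistration -Contacts $contact -AcceptTos }

# One identifier per SAN. Calling New-ACMEIdentifier again with an alias that already
# exists raises "An item with the same key has already been added", so look it up first.
$aliases = @()
for ($i = 0; $i -lt $names.Count; $i++) {
    $alias = "dns$i"
    $aliases += $alias
    if (-not (Test-AcmeObject { Get-ACMEIdentifier -IdentifierRef $alias })) {
        New-ACMEIdentifier -Dns $names[$i] -Alias $alias | Out-Null
    }
    # The manual handler prints the token and the path to publish under the site.
    # The iis handler writes the site configuration instead, which is why it needs
    # elevation (the redirection.config permissions error seen when not elevated).
    Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler manual
    Read-Host "Publish the challenge file shown above for $($names[$i]), then press Enter" | Out-Null
    Submit-ACMEChallenge $alias -ChallengeType http-01 | Out-Null

    # Poll until the CA has validated the challenge (property names are assumptions).
    $status = "pending"
    for ($try = 0; $try -lt 10 -and $status -eq "pending"; $try++) {
        Start-Sleep -Seconds 3
        $status = (Update-ACMEIdentifier $alias -ChallengeType http-01).Challenges |
            Where-Object { $_.Type -eq "http-01" } | Select-Object -ExpandProperty Status
    }
    if ($status -ne "valid") { throw "Challenge for $($names[$i]) ended as '$status', not 'valid'" }
}

# First identifier becomes the subject; the rest go into the SAN extension.
if (-not (Test-AcmeObject { Get-ACMECertificate -CertificateRef $certAlias })) {
    New-ACMECertificate $aliases[0] -Generate -Alias $certAlias `
        -AlternativeIdentifierRefs $aliases[1..($aliases.Count - 1)] | Out-Null
}
Submit-ACMECertificate $certAlias | Out-Null
Update-ACMECertificate $certAlias | Out-Null

# Export the PFX only after issuance; prompt for the password instead of hard-coding it.
$pfxPassword = Read-Host "PFX password for $pfxPath"
Get-ACMECertificate $certAlias -ExportPkcs12 $pfxPath -CertificatePassword $pfxPassword
```

Run it from the same elevated or non-elevated session every time; the `Running elevated` line is there precisely so that a "No registrations found" error can be traced back to a context change rather than to the CA. Against the staging system, first replace the placeholder names with hosts you control.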


#8

Hi JDaus

I agree with your observation. A lot of the Windows clients are over-complicated (in my opinion) and lack what some of the other clients have (a good solid building block).

I am in the process of putting something together based on PowerShell, OpenSSL and SQLite

Building a solid core (much like SimpleLE for Python) and then will have auxiliary functions.

Developers then can pick if they want to just use the “API” wrapper or the full stack.

can’t commit to ETAs but it’s in the works :smiley:


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.