Renew Letsencrypt from V1.9.1.1 to latest version in Windows SO

Hi, I have installed some certificates with Lets Encrypt v1.9.1.1 in my Windows Server 2012.
Today, after renewing process running. I got an error saying V1 was deprecated and I must migrate to the new version.
First, I would like to know if there is a way to change the endpoint without downloading the new Let Encrypt version. If the answer is No, I would need help to do the version renewing. What happen if I download the latest version and select the "Create new certificate (simple for iis)" option? Will this replace my certificates from v1? What happen with the renewing process? Is it replaced too?
In some days my certificates expires so I need to fix this.
Thanks!
Ariel

1 Like

Welcome to the Let's Encrypt Community, Ariel :slightly_smiling_face:

The v1 being referenced is likely ACMEv1, which is the deprecated protocol being phased out that you have been using to acquire your certificates. You will need to switch to ACMEv2 to continue acquiring certificates. If it is an option, you can update the API directory endpoint in your software. This assumes your software is written in a way to be compatible with the v2 process, which differs slightly. The certificates acquired by v1 and v2 are the same. You might need to update your ACME client or select a new one. Since you're using Windows, I highly recommend either Certify the Web or Posh-ACME. They are both mature and well-developed ACME clients whose developers are frequent contributors to this community.

Griffin, thanks for your reply.

In the past, I downloaded this client (Letsencrypt Windows Client: How to Install Let’s Encrypt Free SSL Certificates on Windows Server - NetoMeter Blog). I clicked the "Letsencrypt Win Simple client" link and followed the instructions.
I don't find the way to change the endpoint here.
I don't have much experience in powershell options so I would prefer to have a client like which I have where I have to follow some options to get the certificates.
I don't know if you could help me with this.
Thanks again!
Ariel

1 Like

I strongly recommend using the Certify the Web ACME client then. It is very easy to use with a graphical interface. It even has its own support community. Its developer @webprofusion is around here quite frequently as well as in his own support community.

1 Like

If you don't want to switch to Certify the Web:

You probably want to update your win-acme first before looking at anything else: it might just fix your endpoint issue too.

See here for the upgrade instructions:

https://www.win-acme.com/manual/upgrading/to-v2.1.0

1 Like

Thanks to both. I would prefer to upgrade acma version before using certify the web client.

However, i don't understand what i should do to migrate from my 1.9.1.1 version to the latest.

Should i install the latest version run --import --emailaddress [you@example.com](mailto:you@example.com) --accepttos``? Or should i follow the steps of this Url (https://www.win-acme.com/manual/upgrading/to-v2.0.0)?

Ariel

1 Like

Looking at your 1.9.1.1 version number, you probably need to start even further back:

First: Migration from <=1.9.4 to v1.9.5
Then: Migration from v1.9.5+ to v1.9.9
And after that: Migration from v1.9.9+ to v2.0.x
And finally: Migration from v1.9.x to v2.1.x.

I don't have any experience with win-acme, so I don't know if you can skip one of those steps..

1 Like

And if I decide to use certify the web, is it necessary to anything? Or the creating the certificates with the clients, does it upgrade it automatically?
Thanks
Ariel

1 Like

If you switch to Certify the Web, you probably need to set up that ACME client from scratch. I doubt that it can import anything from win-acme, but you never know. You might want to search for such an import feature.

1 Like

Thanks Osiris. I will try to find a solution.
Ariel

1 Like

You just install it and go through the basic configuration. I've found most people who do have their certificates functioning within 15 minutes.

Hi, I've replied to your query here: Renew Letsencrypt from V1.9.1.1 to latest version in Windows SO - #2 by webprofusion - Question - Certify The Web - Support Community

In the first instance I would check out the win-acme docs to see if you can just upgrade that especially if you are just try to keep a legacy system working (which I suspect is the case here).

We do offer some integration with other cert managers (win-acme, posh-acme and eventually certbot) but these just help you see which certs you are managing and with what, we don't currently attempt to migrate anything for you.

While I do strongly believe Certify The Web is the best overall option for ACME cert management on Windows I am obviously biased and there are some other great (generally command line) tools available. It is a commercially supported tool with limitations on the free (Community Edition) version and not everyone will be happy with that. So I'd say try it out and see what you think.

2 Likes

Christopher, thanks for your reply. Here I reply for this comment and the comment in the Certify forum.

I would like to update win-acme without installing another service because my current version always worked properly. However, my current version is 1.9.1.1 and someone in the forum told me that I should follow this process to upgrade:
First: [Migration from <=1.9.4 to v1.9.5]
Then: [Migration from v1.9.5+ to v1.9.9]
And after that: [Migration from v1.9.9+ to v2.0.x ]
And finally: [Migration from v1.9.x to v2.1.x]

I really don't understand how to do those steps.

If I want to migrate to certify the web, how can I do to disable the current version? Just disabling the scheduled tasks is it sufficient? What happen if I keep win-acme and I select Create new certificate (simple for IIS) option? Should I get an error? Or new certificates and scheduled tasks should be replicated for this new version? In that case, I could do that and then remove old certificates and scheduled tasks. In other words, I don't know if upgrading is necessary or if I can start the configuration since beginning without upgrading all those versions as the user said.

Thanks

Ariel

1 Like

Did you read the links (every step has its own link to the documentation for said step) I put in that overview?

1 Like

Yes Osiris. I read the links but they require changing some system files and I prefer to don't do that. For that reason, I asked if there is a way to create new certificates with win-acme latest version and disable the previous scheduled tasks. The same question if I decide to migrate to Certify the web.
Thanks
Ariel

1 Like

@WouterTinus is it all right to ask you here on this forum whether someone running win-acme 1.9.1.1 can update directly to the newest release, without going through all of the intermediate migration steps?

1 Like

Hi @schoen, thanks for bringing this to my attention. In theory it should be possible to jump straight to release 2.1.16.

We had a breaking release with version 2.0.0 (which was the jump to ACMEv2), but there is a function to import the renewal configuration from older versions.

However, the import function has mainly been tested with data from more recent releases in the 1.9.x series. To give some color to that, 1.9.1 is from June 2016 and 2.0.0 from February 2019. That's why the manual recommends first upgrading to a more recent 1.9.x version like 1.9.12.2 first.

In any case, the import is non-destructive so you can always try the direct route first and do the intermediate upgrade if that doesn't work out.

3 Likes

It sounds like you can migrate to the newer version of win-acme fairly easily.

If you did want to migrate to Certify The Web (or just try it out) I'd recommend doing one certificate at a time until you are comfortable with the process. You generally just open it up and click 'New Certificate', choose your IIS site and click 'Request Certificate', if that's successful then renewals are automatic from then on. You would need to eventually disable the lews/win-acme scheduled task but as it's not currently working it's not really doing anything and won't conflict with Certify either.

As mentioned Certify has both free and commercial versions with a limit on the number of managed certs in the free version (currently 5, but this may be increased again in the future), whereas win-acme has no cost (to you) at all.

All these tools really do for you is acquire (and renew) the certificate from Let's Encrypt, then help apply the certificate to IIS by storing it in the machine certificate store then updating the IIS bindings. You can run different tools on the same machine (usually for different certs) but generally mixing tools for the same job can be a little confusing to maintain.

I'd recommend you try out all the options available to you on a test machine, then decide from there. Either way it's very important to update these tools regularly for a bunch of reasons. For Certify, you just open the app and it offers to update to the latest version automatically.

1 Like

Thanks for your reply!
I don't have many certificates to create so probably I will migrate to Certify the web. Rarely, I still have Acme 1 in my server and my certificates were renewed automatically with scheduled tasks. I thought it was deprecated but it seems like not yet.
Thanks again!

It's an ongoing process with hostnames which are still in use can still renew, until the ACMEv1 API is disabled intirely. Non-active hostnames (no clue which "cut-off date" is being used) can't get a new certificate though. But at this moment, for still active hostnames, only brown-outs are sometimes temporarily in effect.