Subdomain did not recognize the certificate of domain

A few months ago I created a certificate for the websites:

mitutoor.com,
www.mitutoor.com
and talents.mitutoor.com

But since a couple of weeks ago only the talents.mitutoor.com subdomain does not recognize the certificate. The certificate was created interactively with the win-acme.v2.1.0.522.x64.trimmed> wacs.exe tool.

The operating system my web server runs on is (include version):
Windows Server 2012 R2

Can you help me?
Thank you.

Not only a few months ago, you're creating certificates almost daily! Look at this HUGE list of certificates generated over the past few months:

https://crt.sh/?q=mitutoor.com&deduplicate=Y

Also, you're creating double certificates each time. Both have the same hostnames in the SAN (apex domain and www subdomain), but in one the apex domain comes first and is used as the CommonName and in the other the www subdomain is used as CommonName.

You really need to STOP this useless issuing of certificates at once! This is putting extra and useless load on the Let's Encrypt systems. While the certificates might be free for you, it is not free of charge to keep a CA like Let's Encrypt up and running. The more load on the systems, the more it costs to LE.

Please check if you have some kind of run-away ACME client which keeps issuing these certificates and FIX it.

After you've fixed your ACME client and it doesn't uselessly consume certificates any longer, we can talk about what happened to your talents subdomain. (Hint: all those useless certificates don't have the talents subdomain in their SAN and your webserver is using one of those many many certificates with just the apex domain and www subdomain for the talents subdomain too.)


Thanks for your quick response.

We had trusted the wacs tool to make the proper configuration on the server to use LE certificates without violating any of the rules.

We detected that the wacs.exe tool, when used in interactive mode, created a task that runs daily, therefore, this task was immediately stopped.

I would like to know if this task must be stopped permanently or how often it must be run again?

Thanks a lot.

A daily task isn't bad in principle: Let's Encrypt advises to run the certbot client even twice a day. The difference probably is that normally an ACME client will not renew a certificate if it isn't due for renewal yet. That's the difference here I guess.

I don't have experience with wacs.exe, but I think we can all assume it doesn't force renewal when the renewal isn't due yet by default? I guess that would be user input to the client to do that?

You've been getting certificates almost daily for more than a year now :cry:, since your first Let's Encrypt certificate on 2019-10-25. What a waste of resources.

Please read the WACS manual to see how you can configure your ACME client properly.


Please show the parameters used in that daily task.
[so that we can get to the bottom of that problem and others might learn from this example]

Parameters of task created by interactive mode of wacs.exe tool:

--renew --baseuri "https://acme-v02.api.letsencrypt.org/"

The parameters were created by the interactive mode of the wacs.exe tool. This tool did not show any specific option to configure the task or the frequency with which it would run. In interactive mode, the websites for the certificate were selected, the challenges were successfully validated, and the task was created. Each time it was run instead of renewing the certificate when absolutely necessary, it created a new certificate without the active certificate having expired.

Thanks.

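As an added example (not code from this thread, from win-acme or from Let's Encrypt), the two checks the replies above turn on, in Go: whether the certificate a site serves actually lists the hostname in its SAN (the "talents" hint), and whether the certificate is inside its renewal window so that a daily `--renew` task should issue anything at all. The self-signed certificate, the dates and the 30-day window are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewWindow: renew only once less than this remains. 30 days is a common ACME
// client default; it is an assumption here, not a value read from win-acme.
const RenewWindow = 30 * 24 * time.Hour

// CheckCert returns the expected hostnames the certificate's SAN list does not
// cover, the whole days of validity left, and whether renewal is actually due.
func CheckCert(cert *x509.Certificate, hosts []string, now time.Time) (missing []string, daysLeft int, renewDue bool) {
	for _, h := range hosts {
		if cert.VerifyHostname(h) != nil { // matches against SAN entries, wildcards included
			missing = append(missing, h)
		}
	}
	left := cert.NotAfter.Sub(now)
	return missing, int(left.Hours() / 24), left <= RenewWindow
}

// newTestCert builds a constructed self-signed certificate with the given SANs; it
// stands in for the apex+www certificates from the thread and is not a real LE cert.
func newTestCert(sans []string, notBefore time.Time, life time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: sans[0]},
		DNSNames: sans, NotBefore: notBefore, NotAfter: notBefore.Add(life)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so parsing cannot fail
	return cert
}

func main() {
	issued := time.Date(2020, 11, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert := newTestCert([]string{"mitutoor.com", "www.mitutoor.com"}, issued, 90*24*time.Hour)
	hosts := []string{"mitutoor.com", "www.mitutoor.com", "talents.mitutoor.com"}
	missing, days, due := CheckCert(cert, hosts, issued.Add(24*time.Hour))
	fmt.Printf("not covered: %v, days left: %d, renew due: %v\n", missing, days, due)
}
```

Run against the certificate a server really presents (for example one read with `tls.Dial` and `ConnectionState().PeerCertificates[0]`), the first return value shows which hostnames are being served with the wrong certificate, and the last one is the gate a scheduled renewal task should respect before issuing.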

We need to dig deeper.
Please locate and show the corresponding renewal file:

