Trouble with Renew certificate using Certify The Web

Hi, we are using Let's Encrypt with Certify The Web 5.3.0.0 on Windows Server 2012 R2. Until today everything was OK, but from today we cannot renew the certificate; only this error comes up.
I am not a professional. Can someone help me with this situation?

LOG ERROR from APP
2021-12-19 21:49:52.712 +01:00 [INF] Default Web Site: Request failed - Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Certification path could not be validated. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1312
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__34.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1185
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 925
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 717
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 429

1 Like

Welcome to the Let's Encrypt Community, Lukas 🙂

Let me ask the authority.

@webprofusion

Your thoughts here?

3 Likes

Have you checked both of those?

2 Likes

Hi, so Certify The Web has a specific requirement that it won't build the certificate PFX file if it doesn't have a copy of the corresponding root certificate (normally in your system trust store). Your system certificate trust store does not have the current Let's Encrypt ISRG Root X1 certificate.

The easiest way to fix this problem is to simply install the latest version - just download it from https://certifytheweb.com and install it again (you don't normally need to uninstall anything).

This will in turn ensure that you have the current root certificates required for CAs such as Let's Encrypt, Zero SSL etc, so that the PFX file will build OK.

The unfortunate side effect of this PFX build failure is that each attempt to renew the certificate will have counted against your Let's Encrypt rate limit for duplicate certificates, however I would imagine this has been failing for some time so you could be OK there (the app will gradually back off renewal attempts until it only tries every couple of days).

You should have received an email telling you the renewal was failing, so double check that your contact email under Settings > Certificate Authorities > accounts is correct and also check that it's not ending up in your junk mail.

If the app is not offering updates, please check that you can browse to https://api.certifytheweb.com/v1/update from a browser on that server, as you could be having trouble with TLS cipher settings or blocked outgoing connections. Your system is also not automatically updating its root certificate store, which it should normally do.

5 Likes
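The checks that the error message and the reply above point to (system time, ISRG Root X1 in the machine trust store, chain building), as an added PowerShell example that is not part of the original thread or of Certify The Web. Matching the root by its subject name and picking issued certificates by an issuer containing "Let's Encrypt" are assumptions of this sketch.

```powershell
# Added example: diagnose "Certification path could not be validated".
# Assumption: the root is identified by subject CN "ISRG Root X1",
# the name given in the reply above. Read-only; changes nothing.
$rootCn = 'CN=ISRG Root X1'
$now    = Get-Date

# 1. The error text asks for the system date/time to be checked first.
Write-Output ("System time (UTC): {0:u}" -f $now.ToUniversalTime())

# 2. Is the root present in the machine trust store, and valid right now?
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$rootCn*" })

if ($roots.Count -eq 0) {
    Write-Warning "$rootCn not found in LocalMachine\Root; PFX build will fail."
} else {
    foreach ($r in $roots) {
        $validNow = ($now -ge $r.NotBefore) -and ($now -le $r.NotAfter)
        Write-Output ("Root found: {0} (valid {1:d} to {2:d}, valid now: {3})" -f `
            $r.Subject, $r.NotBefore, $r.NotAfter, $validNow)
    }
}

# 3. Build the chain for each installed certificate whose issuer mentions
#    Let's Encrypt (assumption: that is how the site certificates appear).
$issued = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" })

foreach ($cert in $issued) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the result reflects trust, not connectivity.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $ok     = $chain.Build($cert)
    $path   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    Write-Output ("Leaf:   {0} (expires {1:d})" -f $cert.Subject, $cert.NotAfter)
    Write-Output ("Path:   {0}" -f $path)
    Write-Output ("Result: {0} {1}" -f $(if ($ok) { 'trusted' } else { 'NOT trusted' }), $status)
}
```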

Thanks for this info. After the update, the app works correctly.

I have one more question: the email which is now in the list for Certificate Authorities is the private one of the old admin. Can I add another email... and what will happen with the settings, will they all stay if I change the Certificate Authorities email?

2 Likes

With each successful renewal we have the opportunity to update the email address associated with that name (or names).
The update will overwrite the previous email address OR do nothing (when no address is being provided).

2 Likes

The simplest thing to do in Certify The Web is to delete the existing Let's Encrypt account then add a new one. We do need to offer an account update feature but that doesn't exist yet. The app will then just use that new account for subsequent updates. I recommend using a group/distribution email address instead of a single person as otherwise you can miss important notifications while someone is on vacation etc.

4 Likes

FWIW, I split the certificate acquisition and email update ACME functions in the most recent version of CertSage. Given the ACME account private key, CertSage can update (or outright remove) the email addresses associated with an ACME account regardless of which ACME client is being used to manage the certificates.

4 Likes
