Type: unauthorized Detail: Invalid response from

I am so dumb ... how to add --dry-run before?
What do you mean exactly?

1 Like

If you ran:
certbot certonly
then just add it to that:
certbot certonly --dry-run

If you ran something else, then:
{whatever you ran} --dry-run

Is that exact enough?

1 Like

I see! What is the result of --dry-run? fireworks LOL?!

1 Like

Show the output please.

--dry-run is just test mode
No cert will be issued.

1 Like

C:\Program Files (x86)\Certbot>certbot certonly --dry-run
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

1 Like

You already have IIS listening on port 80, so #2

Then provide the directory path [where you placed the test files]

1 Like

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Account registered.
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): topkeg.com
Simulating a certificate request for topkeg.com
Performing the following challenges:
http-01 challenge for topkeg.com
Input the webroot for topkeg.com: (Enter 'c' to cancel): c:\HostingSpaces\admin\topkeg.com\wwwroot
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - The dry run was successful.

C:\Program Files (x86)\Certbot>

Guess we win?!

1 Like

YES!

Now do the same exact thing WITHOUT --dry-run

1 Like

C:\Program Files (x86)\Certbot>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): topkeg.com
Requesting a certificate for topkeg.com
Performing the following challenges:
http-01 challenge for topkeg.com
Input the webroot for topkeg.com: (Enter 'c' to cancel): c:\HostingSpaces\admin\topkeg.com\wwwroot
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: sales@cosmoelite.com).
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
C:\Certbot\live\topkeg.com\fullchain.pem
Your key file has been saved at:
C:\Certbot\live\topkeg.com\privkey.pem
Your certificate will expire on 2021-05-16. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"

C:\Program Files (x86)\Certbot>

Keep winning! So now my server will have autorenewal SSL?

1 Like

Try this as a test:

certbot renew --dry-run

If that works, try this final test ONLY ONCE:

certbot renew --force-renewal

If that works (and you already have a task set up properly to periodically run certbot renew), you should be good to go!

PS - We might need to work in a --deploy-hook to reload your webserver after each successful certificate acquisition.

1 Like

I am running Windows Server, and it seems I need to convert the .pem to PFX, install the PFX certificate and then bind the port. I could not convert the received PEM files to PFX; something seems wrong.

OK, I am going to try: certbot renew --dry-run

1 Like

Keep in mind that fullchain.pem contains both cert.pem and chain.pem (in that order).

1 Like
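A deploy hook for the two points raised above (the --deploy-hook suggestion and the PEM-to-PFX conversion), as an added example that is not from any poster in this thread. It assumes openssl.exe is on PATH, that the script runs elevated, and that certbot sets RENEWED_LINEAGE for deploy hooks; it stops after the import and returns the thumbprint for the IIS binding step.

```powershell
# Added example (not from the thread): certbot deploy hook for Windows.
# Assumptions: openssl.exe on PATH; elevated session; certbot sets
# RENEWED_LINEAGE to the renewed lineage, e.g. C:\Certbot\live\topkeg.com
$ErrorActionPreference = 'Stop'

$live = $env:RENEWED_LINEAGE
if (-not $live) { throw 'RENEWED_LINEAGE is not set; run this as a certbot deploy hook.' }

# fullchain.pem is cert.pem followed by chain.pem, so the leaf and the
# intermediates are handed to openssl as separate files.
$key   = Join-Path $live 'privkey.pem'
$leaf  = Join-Path $live 'cert.pem'
$chain = Join-Path $live 'chain.pem'
foreach ($f in $key, $leaf, $chain) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# One-time random password: the PFX exists only long enough to be imported.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

$pfx = Join-Path $env:TEMP ('{0}.pfx' -f [guid]::NewGuid())
try {
    # Pass the password through the environment, not the command line,
    # so it does not appear in process listings.
    $env:PFX_PASS = $plain
    & openssl pkcs12 -export -out $pfx -inkey $key -in $leaf `
        -certfile $chain -passout env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with code $LASTEXITCODE" }

    # Import into the machine store; keep the entry that carries the private key.
    $cert = Import-PfxCertificate -FilePath $pfx `
        -CertStoreLocation Cert:\LocalMachine\My -Password $secure |
        Where-Object { $_.HasPrivateKey }

    # Thumbprint to use when updating the site's https binding.
    $cert.Thumbprint
}
finally {
    # Remove the temporary PFX and its password in every case.
    Remove-Item Env:PFX_PASS -ErrorAction SilentlyContinue
    Remove-Item $pfx -ErrorAction SilentlyContinue
}
```

The private key ends up in the machine certificate store, so the temporary PFX is deleted even when the import fails.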

C:\Program Files (x86)\Certbot>certbot renew --dry-run
Saving debug log to C:\Certbot\log\letsencrypt.log


Processing C:\Certbot\renewal\topkeg.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for topkeg.com
Performing the following challenges:
http-01 challenge for topkeg.com
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
C:\Certbot\live\topkeg.com\fullchain.pem



Congratulations, all simulated renewals succeeded:
C:\Certbot\live\topkeg.com\fullchain.pem (success)


C:\Program Files (x86)\Certbot>

I think it is OK!

1 Like

When I tried this: certbot renew --force-renewal

The system seems to stall and is not running... Did I break it?

1 Like

Yes... it didn't hit "enter" properly, I believe... now it is OK!

1 Like

This sounds like you would do better with a more mature Windows ACME client.
Like:
https://github.com/rmbolger/Posh-ACME
https://certifytheweb.com/
https://www.win-acme.com/

1 Like

OK, I shall give them a look and try; every day learning!
Thank you one million for your time and patience!

Regards,

Paul

2 Likes

Glad to help you on your learning journey!

Cheers from Miami :beers:
[now back to trading crypto for beer...]

1 Like

I love beer too, cheers from Quebec Canada :beers:

You guys are awesome and having unlimited beer from crypto LOL

2 Likes
