Urgent - renewal fails with IIS because "applicationHost.config" was modified


#1

My domain is: https://www.levelup-analytics.com
My web server is (include version): IIS 8.5
The operating system my web server runs on is (include version): Windows Server 6.2

Hi,

I began having certificate errors this morning (though my certificates were still valid until the 20th), and upon renewal (or creation), everything worked fine until the last step:

[INFO] Installing certificate in the certificate store
[INFO] Adding certificate www.levelup-analytics.com 2018/12/6 13:00:42 to store WebHosting
[INFO] Installing with IIS…
[INFO] Updating existing https binding :443
[INFO] Committing 1 https binding changes to IIS
[EROR] Error installing
System.IO.FileLoadException: Nom du fichier : \?\C:\windows\system32\inetsrv\config\applicationHost.config
Erreur : Impossible de valider les modifications de configuration parce que le fichier a été modifié sur le disque
(“Error: impossible to validate the configuration modifications because the file was modified on the disk”)
à Microsoft.Web.Administration.Interop.IAppHostWritableAdminManager.CommitChanges()
à Microsoft.Web.Administration.ConfigurationManager.CommitChanges()
à Microsoft.Web.Administration.ServerManager.CommitChanges()
à PKISharp.WACS.Clients.IISClient.Commit()
à PKISharp.WACS.Clients.IISClient.AddOrUpdateBindings(Target target, SSLFlags flags, CertificateInfo newCertificate, CertificateInfo oldCertificate)
à PKISharp.WACS.Plugins.InstallationPlugins.IISWebInstaller.PKISharp.WACS.Plugins.Interfaces.IInstallationPlugin.Install(CertificateInfo newCertificate, CertificateInfo oldCertificate)
à PKISharp.WACS.Program.OnRenewSuccess(ILifetimeScope renewalScope, ScheduledRenewal renewal)

It’s extremely urgent because my server is not accessible to my clients anymore - does anyone have any idea what this error is about and how to fix it?

Thanks in advance for your help!!


#2

Hi @Kiyus7

do you run the program as Administrator?

C:\Windows\system32\inetsrv\config

isn’t available if you are not an administrator.

Can you open your IIS Manager? This tool uses the same file.

If the file is corrupt, you must check if it is a valid XML file.


#3

Hi Juergen,

Thanks for your quick response - I ended up rebooting the server (which I didn’t do at first because a lot of scripts are constantly running on it) as a last resort and it did the trick.


#4

PS: But your site is running (checked with my online tool https://check-your-website.server-daten.de/?q=levelup-analytics.com ):


| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://levelup-analytics.com/ 163.172.20.225 | 200 | | 0.083 | H |
| http://www.levelup-analytics.com/ 163.172.20.225 | 200 | | 0.084 | H |
| https://levelup-analytics.com/ 163.172.20.225 | 200 | | 5.380 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://www.levelup-analytics.com/ 163.172.20.225 | 200 | | 5.343 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |

So your ApplicationHost file must be correct.


#5

Yes, the files are blocked.

Oh - I think it’s the same bug in the .NET environment I found some months ago.

Adding two new bindings via .NET code lets the server hang. Only a reboot solves the problem.

PS: Your certificate is expired.


#6

You mean it is still expired? It’s not working yet but I thought it was because of:

[INFO] IIS will serve the new certificates after the Application Pool IdleTimeout has been reached.

Also why is it saying “Certificate error: RemoteCertificateNameMismatch”?


#7

Another thing to watch out for with IIS is that when you commit new bindings it can actually take a while to flush the new config to disk, so follow-up attempts to change bindings may throw exceptions; this gets worse if you have many sites or many bindings. For Certify I use a combination of a C# lock, multiple retries and an added 2.5s delay on error.
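
The approach described in post #7 (a lock, several retries, a 2.5 s pause after a failed commit), shown as an added example. It is not Certify's or win-acme's code; `BindingCommitter`, `CommitWithRetry` and the simulated commit are hypothetical names, and the stand-in action replaces a real `ServerManager` edit plus `CommitChanges()` so the block runs without IIS.

```csharp
using System;
using System.IO;
using System.Threading;

// Added example: BindingCommitter and CommitWithRetry are hypothetical names.
static class BindingCommitter
{
    // One process-wide lock so two renewals never edit IIS bindings at once.
    private static readonly object IisLock = new object();

    // unitOfWork must perform the whole "load config, change binding, commit"
    // step, so each retry reloads the config instead of re-committing a stale copy.
    public static int CommitWithRetry(Action unitOfWork, int maxAttempts = 3, int delayMs = 2500)
    {
        lock (IisLock)
        {
            for (int attempt = 1; ; attempt++)
            {
                try
                {
                    unitOfWork();
                    return attempt; // number of attempts it took
                }
                catch (FileLoadException) when (attempt < maxAttempts)
                {
                    // "file was modified on disk": wait for IIS to finish flushing.
                    Thread.Sleep(delayMs);
                }
                // On the last attempt the exception propagates to the caller.
            }
        }
    }
}

static class Demo
{
    static void Main()
    {
        int calls = 0;
        // Constructed stand-in for a binding update: fails twice, then succeeds.
        Action fakeCommit = () =>
        {
            if (++calls < 3)
                throw new FileLoadException("applicationHost.config changed on disk");
        };
        int attempts = BindingCommitter.CommitWithRetry(fakeCommit, 3, 100);
        Console.WriteLine($"Committed after {attempts} attempt(s)");
    }
}
```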


#8

Alright, I recreated the certificates instead of renewing and it’s working now - thanks again for your help!


#9

The certificate had the domain name

CN=www.twist-analytics.com - 06.12.2018 - 06.03.2019 www.twist-analytics.com - 1 entry

Sorry, it’s not expired, I didn’t use my own tool correctly :wink:

But now

CN=www.levelup-analytics.com
06.12.2018
06.03.2019
levelup-analytics.com, levelup-analytics.fr, twist-analytics.com, www.levelup-analytics.com, www.levelup-analytics.fr, www.twist-analytics.com - 6 entries

your certificate is correct and valid.