WACS: Safe to upgrade from 1.9.x to 2.x with 2000+ domains?

My web server is (include version): Windows 2012 R2
The operating system my web server runs on is (include version): IIS8
Application: Windows ACME Simple (WACS)

We have about 2500 domains on one server (approx. 1250 naked + www domains). In our current WACS 1.9.x environment the renewal dates are quite evenly spread out over the 60-day renewal interval, so not all renewals will occur on the same day.
After 2.x installation there is a neat option to import all certificates from the 1.9.x environment, but when doing so, the renewal date for all domains seems to be set to “1970-1-1 0:00:00”. Does this mean they will all be subject to renewal at the next scheduled renewal? And will they continue to be renewed on the same day in the future as well (every 60 days)? Doesn’t this put an unnecessary load on the server on the “renewal day” and/or will we run into a limit that day?

So, is it safe to upgrade WACS from 1.9.x to 2.x and import the renewals with a set of 2500+ domains?

1 Like

Hi @Zac72

I don't use WACS. But that sounds buggy. Is there an update?

Perhaps ask the maintainer, if the problem is known and if there is an update.

May be easier.

1 Like

Unless renewals are “forced”, having it “think” a cert is expired (based on the… Oh snap! that cert expired 50 years ago “check” result) doesn’t actually make the cert expired; So any renewal attempts would “fail” as “unnecessary” and eventually when the cert expires the renewal process should work.
Meaning the frequency and rhythm of your current renewals would continue unchanged.

Of course, I didn’t write the code so, you should also confirm this with the maintainer.
It might say “Oh dear! That poor cert died 50 years ago, let’s just bury it… and hope no one noticed.”
LOL

2 Likes

Thanks for the feedback. I’ll try to ask the maintainer. Here’s some additional info on the matter, but no answer to my question, just confirming the issue:

2 Likes

It looks like the maintainer did actually answer your question.

While importing renewals from 1.9.x to 2.0 we don't copy the history, partly because it would take more effort to write that code, but partly also to start with a clean slate.

The thinking is that it's not a bad idea to renew the certificates immediately after upgrading, otherwise you can't be sure that the conversion was a success.

So it's definitely working-as-intended that the client will try to renew all certificates immediately following the upgrade regardless of their actual expiration.

And it looks like changing that behavior is not possible.

When I launch the command to renew the scheduled ones, ALL the certificates are renewed, with the info "running prematurely due to detected target change". How do I renew only those with an outdated date?

There is no way of doing that right now. What's happening is that the program looks for the cached certificate file (which is supposed to be there according to your "faked" history) and notices that it's not matching up with what it's supposed to be (i.e. it's missing). The only way around that would be to put a .pfx file for each renewal with the proper file name in the CertificatePath.

Thanks for input!
Well, my question was if this is safe. What happens if you try to renew 2500 domains at a time? Perhaps anyone with experience can share their knowledge?

You may run into rate limits. Perhaps the “300 Pending Authorizations on your account” one? But maybe not if some of the previous authorizations are still valid.

Whether it’s safe would depend on how WACS handles rate limit related errors.
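The operational concern raised in this thread (every imported renewal is dated 1970-01-01, so the whole set of 2500 names becomes due on the same day and stays bunched on that day every 60 days, pushing against rate limits) can be modelled and mitigated on the administrator's side. The following is an added example and is not code from WACS or from anyone in the thread. The 60-day interval and the 1970 reset date come from the thread; the domain names, the 1250 naked + www split, the reference date and the per-day cap of 100 are constructed sample values. It computes how many renewals fall due before and after the import, then re-spreads the burst over consecutive days with a cap, which keeps later 60-day cycles spread as well:

```python
"""Model a large renewal set before and after an import that resets every
'last renewed' date to 1970-01-01, and re-spread the resulting single-day
burst over a per-day cap.

Constructed example: domain names, the 1250-site inventory and the per-day cap
are sample values; the 60-day interval and the 1970 date come from the thread.
"""
from collections import Counter
from datetime import date, timedelta

RENEWAL_INTERVAL_DAYS = 60          # renewal interval discussed in the thread
EPOCH = date(1970, 1, 1)            # date the 2.x import assigns to every renewal


def make_domains(n_sites):
    """Constructed inventory: a naked domain plus its www variant per site."""
    names = []
    for i in range(n_sites):
        names.append(f"site{i:04d}.example")
        names.append(f"www.site{i:04d}.example")
    return names


def spread_history(domains, today, interval=RENEWAL_INTERVAL_DAYS):
    """Constructed 1.9.x-style history: last renewals spread 1..interval days ago."""
    return {d: today - timedelta(days=(i % interval) + 1) for i, d in enumerate(domains)}


def imported_history(domains):
    """History as it looks after the import: every date reset to 1970-01-01."""
    return {d: EPOCH for d in domains}


def renewals_due(history, today, interval=RENEWAL_INTERVAL_DAYS):
    """Domains whose last renewal is at least `interval` days old."""
    return sorted(d for d, last in history.items() if (today - last).days >= interval)


def stagger(domains, start, per_day):
    """Assign at most `per_day` renewals per day, starting at `start`.

    Returns {domain: scheduled_date}. Later cycles keep this spread, since each
    domain's next due date is its scheduled date plus the interval.
    """
    if per_day < 1:
        raise ValueError("per_day must be >= 1")
    return {d: start + timedelta(days=i // per_day) for i, d in enumerate(sorted(domains))}


def daily_load(schedule):
    """Number of renewals scheduled on each date."""
    return Counter(schedule.values())


def demo(n_sites=1250, per_day=100, today=date(2019, 6, 1)):
    """Summarise the before/after picture for a constructed inventory."""
    domains = make_domains(n_sites)
    due_before = renewals_due(spread_history(domains, today), today)
    due_after = renewals_due(imported_history(domains), today)
    load = daily_load(stagger(due_after, today, per_day))
    return {
        "due_before": len(due_before),      # spread history: only one day's slice is due
        "due_after": len(due_after),        # imported history: everything is due at once
        "days": len(load),                  # days the staggered plan occupies
        "max_per_day": max(load.values()),  # never exceeds the cap
    }


if __name__ == "__main__":
    summary = demo()
    print(f"due today with spread history: {summary['due_before']}")
    print(f"due today after import:        {summary['due_after']}")
    print(f"staggered over {summary['days']} days, "
          f"max {summary['max_per_day']} per day")
```

The per-day cap is the knob to set against whichever account-level limit applies (the thread mentions the 300 pending authorizations limit); the model only shows the shape of the load, it does not talk to any ACME server.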
