Windows ACME Simple and Softether issue

Hi,

I have no previous knowledge about SSL/HTTPS - I’m just trying to put HTTPS on my local server due to some clients' requests (and to remove the infamous “Not Safe” message). I tried Windows ACME Simple (WACS) as it looked like a simple way for a newbie to do that.

The installation was ok, I just followed the steps in WACS app, created the required bind at IIS, the certificate was created and included in IIS.

But when testing it was refused by Chrome and Firefox (as a potential risk). Chrome message is “NET::ERR_CERT_AUTHORITY_INVALID”.

In Firefox I could see the certificate, and to my surprise it was issued for “s02arquivo.softether.net” and not for the expected domain “s02.arquivo.net”.

Softether is free software that is installed on the server to allow some people to access our LAN via VPN, used because they are at home-office due to coronavirus. But it should have NO relation with my IIS and I think it should not affect the process, but it did…

I did a second attempt turning SoftEther offline, revoked the first certificate (within the WACS app), and tried again. But the bind was not found anymore (probably because it was previously used), so I used the manual option and could recreate it (maybe I have two certificates now, the first one is still there, but with an “error” condition attached). So I deleted the previous bind, remade it assigning the “manual” entry from the second attempt, but it didn’t work, both browsers (after CTRL-F5 reload) keep providing the same information and the same “s02arquivo.softether.net” reference.

Why did the VPN SoftEther software affect the process and was used as part of the certificate?

How to prevent this problem? Should I totally UNINSTALL SoftEther?

How to remove the certificate and completely clean it to retry a clean new attempt (no previous bindings, no previous certificates to cause confusion)?

Can I include correct organization data in this automated certification process?

After succeeding in this process I’m trying to do for s02.arquivo.net, I’ll also need to do the same for other servers, like s01.arquivo.net, s03.arquivo.net, etc. Any tip?

Thanks for any help!

Marcelo.

My domain is: s02.arquivo.net

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Win2016 Server Std

My hosting provider, if applicable, is: self server

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No. Just use the default IIS administration tool, locally.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Windows ACME Simple


Hi @marcelorsc

checking your domain via s02.arquivo.net - Make your website better - DNS, redirects, mixed content, certificates - you have created two certificates:

Issuer                      not before  not after   Domain names                 LE-Duplicate     next LE
Let's Encrypt Authority X3  2020-04-19  2020-07-18  s02.arquivo.net - 1 entries  duplicate nr. 2
Let's Encrypt Authority X3  2020-04-19  2020-07-18  s02.arquivo.net - 1 entries  duplicate nr. 1

Don't create the next, there is a rate limit.

But you don't use it, instead, there is a self signed:

C=US, OU=s02arquivo.softether.net, O=s02arquivo.softether.net, CN=s02arquivo.softether.net
18.03.2020
31.12.2037
expires in 6465 days

I have no idea how that software works. There is information on that website:

Manage this VPN Server or VPN Bridge

Maybe you have to install / import the certificate manually.


Hello JuergenAuer,

Thanks for the fast reply. Actually the questionnaire was submitted before I could write the full experience. Please take a look at the text, if you wish.

I don’t want ANY interference of Softether in this server, I could not even imagine that the VPN software could cause problems in the certification process. If I had, I would have uninstalled it before.

I made the second attempt with SoftEther turned offline, but it didn’t work. How can I reset the whole process and do a new clean certification with no interference from SoftEther? The certificate should be for “s02.arquivo.net” and not “s02arquivo.softether.net”.

Can I fix the certificate to remove SoftEther reference, and also update my company name and data on it? Everything has the name “SoftEther”…

As I informed, I do not want ANY reference to Softether in my certification - my server has no relation to their domain, it is my own domain and totally independent. It is just using their free VPN software, with this server as an entry point to my LAN, but it should not have any relation to my webserver.

Can’t I create another certificate for this server (to remove the reference to SoftEther)?

Will I be able to create other certificates for my other servers using the same domain and different subdomains? (s01.arquivo.net, s03.arquivo.net, etc.)

Thanks and regards!


I don't know how Softether works.

But that program answers port 443 of your domain name.

That's the reason this information

Manage this VPN Server or VPN Bridge

is visible.

If you want your website to answer, you must change the configuration of your router, or of your server?

Or you have to configure that Softether, so it uses another port.


Hello JuergenAuer,

Thanks again for the reply and the tip. Yes, possibly SoftEther provided wrong information to the browsers at that moment, responding on the same port (that I was not using before) - and of course the domains did not match.

After the second attempt at creating the certificates the webserver stopped working (probably due to a port conflict) and I restarted the whole server, then it started to work! Now I’m able to connect to the domain and have the lock in the browsers and the certificate informing the right domain.

I’ll keep observing whether it keeps working or whether SoftEther may cause issues again, and if it happens check for port conflicts, or uninstall it…

Is it possible to add company real information to the certificate created via WACS to be seen by users? May I ignore the duplicate certificate I created and just let it expire? And, will I be able to create other certificates for other servers with different subdomains in the same domain?

UPDATE:

SoftEther was really using port 443, and it is possible to turn that off and use other ports for VPN. So it seems that the issue was just SoftEther taking the place of IIS and tricking the browsers by providing invalid information. After restarting the server, IIS took the port before SoftEther, so the certificate worked (and SoftEther, on finding the port already in use, automatically disabled it, reporting an error).

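A small diagnostic that reproduces the check the thread did by hand: does the certificate presented on port 443 belong to the expected hostname, or is it a self-signed one from some other service that grabbed the port first? This is an added example, not code from the thread, WACS or SoftEther; the two certificate dictionaries are constructed samples in the layout Python's ssl.getpeercert() returns, and probe() is an optional live check against a host you choose.

```python
import socket
import ssl

# Constructed sample: the self-signed certificate the thread found SoftEther
# serving on port 443 (subject equals issuer, no subjectAltName).
SOFTETHER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationalUnitName", "s02arquivo.softether.net"),),
                (("organizationName", "s02arquivo.softether.net"),),
                (("commonName", "s02arquivo.softether.net"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationalUnitName", "s02arquivo.softether.net"),),
               (("organizationName", "s02arquivo.softether.net"),),
               (("commonName", "s02arquivo.softether.net"),)),
}

# Constructed sample shaped like the Let's Encrypt certificate WACS installed.
LE_CERT = {
    "subject": ((("commonName", "s02.arquivo.net"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "subjectAltName": (("DNS", "s02.arquivo.net"),),
}

def _names(cert):
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def classify(cert, expected_host):
    """List the reasons a browser would reject this certificate for expected_host."""
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed (issuer equals subject)")
    names = _names(cert)
    if expected_host.lower() not in [n.lower() for n in names]:
        problems.append(f"name mismatch: certificate is for {names}, not {expected_host}")
    return problems  # an empty list means the certificate is the one you expect

def probe(host, port=443):
    """Live check: verified TLS handshake to host:port, returns (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "trusted", classify(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as e:
        # An untrusted issuer (what Chrome reports as NET::ERR_CERT_AUTHORITY_INVALID)
        return "untrusted", e.verify_message
```

If probe() reports "untrusted" while the ACME client says the certificate was issued, the next thing to check is which process owns the port (netstat -ano on Windows), as the thread discovered.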

If SoftEther sees that the port isn't used, it's normal that it uses the standard https port. There is nothing "tricky". If users don't have websites, it's easier.

Happy to read that it works :+1:
