Windows certbot install unattended?

Would like to install certbot on windows unattended. Is that a thing? I tried several command line options, trying to make it happen or at least get a usage message, but no matter what I added to the command line, I got the wizard and no usage message. Don't want no wizard -- just do it.

My web searching found installers at two URLs:

Similar results with both.

Certbot on Windows is basically dead; you'd probably be much better off with a different client that's more designed to integrate into the Windows ecosystem.

4 Likes

I see. I was not aware of that. Thanks for letting me know.

Actually, I'm already using winacme. But here's my problem with that:

We're providing AWS PaaS for a customer to host a website. Whenever the website devs have an update to the website, they zip it up and drop it in S3. That triggers an SNS message that launches the creation of a new instance that installs all the required software, grabs the zip, unzips it, configures everything. That includes using winacme to get a cert...

But the trouble is, all that I've been able to figure out so far is to have winacme get a new cert for the new instance. And you can only request, what, 5 new certs every 5 days? When the Devs have a particularly productive (or bug-ridden) week, we hit that limit, and the resulting website doesn't have a cert until the sliding window's cert count drops below the limit.

Every way I've tried to think of to work around this problem seems to be either unsupported by winacme or is more trouble than it's worth:

  • Once I have a cert, ask Windows to export it for me, so I can reuse it rather than ask for a new one? No good. The cert is installed in such a way that the key cannot be exported with it. And the cert is useless without the key.
  • Ask winacme to install the cert such that the key is exportable? No good. Couldn't find such an option.
  • Run a winacme command that, instead of installing the cert for the web server, just gives me the cert with its key, and I'll save them somewhere, and install them myself (well, you know, write code that does) every time a new instance spins up? No good. Couldn't find winacme options for that.
  • Run a winacme command that installs a previously requested/created cert, rather than creates a new one to install? No good. Couldn't find winacme options for that.
  • Central certificate store? Well there are winacme options for that. But it seems an awfully big hammer. I really don't want to have to launch/harden/maintain/pay-for a file server instance just for that.

I was considering certbot because, based on some of the documentation I've seen, it looked like it might support some of the stuff I was looking for that winacme didn't. But if it's "mostly dead" (Miracle Max), I guess I shouldn't go that way.

So, if anyone can clue me in how I can get to where I want to go with winacme, or suggest another still alive acme client for Windows that will give me what I need, I'd be pleased to hear about it.

Thanks.

1 Like

For the same set of hostnames, yes. But why is your workflow making a new certificate for every deployment, rather than storing the certificate somewhere outside and just loading it? I would have the getting and renewing certificate logic entirely separate, saving the cert and key somewhere safe (S3, or Secrets Manager, or whatever), and then have the deployment just read the key and cert from there when it's getting deployed.

Basically this. But it doesn't seem to be a "file server", just load it from S3 like the rest of your code seems to be? You may not need an ACME client at all on your web server, just on the system that's updating the certificate in the separate storage.

I put together a hobby project using Lambda to renew the certificate, though I've made quite a few changes since I wrote that all up, and regardless it's just a source of ideas rather than something really production-ready. But maybe you'd find it helpful.

3 Likes

Well, yes, what you are saying is exactly what I said I wanted to do. But I can't figure out how to do it. Can you tell me exactly the winacme command line that says "create a cert for me, don't stick it in the server, just give me the cert, and its key, and I'll take care of the rest"? Because I've looked. And I couldn't find it.

I think you're looking for the option to just export in PEM format.

Though then you'd need to automate separately actually getting it into your web server.

But it may be that other people around here have more experience with situations like yours; I personally haven't configured certificates on Windows servers for a couple decades now so I may not be the person to be asking. :slight_smile:

4 Likes

Right. It does do a lot. The usage documentation is quite lengthy. Which makes it that much more surprising that I couldn't find an option that does this seemingly simple thing. (Or maybe it's not surprising -- there's SO MUCH documentation that finding the thing you want is needle-in-a-haystack.)

So, has anyone else out there found that needle?

I've used https://certifytheweb.com/ on Windows systems without fail.

It can be set to install the cert into the cert store and export it to other formats and much more...

2 Likes

So this seems more like a devops pipeline that you're trying to put together and as each release push will re-deploy certs I'd suggest storing your certs in a secrets vault like Hashicorp Vault, Azure Keyvault, AWS Secrets Manager etc, then periodically pull the certs from that in your deployment (at startup and perhaps weekly). That way the renewal of your certs is independent of your deployment and you will not hit rate limits etc.

On your Windows instance, which web server/service are you deploying to - is it IIS or something else? Do you target Windows for a specific reason?

3 Likes

Yes, as I've been saying all along, getting my mitts on the cert (and key) myself is exactly what I am wanting to do.

And, as I've been saying all along, getting my mitts on the cert (and key) is exactly what I was having trouble figuring out how to get winacme to let me do.

But, since I started this discussion, I've gone back and taken another look at the docs. And this time, I found --installation script and its sub-options. I think that might do me. The doc doesn't explicitly say that the key will be available, but I'm hopeful. Am going to play with it to find out.

IIS. Lots of dot net. That's why Windows is the best fit. Yeah, I know, dot net is available on other platforms, but it's indigenous to Windows, as are the devs. So, we give the customer what they want.

I'm not a win-acme expert (I'm the developer of Certify The Web) but they do have an option in their settings.json for PrivateKeyExportable which would then let you move the PFX around between machines (the PFX is an archive containing your certificate, required intermediates and the private key).

You can do it in Certify The Web as well [use an Export Certificate deployment task to wherever you want] but for what you need there's no requirement to change client. Once you have your PFX on your destination server you would use powershell to import the cert into the machine certificate store (My/Personal or Web Hosting, doesn't matter), get the cert thumbprint value, then add/update your IIS https binding for your site to use the latest cert. You can use this sort of script: Updating IIS certificates with powershell

I'm not aware of current tools that just take an input certificate from somewhere and it automates the deployment to IIS but that's probably because it's only a few lines of powershell to do.

[Likewise the secrets store method I mentioned, powershell could pull the latest PFX from any of those, install the cert and update the binding.

I should add that when you see options like export to CCS in any tool, all that's doing is copying the PFX out with a specific naming convention, once per domain or wildcard, so it's basically a file copy you can use for other things.]

3 Likes
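An added example, not code from the thread, from win-acme or from Certify The Web, of the two pieces the replies above describe: the "keep the cert in a separate store and have the deployment just read it" design, and the "import the PFX, get the thumbprint, update the IIS https binding" steps. It pulls the PFX from S3 (the store the original poster already uses; a Secrets Manager lookup would replace that one step), imports it without marking the key exportable, checks that the private key actually came along and that the certificate covers the host, then binds it in IIS. It assumes AWS Tools for PowerShell (AWS.Tools.S3) and the WebAdministration module are installed and that the instance role can read the bucket; the bucket, object key, site and host names are placeholders.

```powershell
<#
  Added example: deploy a PFX kept in S3 to an IIS site on instance start-up.
  Assumes AWS.Tools.S3 and WebAdministration are available; all names are placeholders.
#>
param(
    [string]$Bucket     = 'example-cert-bucket',        # placeholder
    [string]$Key        = 'certs/www.example.com.pfx',  # placeholder
    [string]$SiteName   = 'Default Web Site',
    [string]$HostHeader = 'www.example.com',            # placeholder
    [Parameter(Mandatory)][SecureString]$PfxPassword    # supply from Secrets Manager / SSM, never a literal
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Does the certificate cover this host? Exact SAN match, or a wildcard SAN that
# matches exactly one label (*.example.com covers www.example.com, not a.b.example.com).
function Test-CertCoversHost {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    foreach ($san in $Cert.DnsNameList.Unicode) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and ($Name -like $san) -and
            ($Name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. Fetch the latest PFX from the separate store. The ACME client that renews it
#    runs elsewhere, so this instance never talks to the CA and never counts against rate limits.
$pfxPath = Join-Path $env:TEMP ("{0}.pfx" -f [guid]::NewGuid())
Read-S3Object -BucketName $Bucket -Key $Key -File $pfxPath | Out-Null

try {
    # 2. Import into the machine store. -Exportable is deliberately omitted: the key should
    #    not be retrievable from this instance; S3 stays the only place the PFX lives.
    $cert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

    # 3. Refuse to bind anything that would leave the site broken or unprotected.
    if (-not $cert.HasPrivateKey) {
        throw 'PFX carried no private key; re-export it from the ACME client with the key included.'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(7)) {
        throw "Certificate expires $($cert.NotAfter); the renewal job feeding S3 looks stale."
    }
    if (-not (Test-CertCoversHost -Cert $cert -Name $HostHeader)) {
        throw "Certificate does not cover $HostHeader (SANs: $($cert.DnsNameList.Unicode -join ', '))."
    }

    # 4. Create the https binding if the fresh instance does not have one yet (SslFlags 1 = SNI),
    #    then point it at the new thumbprint. Re-running on an unchanged cert is harmless.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader |
        Select-Object -First 1
    if (-not $binding) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader -SslFlags 1
        $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader |
            Select-Object -First 1
    }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')

    Write-Output "Bound $HostHeader on '$SiteName' to $($cert.Thumbprint) (valid until $($cert.NotAfter))"
}
finally {
    # 5. Never leave the PFX (certificate plus private key) lying on disk.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
```

Run it from the instance bootstrap (the same step that unzips the site), passing the PFX password as a SecureString read from Secrets Manager or SSM Parameter Store rather than baked into user data. Because the renewal job is the only thing that ever contacts the CA, redeploying ten times in a week costs nothing in rate limit; the instance only ever re-reads the same object. If the same script is also scheduled weekly on long-lived instances, superseded certificates accumulate in `Cert:\LocalMachine\My`; pruning them by subject is a one-liner, but only do that once you know no other site on the box shares the old certificate.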