Windows server How to renew a certificate

Hi all,
In Windows Server I have an ISRG Root X1 certificate that expires in a few days; how do I renew it? I tried with certbot but I can't find it.

How did you get the cert in the first place? Try doing that again.

4 Likes

I didn't make this certificate; the old admin made it.

I tried to make a new certificate with certbot but I got some DNS errors.

2023-11-02 16:43:51,235:DEBUG:certbot._internal.main:certbot version: 2.7.2
2023-11-02 16:43:51,235:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Certbot\bin\certbot.exe
2023-11-02 16:43:51,235:DEBUG:certbot._internal.main:Arguments: ['--standalone', '--preferred-challenges', 'http', '-d', '*.coima.it', '-d', 'coima.it', '--preferred-chain', 'ISRG Root X1', '--preconfigured-renewal']
2023-11-02 16:43:51,236:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-11-02 16:43:51,236:DEBUG:certbot.compat.misc:Failed to set console mode
Traceback (most recent call last):
  File "C:\Certbot\pkgs\certbot\compat\misc.py", line 59, in prepare_virtual_console
    h.SetConsoleMode(h.GetConsoleMode() | ENABLE_VIRTUAL_TERMINAL_PROCESSING)
pywintypes.error: (87, 'SetConsoleMode', 'The parameter is incorrect.')
2023-11-02 16:43:51,363:DEBUG:certbot._internal.log:Root logging level set at 30
2023-11-02 16:43:51,375:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2023-11-02 16:43:51,375:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Runs an HTTP server locally which serves the necessary validation files under the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone', value='certbot._internal.plugins.standalone:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x00000079D5ADAC70>
Prep: True
2023-11-02 16:43:51,376:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x00000079D5ADAC70> and installer None
2023-11-02 16:43:51,376:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2023-11-02 16:43:51,611:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1388746176', new_authzr_uri=None, terms_of_service=None), 25423e2a0c0e039ed2875ff9f615844b, Meta(creation_dt=datetime.datetime(2023, 10, 31, 16, 48, 4, tzinfo=<UTC>), creation_host='COSR04.coima.local', register_to_eff=None))>
2023-11-02 16:43:51,666:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-11-02 16:43:51,672:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-11-02 16:43:52,112:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-11-02 16:43:52,114:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Nov 2023 15:43:52 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "EWkQxVEGcoU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-11-02 16:43:52,118:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for *.coima.it and coima.it
2023-11-02 16:43:52,162:DEBUG:acme.client:Requesting fresh nonce
2023-11-02 16:43:52,163:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-11-02 16:43:52,306:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-11-02 16:43:52,307:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Nov 2023 15:43:52 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: UM64FnRuYurpzjTA7aWwdAPXMkrSm0pSi3Z_cGdxUnSzRAUO95Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-11-02 16:43:52,308:DEBUG:acme.client:Storing nonce: UM64FnRuYurpzjTA7aWwdAPXMkrSm0pSi3Z_cGdxUnSzRAUO95Q
2023-11-02 16:43:52,308:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "*.coima.it"\n    },\n    {\n      "type": "dns",\n      "value": "coima.it"\n    }\n  ]\n}'
2023-11-02 16:43:52,322:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM4ODc0NjE3NiIsICJub25jZSI6ICJVTTY0Rm5SdVl1cnB6alRBN2FXd2RBUFhNa3JTbTBwU2kzWl9jR2R4VW5TelJBVU85NVEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "W6Wpd96lV-Q5CsMaVsnospqfBoanlg5PdFiQzDazBpaMjAycf9ydER9H25pGd0sbMUSsJKxuatSCAFWdBTyb_1BGPxthJNUXXJrH5GpE64PmuA9SzqkTs-30PYWLWpSjjuZDpFNaFKdfD4geblv76IdEpNoTff-08ZBUFMXqd_QiwctWQyzDMcBhHDnwxFYvQbNmZZoxKc_GhXQLdGFuZFx7yONPP7ero0fzb9JziD-hUY3IVM3gS57mFIbXrzuq3vFYw3HLWA7zSi8vC2HrIpeHjpcieLCF0FIaUwp70jv5PD3s0qaivHwocPLQFObwkZhy6LExKSygTSpbf0AcLQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIiouY29pbWEuaXQiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAiY29pbWEuaXQiCiAgICB9CiAgXQp9"
}
2023-11-02 16:43:52,488:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 467
2023-11-02 16:43:52,490:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 02 Nov 2023 15:43:52 GMT
Content-Type: application/json
Content-Length: 467
Connection: keep-alive
Boulder-Requester: 1388746176
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1388746176/219399334506
Replay-Nonce: drGA4aWANIUYCKU1BLYu6IUENR6R8Cca0hdO4gjq4KZ5DqW9W3Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-11-07T16:48:21Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.coima.it"
    },
    {
      "type": "dns",
      "value": "coima.it"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/279293496896",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/279913337366"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1388746176/219399334506"
}
2023-11-02 16:43:52,490:DEBUG:acme.client:Storing nonce: drGA4aWANIUYCKU1BLYu6IUENR6R8Cca0hdO4gjq4KZ5DqW9W3Y
2023-11-02 16:43:52,491:DEBUG:acme.client:JWS payload:
b''
2023-11-02 16:43:52,495:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/279293496896:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM4ODc0NjE3NiIsICJub25jZSI6ICJkckdBNGFXQU5JVVlDS1UxQkxZdTZJVUVOUjZSOENjYTBoZE80Z2pxNEtaNURxVzlXM1kiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI3OTI5MzQ5Njg5NiJ9",
  "signature": "bG9oYJFMnkScVwWmO2AmqDxJSHgVLOQ2-u2Qa9FOUOCemAmh-eOXYQ_q9wjN_urANMLSW69qRahWuTowoDl566lPrG9yWJJiHHHquAPklgHeC-wg2GXbKFJDCceAcGCj-Av55iRiW-1m-m-23T5cnJ_P4MUHWH2qeYoCZgmV1mUoaLrH5adgTnNctczojvSinaMmadwCvvOtsGXaWtK50eU6tqA08ljs5xnCtAnQ6ZTL8XS9OoyBE__vWsr5lGIg3q-_Rnruvd7oZra2SEBh9l_fjh_-87YFpcmQjqyD-dt3H7KgmGUi7YxOCSUOZFuenVpIyp-kDTPeRsqT_wTsig",
  "payload": ""
}
2023-11-02 16:43:52,639:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/279293496896 HTTP/1.1" 200 382
2023-11-02 16:43:52,641:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Nov 2023 15:43:52 GMT
Content-Type: application/json
Content-Length: 382
Connection: keep-alive
Boulder-Requester: 1388746176
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: UM64FnRuL_zJVS3zokTr9zOwvNpobyeTXRCx0Qm_BNSUUDERq60
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "coima.it"
  },
  "status": "pending",
  "expires": "2023-11-07T16:48:21Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/279293496896/UC1Ipg",
      "token": "MO1GnMTgDp9Ofz79Kk1xPbwdNfmdxWgYgaZdtT2Mms8"
    }
  ],
  "wildcard": true
}
2023-11-02 16:43:52,641:DEBUG:acme.client:Storing nonce: UM64FnRuL_zJVS3zokTr9zOwvNpobyeTXRCx0Qm_BNSUUDERq60
2023-11-02 16:43:52,642:DEBUG:acme.client:JWS payload:
b''
2023-11-02 16:43:52,644:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/279913337366:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM4ODc0NjE3NiIsICJub25jZSI6ICJVTTY0Rm5SdUxfekpWUzN6b2tUcjl6T3d2TnBvYnllVFhSQ3gwUW1fQk5TVVVERVJxNjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI3OTkxMzMzNzM2NiJ9",
  "signature": "UZRIYx5ZTsV9d1IPCiDPh1eMt2w7-ief7WaPuV8vYcfW3tNlU4jd500C0VqI47oREyE0Lqtv7ZVs-ZWs7Bw-oTouM01kciUnaDciLNeH7uThD9C-NfAIU7Msvwyx-9Ll9PvJG7wIegjQH7VC-G6KbW8tYDUl4Bkbbw7MiK86iiNECTumL0LiML3jr2EXDziIhUnpVnmwqCX3Qbc7SRFMNOxXepcXogQybtQ4U447AxqZ4iX4Isp0fNOAbb_p2slTYiXwssIUGxHbYBWztPHEeu-x_MsZBTtn5dmVWc-j1f9PWhbS8sre8X3oUP2x9FdoKzb-hukn1iBWscmbI7BrFg",
  "payload": ""
}
2023-11-02 16:43:52,790:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/279913337366 HTTP/1.1" 200 792
2023-11-02 16:43:52,791:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Nov 2023 15:43:53 GMT
Content-Type: application/json
Content-Length: 792
Connection: keep-alive
Boulder-Requester: 1388746176
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: UM64FnRugIrlfcQBy8r05s_HlsH9rNSPK9JZSrPRWmKjoESoddk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "coima.it"
  },
  "status": "pending",
  "expires": "2023-11-09T15:19:35Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/279913337366/O8MFrQ",
      "token": "Gh88eKnGp88x5s3QDNGOKmYW2-ezwCllmOMhG01GCAU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/279913337366/YLrNpg",
      "token": "Gh88eKnGp88x5s3QDNGOKmYW2-ezwCllmOMhG01GCAU"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/279913337366/toQ_sQ",
      "token": "Gh88eKnGp88x5s3QDNGOKmYW2-ezwCllmOMhG01GCAU"
    }
  ]
}
2023-11-02 16:43:52,791:DEBUG:acme.client:Storing nonce: UM64FnRugIrlfcQBy8r05s_HlsH9rNSPK9JZSrPRWmKjoESoddk
2023-11-02 16:43:52,792:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-11-02 16:43:52,792:CRITICAL:certbot._internal.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
2023-11-02 16:43:52,794:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 197, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Certbot\pkgs\certbot\main.py", line 19, in main
    return internal_main.main(cli_args)
  File "C:\Certbot\pkgs\certbot\_internal\main.py", line 1873, in main
    return config.func(config, plugins)
  File "C:\Certbot\pkgs\certbot\_internal\main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "C:\Certbot\pkgs\certbot\_internal\main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "C:\Certbot\pkgs\certbot\_internal\client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "C:\Certbot\pkgs\certbot\_internal\client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Certbot\pkgs\certbot\_internal\client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 80, in handle_authorizations
    achalls = self._choose_challenges(authzrs)
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 236, in _choose_challenges
    path = gen_challenge_path(
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 439, in gen_challenge_path
    raise _report_no_chall_path(challbs)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
2023-11-02 16:43:52,796:ERROR:certbot._internal.log:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

What command did you run?

Because you are requesting a wildcard name *.coima.it using the --standalone option. A wildcard requires a DNS challenge, but standalone only does the HTTP challenge.

You can use explicit names like www.coima.it and coima.it with standalone, and even more than just two. But if you require a wildcard name you will need to use a DNS challenge.

3 Likes
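The rule in the reply above (a wildcard authorization offers only dns-01, and standalone can only answer http-01) is exactly what certbot's challenge-path selection enforces before it aborts with the CRITICAL line in the log. The following is an added Python example, not certbot's code, that reproduces that check over two authorization objects constructed from the authz responses in the log above (challenge URLs shortened); the table mapping authenticator plugins to challenge types is an assumption modelled on certbot's plugins.

```python
"""Why `--standalone` cannot satisfy an order that contains a wildcard name.

Added example (not certbot's code). The two authorization objects are
constructed from the authz responses in the log above, with URLs shortened.
"""
from typing import Dict, List, Optional, Set

# Constructed copies of the two authz responses above. The wildcard
# authorization carries the base name plus "wildcard": true and offers
# dns-01 only; the plain name offers all three challenge types.
AUTHZ_RESPONSES: List[dict] = [
    {
        "identifier": {"type": "dns", "value": "coima.it"},
        "status": "pending",
        "challenges": [
            {"type": "dns-01", "status": "pending", "url": "chall-v3/279293496896/UC1Ipg"},
        ],
        "wildcard": True,
    },
    {
        "identifier": {"type": "dns", "value": "coima.it"},
        "status": "pending",
        "challenges": [
            {"type": "http-01", "status": "pending", "url": "chall-v3/279913337366/O8MFrQ"},
            {"type": "dns-01", "status": "pending", "url": "chall-v3/279913337366/YLrNpg"},
            {"type": "tls-alpn-01", "status": "pending", "url": "chall-v3/279913337366/toQ_sQ"},
        ],
    },
]

# Assumed table of which challenge types each authenticator can answer,
# modelled on certbot's plugins: standalone/webroot are HTTP-only, the
# dns-* plugins are DNS-only, manual can do either.
AUTHENTICATOR_CHALLENGES: Dict[str, Set[str]] = {
    "standalone": {"http-01"},
    "webroot": {"http-01"},
    "dns-cloudflare": {"dns-01"},
    "manual": {"http-01", "dns-01"},
}


def identifier_name(authz: dict) -> str:
    """Rebuild the requested name: a wildcard authz holds only the base domain."""
    prefix = "*." if authz.get("wildcard") else ""
    return prefix + authz["identifier"]["value"]


def choose_challenge(authz: dict, supported: Set[str],
                     preferred: Optional[List[str]] = None) -> Optional[dict]:
    """Pick a pending challenge the authenticator supports, honouring the
    --preferred-challenges order when given; None if no candidate exists."""
    candidates = [c for c in authz["challenges"]
                  if c["status"] == "pending" and c["type"] in supported]
    if not candidates:
        return None
    for wanted in preferred or []:
        for c in candidates:
            if c["type"] == wanted:
                return c
    return candidates[0]


def plan_challenges(authzs: List[dict], authenticator: str,
                    preferred: Optional[List[str]] = None) -> Dict[str, Optional[str]]:
    """Map each requested name to the challenge type that would be used,
    or None when the selected authenticator cannot satisfy that name."""
    supported = AUTHENTICATOR_CHALLENGES[authenticator]
    plan: Dict[str, Optional[str]] = {}
    for authz in authzs:
        chosen = choose_challenge(authz, supported, preferred)
        plan[identifier_name(authz)] = chosen["type"] if chosen else None
    return plan


def unsatisfiable_names(plan: Dict[str, Optional[str]]) -> List[str]:
    """Names the CA cannot be convinced of with this authenticator; certbot
    aborts the whole order when this list is non-empty."""
    return [name for name, chall in plan.items() if chall is None]


if __name__ == "__main__":
    for auth in ("standalone", "dns-cloudflare"):
        plan = plan_challenges(AUTHZ_RESPONSES, auth, preferred=["http-01"])
        print(auth, plan, "blocked by:", unsatisfiable_names(plan))
```

Running it shows the failure the log records: with standalone the plan for `*.coima.it` is None, so the order cannot proceed even though `coima.it` alone would be fine; with any DNS authenticator both names get dns-01.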

I'd like to see the renewal configuration file.

Aside from the already mentioned --standalone/Wildcard cert request issue, this might imply that you may need to run certbot with administrative privileges:
[ I'm not 100% certain here - as I don't use certbot for Windows ]

2023-11-02 16:43:51,236:DEBUG:certbot.compat.misc:Failed to set console mode
Traceback (most recent call last):
  File "C:\Certbot\pkgs\certbot\compat\misc.py", line 59, in prepare_virtual_console
    h.SetConsoleMode(h.GetConsoleMode() | ENABLE_VIRTUAL_TERMINAL_PROCESSING)
pywintypes.error: (87, 'SetConsoleMode', 'The parameter is incorrect.')
4 Likes

They possibly didn't use certbot; your current cert appears to be a DigiCert one and they probably ordered that manually from DigiCert.

Your server header says you are using nginx. I would suggest not trying to get a *.wildcard (requiring dns validation etc) and just use http validation. If you want to use standalone mode you need to stop nginx first, to free up port 80 (for http). Alternatively you can use the "webroot" method - nginx experts can direct you to the correct options.

3 Likes

Ok, I decided to make a new certificate: I made a new .key file and used this code for the .crt:

openssl req -new -newkey rsa:2048 -days 90 -extensions v3_ca -subj "/CN=R3 /O=Let's Encrypt /C=US" -addext "subjectAltName = DNS:*.coima.it" -nodes -x509 -sha256 -set_serial 0 -keyout C:\crt\coima.key -out C:\crt\coima.cer

But in the old certificate I've "issued to (my domain)", and in details I have subject (my domain) and enhanced key usage (server authentication and client authentication); how can I correct my code to have this?

That command is making a self-signed cert, not a cert from Let's Encrypt.

4 Likes

Ok, how can I send the certificate that I made to Let's Encrypt?

Now I've made a new certificate with all the info that I need inside; how can I send it to Let's Encrypt?

That is NOT how things work.

You send a request (for a cert) to LE [using an ACME client].
Once approved, then LE sends you a valid cert [one they make for you].

4 Likes
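The reply above describes the ACME exchange: the client sends a signed request and the CA issues the certificate. The following added Python example (not certbot's or Let's Encrypt's code) decodes the new-order JWS recorded earlier in this thread and applies the header checks an ACME server makes before it trusts a request: the nonce must be the one it just issued, the url must match the endpoint that received the request, and kid must name the account. The allow-list of signature algorithms is an assumption for the example, and the signature itself is not verified because the account public key is not in the log.

```python
"""Decode the new-order JWS from the log above and check the request
binding an ACME server enforces. Added example; the JWS fields, nonce,
endpoint and account URL are copied from the log above."""
import base64
import json
from typing import List, Optional, Tuple

# Copied from the POST to /acme/new-order in the log above.
NEW_ORDER_JWS = {
    "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM4ODc0NjE3NiIsICJub25jZSI6ICJVTTY0Rm5SdVl1cnB6alRBN2FXd2RBUFhNa3JTbTBwU2kzWl9jR2R4VW5TelJBVU85NVEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
    "signature": "W6Wpd96lV-Q5CsMaVsnospqfBoanlg5PdFiQzDazBpaMjAycf9ydER9H25pGd0sbMUSsJKxuatSCAFWdBTyb_1BGPxthJNUXXJrH5GpE64PmuA9SzqkTs-30PYWLWpSjjuZDpFNaFKdfD4geblv76IdEpNoTff-08ZBUFMXqd_QiwctWQyzDMcBhHDnwxFYvQbNmZZoxKc_GhXQLdGFuZFx7yONPP7ero0fzb9JziD-hUY3IVM3gS57mFIbXrzuq3vFYw3HLWA7zSi8vC2HrIpeHjpcieLCF0FIaUwp70jv5PD3s0qaivHwocPLQFObwkZhy6LExKSygTSpbf0AcLQ",
    "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIiouY29pbWEuaXQiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAiY29pbWEuaXQiCiAgICB9CiAgXQp9",
}
# The nonce certbot stored from the preceding HEAD /acme/new-nonce response,
# the endpoint the JWS was POSTed to, and the account certbot picked.
STORED_NONCE = "UM64FnRuYurpzjTA7aWwdAPXMkrSm0pSi3Z_cGdxUnSzRAUO95Q"
POST_URL = "https://acme-v02.api.letsencrypt.org/acme/new-order"
ACCOUNT_URL = "https://acme-v02.api.letsencrypt.org/acme/acct/1388746176"

# Assumed allow-list for this example; RFC 8555 requires ES256 support.
ALLOWED_ALGS = ("RS256", "ES256")


def b64url_decode(s: str) -> bytes:
    """JWS base64url omits '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jws(jws: dict) -> Tuple[dict, Optional[dict]]:
    """Return (protected header, payload); an empty payload is POST-as-GET,
    which is what the later authz fetches in the log use."""
    protected = json.loads(b64url_decode(jws["protected"]))
    raw = b64url_decode(jws["payload"])
    payload = json.loads(raw) if raw else None
    return protected, payload


def check_request_binding(jws: dict, expected_nonce: str,
                          expected_url: str, account_url: str) -> List[str]:
    """Header-level checks a CA performs before looking at the signature.
    Signature verification needs the account public key, which the log does
    not contain, so it is deliberately not done here."""
    protected, _ = decode_jws(jws)
    problems: List[str] = []
    if protected.get("alg") not in ALLOWED_ALGS:
        problems.append(f"unexpected alg {protected.get('alg')!r}")
    if ("kid" in protected) == ("jwk" in protected):
        problems.append("exactly one of kid/jwk must be present")
    if protected.get("kid") != account_url:
        problems.append("kid does not name the requesting account")
    if protected.get("nonce") != expected_nonce:
        problems.append("nonce is not the one issued to this client (replayed or stale)")
    if protected.get("url") != expected_url:
        problems.append("url does not match the endpoint that received the request")
    return problems


def requested_names(jws: dict) -> List[str]:
    """The identifiers the client asked the CA to put in the order."""
    _, payload = decode_jws(jws)
    return [ident["value"] for ident in payload["identifiers"]]


if __name__ == "__main__":
    header, body = decode_jws(NEW_ORDER_JWS)
    print(json.dumps(header, indent=2))
    print("requested:", requested_names(NEW_ORDER_JWS))
    print("problems:", check_request_binding(NEW_ORDER_JWS, STORED_NONCE, POST_URL, ACCOUNT_URL))
```

Decoding shows that the client never sends a certificate: the payload is only a list of identifiers, and everything else the CA needs (which account, which endpoint, which fresh nonce) sits in the protected header that the account key signs. Re-running the check with the nonce from the next response in the log reports a nonce mismatch, which is how a replayed request is rejected.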
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09:06:74:aa:cd:0e:34:6c:dc:88:77:dc:62:57:48:f5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
        Validity
            Not Before: Feb 22 00:00:00 2023 GMT
            Not After : Feb 26 23:59:59 2024 GMT
3 Likes

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.