Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: keatsmfg.com
I ran this command: None - Expired message started popping up when people used Outlook
It produced this output: This certificate has expired or is not yet valid
My web server is (include version): IIS6
The operating system my web server runs on is (include version): Server 2012 (not R2)
My hosting provider, if applicable, is: None. Local server.
I can login to a root shell on my machine (yes or no, or I don't know): I can log in as admin/powershell
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): Unknown. I did not install this certificate.
We are using this cert on an RDP server. Expired on 07/05. Users received error when sending e-mail from within our manufacturing program. I was not aware of this cert and have not used Let's Encrypt before.
Hi @Mand1, and welcome to the LE community forum
That is very old and likely very insecure too.
Well... you are (or someone for you is) going to have to find out and take control over all that.
[like: how was the cert obtained and where it is being used]
Thanks for the quick reply. Agreed on old and insecure. This is an internal only server that is scheduled to be replaced in the next year.
I found the history through the crt.sh output, so that's something.
Would it make more sense to remove the cert and go through the process of creating a new one under my LE account?
Step #1: What is the current ACME client?
If the certificate is expired, removing it probably won't really help you, and "renewing" and basically the same thing as creating a new one.
The "LE account" isn't really something human-facing, it's all managed by an "ACME client" that's supposed to handle all the work of automatically renewing and installing your certificate for you. Likely one of them is already installed on the server, so the first step may be taking a look at the list of popular "Windows/IIS" clients and seeing if you can find evidence of any of them being installed. (And maybe they have some logging somewhere that tells you why their automatic renewal or installation isn't working anymore.)
You may be able to just install a new client and start using it, which may work, but I'd be hesitant to do so without understanding if there's something already there.
It looks like the cert was renewed according to the output. Unless I'm misunderstanding.
Thanks @petercooperjr. I'll check that info out.
Yes, it's possible that the client is successfully renewing the certificate, but not automatically installing it in all the places that it needs to be.
The most likely apps you would be using to renew your certificate on windows are:
- Certify The Web (which you would find on the machine under C:\Program Files\CertifyTheWeb or in the start menu
- win-acme (which could be installed anywhere but would have files under C:\ProgramData\win-acme)
- Posh-ACME (which is a powershell module)
You may also find a scheduled task under Windows Task Scheduler which would provide a clue.
Is your cert for the RDP host name (so users can connect via RDP)? You mentioned email, so is it an RDP problem or is it an email problem (outlook etc)?
Yeah, the mention of a bare apex name (most likely for a web site), along with mention of both Outlook and RDP confused me as well. I suppose it might be possible for a mail server, RDP server, and web server to all be on the same system but I don't think it's nearly as common a configuration as it might have been in the days of yore.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.