ebekker / acmesharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)

Home Page: https://pkisharp.github.io/ACMESharp-docs/

C# 85.68% PowerShell 14.08% Batchfile 0.25%
dotnet powershell letsencrypt acme-client acme-protocol certificate

acmesharp's Introduction

Hi there

I'm Eugene Bekker.

acmesharp's People

Contributors

ajh16, bitcrazed, bseddon, chernomazov, crou, cylon, ebekker, elupus, exchange12rocks, gitter-badger, janpieterz, jawilson, macharius92, marcus-l, mark320, matbech, matthewsteeples, nul800sebastiaan, philippn, readmecritic, rkerber, stopthatastronaut, webprofusion-chrisc, willdean, woutertinus


acmesharp's Issues

Challenge not comple

I tried to run it on two different servers (W2012 and W2012 R2). I cannot complete the challenge.

If I use Certify GUI, it reports "challenge not yet completed check that http:/... is present and accessible". I checked the URL and it is OK; the file is accessible.

I also tried directly from PowerShell, but still I cannot complete the challenge.
Any idea?

thanks

Remove support old challenge types

As per this, as of Nov 19 the older challenge types are being removed and no longer supported in the LE APIs, so there is really no reason to support the older challenge types of simpleHttp and dvsni, so let's remove these from the code to clean it up.

DISCUSS: Installation issues and experiences

So I just got into the LetsEncrypt beta and came here to try to use this client on my server 2012 machine and am totally lost.

There needs to be an installer. This guide ain't gonna fly for production: https://github.com/ebekker/letsencrypt-win/wiki/Setup-Boulder-CA-on-Amazon-Linux WTF does letsencrypt-win have to do with linux, where there's no powershell?

WTF

I want a BIG BOLD command that I can copy and paste and have everything just work, like they have on https://chocolatey.org/ home page. Anything more and you're botching half the point of letsencrypt.

Is there a chocolatey package for this? Is that the plan?

https://github.com/ebekker/letsencrypt-win/wiki/Example-Usage is way too complex as well. It doesn't even say how to install.

How do I even get started right now?

SAN support?

The linux client supports multiple host names (SAN) - is this possible with this client?

Add ability to specify file path for Manual provider

Right now, doing New-ACMEProviderConfig -WebServerProvider Manual will pop up a notepad instance just so you can optionally provide a path to a file. Would be good to have an option to provide the file path in New-ACMEProviderConfig so that this can be completely automated.

I've looked at the code a bit but I'm not entirely sure where to add it, with some pointers I'd be happy to help out and send a PR.

Leaking temp files

I've noticed at least one place (EditProviderConfig.ProcessRecord) where a GetTempFileName file isn't removed after use. Would you be interested in a PR to deal with tidying up temp files?

Complete-ACMEIdentifier is not recognized as the name of a cmdlet, function etc.

Following along with the example in the Readme.md, I received an error when I attempted to execute

Complete-ACMEIdentifier -Ref dns1 -Challenge simpleHttp -ProviderConfig s3HttpProvider

The error message was: "The term 'Complete-ACMEIdentifier' is not recognized as the name of a cmdlet, function, script file, or operable program"

Looking at the source code I was unable to find this function.

Submit-ACMEChallenge : Unexpected error

I am working through this using manual dns
I have added the TXT record to my domain and now trying to tell ACME I am finished.

I am running into the following error doing Submit-ACMEChallenge. Please help.

Submit-ACMEChallenge -Ref dns1 -Challenge dns-01
Submit-ACMEChallenge : Unexpected error
At line:1 char:1
+ Submit-ACMEChallenge -Ref dns1 -Challenge dns-01
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMEChallenge], AcmeWebException
    + FullyQualifiedErrorId : ACMESharp.AcmeClient+AcmeWebException,ACMESharp.POSH.SubmitChallenge

Renewal / Revoke

The certificates I got are currently valid for 3 months. So I tried to find how to do renewals, but didn't find how to do this. I guess the only way is to create a new identifier with a new alias?

Same thing if I would want to revoke the certificate.

Would there be a way to increase the validity?

Getting exception when Install-ACMECertificateToIIS

All steps from Example-Usage go fine, except the last one. When I try to Install-ACMECertificateToIIS -Certificate cert1 -RemoteSession $pss -WebSite "Default Web Site" -Replace
error

I suppose this error appears in IIS, bad configuration, but maybe not. Can somebody explain to me what the error means and how to install the certificate?
And one more question: can somebody show me how to automate the whole process? Thanks!

manualDnsServerProvider

hi,

I generated a ManualDnsServer config file and changed the DefaultDomain to my domain name, but when I run Complete-ACMEChallenge I get this error:

Complete-ACMEChallenge : Specified argument was out of the range of valid values.

The format of my domain name is like google.fr.

DISCUSS: Can we break out the Vault and related APIs from POSH to be usable by other code?

It seems there might be some value in decoupling the Vault concept and related API from the POSH module, as discussed in #12, such as in this comment.

If we want to isolate the Vault as a common entity that can be leveraged by multiple clients, we would need to pull it out into its own assembly from the POSH stuff. Also we'll have to refine the API to make use of more well-defined and standardized constructs such as the different assets.

Right now the Vault treats all of these as opaque and only provides facilities to tag them as a specific logical type. But if we want two different clients to understand the content of a Vault, they need to use a standard format for all the elements contained within.

Automagic Timed Event Script

Would be cool to see a script that can run as a timed event that will configure any websites that don't have https, then for all that do, fetch a new cert if it's been more than a month since the last cert.

CertificateProvider TargetInvocationException

When running:

New-ACMECertificate -Identifier $webalias -Alias $certalias -Generate
Submit-ACMECertificate -Ref $certalias

I get the following:

Submit-ACMECertificate : Exception has been thrown by the target of an invocation.
At line:1 char:1
+ Submit-ACMECertificate -Ref $certalias
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], TargetInvocationException
    + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,ACMESharp.POSH.SubmitCertificate

I have narrowed it down to
ACMESharp-master\ACMESharp\ACMESharp\PKI\CertificateProvider.cs, Line 148

Code:
    return (CertificateProvider)t.GetConstructor(PROVIDER_CTOR_SIG)
        .Invoke(new[] { initParams });

Optional password for exporting certificates

My hosting provider requires me to have a password on the pfx file I need to provide to get https enabled on my site. I don't know if all of the exported types support exporting with a password? It would be good to add support for optionally adding a password.

Happy to work on this!

Getting Chain Certificate for Apache 2.4

I use the following line to get my certificates after a successful ACME challenge:

Get-ACMECertificate -Ref cert1 -ExportKeyPEM cert1-key.pem -ExportCertificatePEM cert1-crt.pem

However I don't know how to feed Apache with them, as it needs 3 files:

SSLCertificateFile <path_to>/cert.pem
SSLCertificateKeyFile <path_to>/privkey.pem
SSLCertificateChainFile <path_to>/chain.pem

At this moment, my browser detects a non-trusted certificate issued by "happy hacker fake CA" (BTW a terrible name if you ask me...).

Add support for related assets in POSH Vault Provider API

The VaultProvider interface needs to be enhanced to support attaching or embedding various related assets that are part of the logical state of the Vault. Right now the code is peppered with one-off file saving/loading routines, which breaks the concept of the Vault API as a logical store of all state related to an ACME registration and child assets. The API is also meant to keep the back-end store independent of any specific implementation, including a file system.

We should enhance the API to support the concept of assets which can be created, queried for, saved to and loaded from.

Complete-ACMEChallenge : Access to the path 'C:\inetpub.asci.be\supportroot' is denied.

I'm quite new with all this stuff so I guess I'm doing something wrong.
Now I get an access denied for my webcontent folder.

manualHttpProvider:
{
  "Provider": {
    "$type": "LetsEncrypt.ACME.WebServer.ManualWebServerProvider, LetsEncrypt.ACME",
    "FilePath": "C:\inetpub.asci.be\supportroot"
  }
}

Script :
mkdir c:\Vault
cd c:\Vault
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
Import-Module C:\letsencrypt-win\bin\ACMEPowerShell
Initialize-ACMEVault -BaseURI https://acme-staging.api.letsencrypt.org/
New-ACMERegistration -Contacts mailto:[email protected]
Update-ACMERegistration -AcceptTOS
New-ACMEIdentifier -Dns asci.be -Alias dns1 -Label "DNS asci.be" -Memo "asci.be"
New-ACMEProviderConfig -DnsProvider Manual -Alias manualDnsProvider
New-ACMEProviderConfig -DnsProvider AwsRoute53 -Alias r53DnsProvider
New-ACMEProviderConfig -WebServerProvider Manual -Alias manualHttpProvider
New-ACMEProviderConfig -WebServerProvider AwsS3 -Alias s3HttpProvider
Edit-ACMEProviderConfig -List
Edit-ACMEProviderConfig -Ref manualHttpProvider
Complete-ACMEChallenge -Ref dns1 -Challenge simpleHttp -ProviderConfig manualHttpProvider

Error:
PS C:\vault> Complete-ACMEChallenge -Ref dns1 -Challenge simpleHttp -ProviderConfig manualHttpProvider
Complete-ACMEChallenge : Could not find a part of the path 'C:\inetpub.asci.be\supportroot'.
At line:1 char:1
+ Complete-ACMEChallenge -Ref dns1 -Challenge simpleHttp -ProviderConfig manualHtt ...
    + CategoryInfo          : NotSpecified: (:) [Complete-ACMEChallenge], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,LetsEncrypt.ACME.POSH.CompleteChallenge

Library not compliant DNX (like HttpWebRequest/Response instead of HttpClient)

The code is not designed to use recent classes like "HttpClient" that provide a lot of async methods.
I've just tried to move the code to DNX and I'm having a LOT of trouble recoding "AcmeClient.cs" because the code is based on legacy classes (that were supposed to be replaced since .NET 4.5 and so on :)

There are a few other things like this one in other places; I can't list all of them so far.

DNS challenge validation fails

The DNS-type Challenge for a DNS-type Identifier Authorization has been implemented as per the ACME spec; however, testing against the Boulder CA fails.

The ACME sequence of steps entails:
1. Submit a New Authorization for a DNS-type Identifier, receive an Authorization object with a list of Challenges.
2. For the DNS-type Challenge, create the necessary TXT record with a name of _acme-challenge.your.target.domain and value of the JWS signature.
3. Submit a Challenge Validation response to the URI in the original Challenge to signal the challenge has been satisfied and can be validated.
4. Query the status of the pending DNS-type Challenge via the URI in the original Challenge.

All the steps above complete successfully and without any error at the protocol level, except that the final status of the DNS-type Challenge in the last step query indicates invalid.

Upon inspection, we see the Boulder console indicates Correct value not found for DNS challenge. Note, for our testing we updated the dnsResolver setting in the test/boulder-config.json to point to a real DNS server (Windows AD) and created the necessary record in the second step above to satisfy the challenge.

Installing a Certificate to IIS webapplication (Windows Server 2016).

When running the following on Windows Server 2016 Server IT Preview 3 via PowerShell v5 x86, I am coming across this error while attempting to replace the certificate.

PS C:\Vault2> Install-ACMECertificateToIIS -Certificate cert12 -WebSite "SharePoint - www.danielbrown.id.au80" -Replace
WARNING: Params:
WARNING: * F72C33EFE5C23AC4C83360D3A493E0540488042D
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\2\tmp7F23.tmp
WARNING: * 0
WARNING: * False
WARNING: * True
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
Exception calling "Invoke" with "1" argument(s): "Retrieving the COM class factory for component with CLSID
{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception
from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))."
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:214 char:3
+     $script.Invoke($invArgs)
+     ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CmdletInvocationException

Likewise if i attempt to install a fresh certificate (and not replace the existing).
PS C:\Vault2> Install-ACMECertificateToIIS -Certificate cert12 -WebSite "SharePoint - www.danielbrown.id.au80" -Port 443
WARNING: Params:
WARNING: * F72C33EFE5C23AC4C83360D3A493E0540488042D
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\2\tmp8DA8.tmp
WARNING: * 0
WARNING: * False
WARNING: * False
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
Exception calling "Invoke" with "1" argument(s): "Retrieving the COM class factory for component with CLSID
{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception
from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))."
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:214 char:3
+     $script.Invoke($invArgs)
+     ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CmdletInvocationException

Line 214 (and then some):
$invArgs = @(
    ,$ci.Thumbprint
    ,$pfxTemp
    ,$null ## $pfxBytes
    ,$SNIRequired.IsPresent
    ,$Replace.IsPresent
    ,$webBindingArgs
    ,$sslBinding
)
$script.Invoke($invArgs)

-DB

Join Twitter

With no email, blog or Twitter handle listed on your account, it's kinda hard to ping you.

Perhaps this was intentional?

Either way, it'd be great if you could create a Twitter account (and state it on your profile page) so that I and others who are interested in what you're doing with AcmeSharp can ping you (only) when necessary!

Many thanks

Unable to resubmit challenge that has failed

If I use Submit-ACMEChallenge and it fails for some reason - say the validation file wasn't available on the expected URL - then I want to be able to fix the problem and re-submit the validation.

However, if I try to do that I get an "Unexpected error" from Submit-ACMEChallenge.

I have tried calling Complete-ACMEChallenge with -Regenerate and/or -Repeat but neither seem to resolve this problem.

Issue with extensionless static file mapping in IIS

I found that I had to modify the extensionless file mapping in the web.config file in order to get IIS to serve the challenge file. The change I made was to remove the asterisk from the extension in the mapping - so I changed to the following:

<staticContent>
    <mimeMap fileExtension="." mimeType="text/json" />
</staticContent>

The letsencrypt simple project regenerates the web.config every time it runs, so to make this change I had to add the mapping above in the root web.config.

This was on IIS7.5 on Windows Server 2008 R2.

Initialize-ACMEVault : Vault root path is not empty

I'm getting the error Vault root path is not empty while it is newly created.

PS C:\Vault> attrib
File not found - C:\Vault*.*
PS C:\Vault> Import-Module C:\letsencrypt-win\bin\ACMEPowerShell
PS C:\Vault> Initialize-ACMEVault -BaseURI https://acme-staging.api.letsencrypt.org/
Initialize-ACMEVault : Vault root path is not empty
At line:1 char:1
+ Initialize-ACMEVault -BaseURI https://acme-staging.api.letsencrypt.org/
    + CategoryInfo          : NotSpecified: (:) [Initialize-ACMEVault], Exception
    + FullyQualifiedErrorId : System.Exception,LetsEncrypt.ACME.POSH.InitializeVault

Any idea how I can solve this ?

Improve experience when submitting a Challenge Response

As documented in #49, if a Challenge has been unsuccessfully submitted and transitions into the invalid state, then that Challenge can no longer be submitted and a new Identifier Authorization request should be issued.

To help the user experience with this situation, we should update the relevant cmdlets to test for the current (or last status) received for a given Challenge, and if it's not in Pending state, then print out a warning and abort. The -Force flag will allow a user to force the retry on an existing Challenge in either case.

Submit-ACMECertificate reporting "The system cannot find the file specified"

Great work with this, looking forward to giving it a good try with my sites.

So far, I've gotten as far as Submit-ACMECertificate, where it reports:

Submit-ACMECertificate : The system cannot find the file specified.
At line:1 char:1
+ Submit-ACMECertificate -Ref cert2
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], CryptographicException
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,LetsEncrypt.ACME.POSH.SubmitCertificate

I am running Powershell as Admin, x86, tho the gotcha is, it is Windows 2016 Preview 3.

I've tried copying the files to the operating directory, checked logs/event logs and cannot seem to find much sorry.

Just using the example on the usage wiki with domains & paths changed.

Running Update-ACMECertificate produces:

PS C:\Vault> Update-ACMECertificate -Ref cert2
Update-ACMECertificate : Certificate has not been submitted yet; cannot update status
At line:1 char:1
+ Update-ACMECertificate -Ref cert2
    + CategoryInfo          : NotSpecified: (:) [Update-ACMECertificate], Exception
    + FullyQualifiedErrorId : System.Exception,LetsEncrypt.ACME.POSH.UpdateCertificate

Not sure what is going on / next steps sorry.

Any help would be greatly appreciated.

Refactor the use of OpenSSL into a provider interface for PKI Cert Management

As discussed here and here, it would be nice to decouple the ACME library and clients from the OpenSSL library.

We can convert all the OpenSSL integration points into a well-defined interface of dependencies on PKI certificate management calls, and then refactor the current use of OpenSSL assembly and native library into the first implementation of this new interface.

Thereafter, we can provide an alternative implementation that is based on the well-defined and commonly used OpenSSL CLI interface (i.e. calling into a console binary). This will allow us to resolve the issue with 32-bit/64-bit compatibility, and also allow end-users to substitute the console binary with any other CLI-compatible program (e.g. a different version of the OpenSSL console binary, or an alternative implementation, such as LibreSSL).

Finally, by abstracting out the cert management interface, we can make use of completely different implementations such as one that is based on the Windows-native CertEnroll API.

Implement a server-based Vault Provider

Instead of using a local file-based state store, implement a Vault Provider that persists its state to a server such as a SQL back-end (EF?), a NoSQL back-end (DynamoDB, Redis, RavenDB, DocumentDB, etc.) or a remote file store (S3, BLOB, OneDrive, Google Drive, etc).

The Vault Provider interface is fairly simple and won't get too much more complicated, so it's possible to write one or a few base class implementations, and then multiple concrete implementations as per the examples above.

A server-based Vault will make it more manageable to keep track of multiple ACME-issued certs across multiple servers.

Add/update ACME server endpoint to point to reference the ACME BETA/PROD URL

Add the Let's Encrypt BETA API endpoint, which will become PROD.

This BETA/PROD API endpoint should be the default option for the POSH module, but overridable and customizable to talk to other endpoints, such as the current LE STAGE endpoint.

The new API endpoints base is: https://acme-v01.api.letsencrypt.org/

The directory of all basic ACME resources can be found at the directory under this base.

Local WebServerProvider to complete the challange (Needed e.g. for a FritzBox)

Hi there,

I really like the idea and the usage of this project. I think I could already do what I need with the current implementation, but I want to have it easier and maybe also usable for a lot of other people.

My use case is the following. I have a Fritzbox (router) that supports access via HTTPS and also uploading a user-defined certificate, but I have no access to the root folder, so I cannot place the file under ".well-known....". My solution is to set up a port forwarding and create a local temporary web server on my Windows machine to complete the ACME challenge there, and then upload the certificate to the router.

I know that there are plenty of other solutions (Linux VM, jailbreak the router, and so on) but for me it seems to be the easiest solution.

As far as I understand the code, I simply write a WebServerProvider that then hosts the file locally, where a simple HTTP server can be used. In detail it might be more tricky, but I think it should work this way.

Is anybody interested in this enhancement, or is this too far away from the idea of this project?
Or can maybe someone just implement this in a short time, because I would have to get more into the code to write something that might be usable for others.

Thanks in advance for any notes, suggestions or help.

Simplification opportunity in NewProviderConfig.ProcessRecord?

While looking at extending the use of the TemporaryFile wrapper, I was pondering a bit of refactoring in NewProviderConfig.ProcessRecord.

This contains the following code:

var output = JsonConvert.SerializeObject(config);
s = new MemoryStream(Encoding.UTF8.GetBytes(output));
using (var fs = new FileStream(temp, FileMode.Create))
{
    s.CopyTo(fs);
}  

Is there any reason not to replace this with:

File.WriteAllText(temp, JsonConvert.SerializeObject(config));

Extensionless Static Files are Very Painful to Configure Under IIS

Extensionless Static Files are disabled in IIS and are extremely tricky to enable.

Here's the error message I put into the client to try to help:

Most likely this was caused by IIS not being setup to handle extensionless
static files. Here's how to fix that:

  1. Goto Site/Server->Mime Types
  2. Add a mime type of .* (application/octet-stream)
  3. Goto Site/Server->Handler Mappings->View Ordered List
  4. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
    (like this http://i.stack.imgur.com/nkvrL.png)

This problem defeats the entire point of lets encrypt being super easy to use.

Can we maybe save the http-01 answer out to a .txt file and have the ACME server check for it there as a second try? Is there some way to tell the server an extension, or can the servers just be changed to request the answer at a .txt file extension?

AWS CloudFront certificates

My use case is trying to make a letsencrypt closed-beta cert for use on Amazon CloudFront, without involving Elastic Beanstalk. I'm running the POSH files on Windows 10. Here are some questions and feedback on the process.

  1. Is there a way to obtain the "cert chain" for use with AWS, such that the result is publicly trusted? Probably this is a feature request for Get-ACMECertificate, to have a way to write out the cert chain file, in case someone wants to use AWS command line interface "CLI" directly. What I did was to use Notepad to combine the isrgrootx1.pem and letsencryptauthorityx1.pem (downloaded from letsencrypt.org) into a "chain" file, and included that file in the upload to AWS CloudFront (using AWS CLI). All that was accepted by CloudFront and -- retesting a few minutes ago -- the end result seems 100% okay (this is a big improvement compared to testing last week).
  2. The reason I used AWS CLI is that I got stuck on the very last steps of the example syntax for the AWS certs. In particular,

Install-ACMECertificateToAWS

gave me this yesterday:

Get-ACMECertificate : The file 'C:(snip)\tmp4F87.tmp' already exists.
At (snip)letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME.POSH\ACMEPowerShell-AWS\ACMEPowerShell-AWS.psm1:73 char:2
+  Get-ACMECertificate    -Ref $Certificate `
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ACMECertificate], IOException
    + FullyQualifiedErrorId : System.IO.IOException,LetsEncrypt.ACME.POSH.GetCertificate

SerialNumber : 009813F47513E5750B43E7431E971E44BD
Thumbprint : 3EAE91937EC85D74483FF4B77B07B43E2AF36BF4
Signature : 3EAE91937EC85D74483FF4B77B07B43E2AF36BF4
SignatureAlgorithm : sha256RSA
CrtPemFile : ca-009813F47513E5750B43E7431E971E44BD-crt.pem
CrtDerFile : ca-009813F47513E5750B43E7431E971E44BD-crt.der

Publish-IAMServerCertificate : A parameter cannot be found that matches parameter name 'Credentials'.
At (snip)\letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME.POSH\ACMEPowerShell-AWS\ACMEPowerShell-AWS.psm1:140 char:57
+ ... $awsCertMeta = Publish-IAMServerCertificate @apiArgs @awsBaseArgs
+                                                          ~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Publish-IAMServerCertificate], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Amazon.PowerShell.Cmdlets.IAM.PublishIAMServerCertificateCmdlet

  3. This last issue is 100% repeatable across ~15 AWS cert attempts. Every time after

Complete-ACMEChallenge

it turns out that I have to adjust properties on the /.well-known/ acme challenge file with a public ACL, and then continue with the next step, Submit-ACMEChallenge. I find that both parent "folders" are public but the challenge file itself is not public.

I hope all this info helps! I am fairly new to github so please tell me if I should be sending this type of info through another channel.

Could not submit certificate request on production service

Hi, I get the following error when try to submit a certificate request on production.

ACMESharp.AcmeClient+AcmeWebException: Unexpected error ---> System.Net.WebException:
Remote Server return an error: (429) Unknown.
at System.Net.HttpWebRequest.GetResponse()
at ACMESharp.AcmeClient.RequestHttpPost(Uri uri, Object message) at C:\ACMESharp\ACMESharp\ACMESharp\AcmeClient.cs:line 576
at ACMESharp.AcmeClient.RequestCertificate(String csrContent) at C:\ACMESharp\ACMESharp\ACMESharp\AcmeClient.cs:line 449
at ACMESharp.POSH.SubmitCertificate.ProcessRecord() at C:\ACMESharp\ACMESharp\ACMESharp.POSH\SubmitCertificate.cs:line 136

Some days ago, the production server worked. I don't get this exception on STAGING environment.
Is something broken?

ManualWebServer provider and FilePath Empty

Hi,

File ManualWebServerProvider.cs

Line 21 : path = Path.GetTempFileName();

According to Microsoft's documentation, this method creates a temp file,

but

Line 29 : using (var fs = new FileStream(path, FileMode.CreateNew))

According to Microsoft's documentation, the enumeration value FileMode.CreateNew throws an exception if the file exists; in this case the file already exists, so an exception is thrown.
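The following is an added example written for this page, not ACMESharp code, covering this issue together with the earlier "Leaking temp files" and "Simplification opportunity in NewProviderConfig.ProcessRecord" issues: it reproduces the GetTempFileName/CreateNew mismatch, then shows the corrected pattern (File.WriteAllText plus an IDisposable wrapper that deletes the file). TemporaryFile and TempFileDemo are assumed names.

```csharp
using System;
using System.IO;

// Added example, not ACMESharp code. Path.GetTempFileName() creates a zero-byte file on
// disk, so opening that same path with FileMode.CreateNew always throws IOException; the
// fix is FileMode.Create (or File.WriteAllText), and wrapping the name in IDisposable
// removes the file deterministically instead of leaking it. Names here are assumed.
public sealed class TemporaryFile : IDisposable
{
    public string FilePath { get; private set; }

    public TemporaryFile()
    {
        FilePath = Path.GetTempFileName(); // the file exists from this point on
    }

    // File.WriteAllText truncates the existing file; CreateNew would have thrown here.
    public void WriteAllText(string content)
    {
        File.WriteAllText(FilePath, content);
    }

    public string ReadAllText()
    {
        return File.ReadAllText(FilePath);
    }

    public void Dispose()
    {
        try
        {
            if (File.Exists(FilePath))
                File.Delete(FilePath);
        }
        catch (IOException)
        {
            // best effort: a locked temp file must not turn cleanup into a crash
        }
    }
}

public static class TempFileDemo
{
    // Reproduces the defect reported above: CreateNew on a path GetTempFileName created.
    public static bool CreateNewFailsOnFreshTempFile()
    {
        var path = Path.GetTempFileName();
        try
        {
            using (new FileStream(path, FileMode.CreateNew)) { }
            return false; // not reached: the file already exists
        }
        catch (IOException)
        {
            return true;
        }
        finally
        {
            File.Delete(path);
        }
    }

    // Corrected pattern: write the serialized config straight to the temp file, read it
    // back, and confirm the file is gone once the using block ends.
    public static string RoundTrip(string json)
    {
        string path;
        string readBack;
        using (var tmp = new TemporaryFile())
        {
            path = tmp.FilePath;
            tmp.WriteAllText(json);
            readBack = tmp.ReadAllText();
        }
        if (File.Exists(path))
            throw new InvalidOperationException("temp file leaked: " + path);
        return readBack;
    }

    public static void Main()
    {
        Console.WriteLine("CreateNew throws on a GetTempFileName path: " + CreateNewFailsOnFreshTempFile());
        // constructed sample provider config, not a real vault entry
        Console.WriteLine("round trip: " + RoundTrip("{\"Provider\":{\"FilePath\":\"C:\\\\example\"}}"));
    }
}
```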

Compatibility with more versions of PowerShell and .NET

As per this comment it would be nice to support more versions of PowerShell and the .NET framework.

Currently, le-win is being developed on PowerShell 4 which is available by default for Win2012R2 and Win 8.1. This also implies a requirement for .NET 4.5.

PowerShell and .NET compatibility requirements are found here.

Feedback - suggestions

Your Example-Usage Wiki [at https://github.com/ebekker/ACMESharp/wiki/Example-Usage] has Import-Module ACMEPowerShell as almost the first step. Many PowerShell admins will assume that this should work after downloading your git project. It took me a while to find the other url where "artifacts" can be downloaded that include a working .dll. Suggest adding instructions for PowerShell users who do not have a Visual Studio background on where they can download a compiled package so that the command Import-Module ACMEPowerShell works.

Please provide more detailed help output when running help *command* -full from a PowerShell console.

Running Initialize-ACMEVault with the '-verbose' parameter does not output any verbose information. Suggest adding at least one verbose message in there so users feel comforted.

Running New-ACMERegistration with the -verbose parameter does not output any verbose information. Suggest adding at least one verbose message in there so users feel comforted.

Running New-ACMERegistration and providing random characters for the -contacts parameter results in a generic 'Unexpected error'. Suggest providing examples of formats that the contacts parameter accepts in the error output.

Running New-ACMERegistration and providing a valid -contacts mailto:[email protected] parameter initially resulted in a New-ACMERegistration : Unexpected error message for me. I had to resort to installing Fiddler in order to capture https traffic to determine that the error returned by the ACME server was actually detail=Error creating new registration :: Validation of contact mailto:[email protected] failed: Server failure at resolver. Please consider echoing the error message returned by the ACME server to the powershell error message. I was able to continue by using a different e-mail address.

Running commands such as New-ACMERegistration and Get-ACMEIdentifier when the current directory is not c:\Vault results in the following error message New-ACMERegistration : Vault root path does not contain vault data. Can that be changed to be something like Current directory does not contain vault data, please change into a vault directory or specify a vault directory with -VaultProfile

The wiki appears to skip a few steps in the 'Defining Providers' section. The line Submit-ACMEChallenge -Ref dns1 -Challenge http-01 mentions '-Challenge http-01' but the identifier 'http-01' is not mentioned ahead of time. Not sure where you got that from.

Also, I personally would love an example of how to perform a 'manualDnsProvider' process. The json that pops up when I run New-ACMEProviderConfig -DnsProvider Manual is fairly basic and doesn't hint at what I should do next. (also, running New-ACMEProviderConfig -verbose doesn't output any verbose messages :) )

That's as far as I got tonight. Thank you for reading this report.

Submit-ACMEChallenge returns Unexpected Error

I'm following this tutorial:

https://cultiv.nl/blog/lets-encrypt-on-windows/

but when I get to the Submit-ACMEChallenge statement, this is what I get:

Submit-ACMECertificate : Unexpected error
+ $certificateInfo = Submit-ACMECertificate -Ref cert1
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], AcmeWebException
    + FullyQualifiedErrorId : ACMESharp.AcmeClient+AcmeWebException,ACMESharp.POSH.SubmitCertificate

How can I fix it?

Add an HTTP challenge handling provider to address common IIS Site use cases

Based on the initial feedback and observations in #10, an obvious improvement would be to add a new HTTP challenge-handling provider that will address some very common use cases for a local IIS server:

  • Configuration should point to a site's root folder
  • Test and warn if the current context is not running with elevated privileges which may prevent the process from writing to the target destination under IIS default site root.
  • Create the necessary folder structure as prescribed by the ACME spec and write the challenge response out to a file named as per the challenge response. This should eliminate most manual steps and have the site ready for validation by the ACME server.
  • Generate a local web.config file that resolves the IIS default error response when serving up files without an extension.
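A sketch of the provider proposed above, written for this page as an added example and not code from the ACMESharp project: it carries out the four bullets (elevation check, folder creation, response file, scoped web.config) for an http-01 challenge under an IIS site root, and also addresses the extensionless-static-file problems reported in the two IIS issues earlier on this page. The class, method and parameter names and the web.config contents are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not ACMESharp code: a minimal local-IIS http-01 handler that does what the
// issue proposes. IisHttpChallengeHandler, siteRoot, token and responseContent are assumed names.
public static class IisHttpChallengeHandler
{
    // Scoped web.config dropped into .well-known\acme-challenge (assumed content, a common
    // pattern): maps extensionless files to a MIME type and puts the static-file handler first,
    // so IIS serves the token file instead of letting extensionless-URL handlers return 404.
    private const string ChallengeWebConfig =
@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
  <system.webServer>
    <staticContent>
      <clear />
      <mimeMap fileExtension=""."" mimeType=""text/plain"" />
    </staticContent>
    <handlers>
      <clear />
      <add name=""StaticFile"" path=""*"" verb=""*"" modules=""StaticFileModule"" resourceType=""Either"" requireAccess=""Read"" />
    </handlers>
  </system.webServer>
</configuration>";

    // Bullet 2: writing under the IIS default site root usually needs an elevated process.
    public static bool IsElevated()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Bullets 1, 3 and 4: create <siteRoot>\.well-known\acme-challenge, write the response
    // file named after the challenge token, and drop the web.config beside it.
    // Returns the full path of the written response file.
    public static string WriteChallenge(string siteRoot, string token, string responseContent)
    {
        if (!Directory.Exists(siteRoot))
            throw new DirectoryNotFoundException("site root not found: " + siteRoot);

        // The token names a file inside the challenge folder; refuse anything that could
        // point outside it (path separators, drive letters, '..').
        if (string.IsNullOrEmpty(token)
            || token.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || token.Contains(".."))
            throw new ArgumentException("challenge token is not a plain file name", "token");

        if (!IsElevated())
            Console.Error.WriteLine("WARNING: not running elevated; writing to the site root may be denied.");

        var challengeDir = Path.Combine(siteRoot, ".well-known", "acme-challenge");
        Directory.CreateDirectory(challengeDir);

        var webConfigPath = Path.Combine(challengeDir, "web.config");
        if (!File.Exists(webConfigPath))
            File.WriteAllText(webConfigPath, ChallengeWebConfig);

        var responsePath = Path.Combine(challengeDir, token);
        File.WriteAllText(responsePath, responseContent);
        return responsePath;
    }

    // Remove the response file once the ACME server has validated (or rejected) the challenge,
    // so stale tokens do not accumulate under the site root.
    public static void RemoveChallenge(string siteRoot, string token)
    {
        var responsePath = Path.Combine(siteRoot, ".well-known", "acme-challenge", token);
        if (File.Exists(responsePath))
            File.Delete(responsePath);
    }
}
```

The MIME type in the web.config is a choice; the issues above use text/json and application/octet-stream, and the ACME server does not check it.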
