
Comments (19)

glatzert commented on September 27, 2024

Exactly - the AppPoolIdentity is used for all requests to the ADCS and thus needs proper permissions.

from acme-server-adcs.

glatzert commented on September 27, 2024

First you can take a look into the Event log of the web server - it might contain further information.
Second you should take a look into the adcs server event and security logs - it'll tell you why it won't issue certificates.

Seyfle commented on September 27, 2024

Thanks for your reply but I have nothing in my Webserver log and I'm gonna take a look in the ADCS logs.

I'll come back to you when I have more information :)

Seyfle commented on September 27, 2024

I have my response, it's the user that can't create the certificate. To change the user that makes the request, do I need to modify the user in the IIS-APP Pool?

Thanks.

Seyfle commented on September 27, 2024

Hello,
I have changed the account in the App-Pool configuration but now I've the same error but now I don't have any ADCS logs anymore.

Is this normal?

glatzert commented on September 27, 2024

Does ACME-ADCS still run with the new Identity?
You should be able to request the path '/' for the service description.
Also, ACME-ADCS will log rather extensively if you enable debug logging - but the account needs proper write permissions for your logging target.
If nothing helps, ASP.NET Core will (most times) log into the event log.
If that also does not help, you can redirect the stdout of ASP.NET Core via web.config.

Seyfle commented on September 27, 2024

When I call "/" I get this: {"newNonce":"http://svname/new-nonce","newAccount":"http://svname/new-account","newOrder":"http://svname/new-order","meta":{"externalAccountRequired":false}}

Can I ask you what "externalAccountRequired" means?

I think it might be the problem?

And yes, my app still runs with my account (for the moment) that has the right to write in the template that I gave it.

In the app log I got this:
{"@t":"2023-10-19T07:02:59.1274635Z","@m":"Try to issue certificate for CSR: CSR HERE","@i":"317fe2e9","@l":"Debug","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"}
{"@t":"2023-10-19T07:02:59.2202465Z","@m":"Exception has been raised during certificate issuance.","@i":"34777d5d","@l":"Error","@x":"System.ArgumentException: CCertRequest::Submit: Paramètre incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)\r\n at CERTCLILib.CCertRequestClass.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)\r\n at TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer.IssueCertificate(String csr, CancellationToken cancellationToken)

glatzert commented on September 27, 2024

Hm - the message is very broad.
Nevertheless I would assume that to be showing up at the ADCS (at least in Debug logs?)
Only thing I found with my GoogleFu was a hint that the template might not be correct.

Perhaps you can log on as that user and check if you would be able to get that certificate via mmc (to make sure the user / certificate are a valid combination)?

Seyfle commented on September 27, 2024

I'll try that and come back to you.

Thanks for the help!

Seyfle commented on September 27, 2024

Hello,

After trying with an account that has all privileges I can't issue the cert with ACME. I think it comes because of the CSR, or fields that are not completed in the ADCS. Because I have the same error.

Do you know how I should configure this template?

glatzert commented on September 27, 2024

I've always been using a copy of the Web Server Template and that worked fine, IIRC (I used ACME-PS for general testing, but also made sure it works with certbot here).
It might be possible, that you need a CN, which is not necessarily set by e.g. certbot (or a template that does not require a CN to be present)

siegy22 commented on September 27, 2024

Running into the same issue.
Windows Server 2022, ACME-ADCS 1.0.3-beta, Dotnet 6 LTS.

System.ArgumentException: CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)\r\n   at CERTCLILib.CCertRequestClass.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)\r\n   at TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer.IssueCertificate(String csr, CancellationToken cancellationToken) in E:\\Dev\\ACME-Server-ADCS\\src\\ACME.CertProvider.ADCS\\CertificateIssuer.cs:line 37","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"}

Tried it with cert-manager and acme.sh

When setting up I assume I'm doing the right thing by setting the user in the pool's identity option, right?

I tried manually signing the CSR using certreq -submit -attrib CertificateTemplate:Webserver as the same user that was set in the IIS identity field. That worked for me. 🤔

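Added example, not part of the original thread or of the ACME-ADCS project: the two traces quoted above carry different localized messages ("Paramètre incorrect" / "The parameter is incorrect") but the same HRESULT, so this Python sketch groups issuance failures from the JSON log by failing call and HRESULT rather than by message text, and counts lines it cannot parse. The sample log is constructed from the lines quoted in this thread (timestamps partly invented), and the function names are illustrative.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of the log lines quoted in this thread.
# The last record is cut off mid-line, as can happen when a log is copied or rotated.
SAMPLE_LOG = r'''
{"@t":"2023-10-19T07:02:59.1274635Z","@m":"Try to issue certificate for CSR: CSR HERE","@l":"Debug","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"}
{"@t":"2023-10-19T07:02:59.2202465Z","@m":"Exception has been raised during certificate issuance.","@l":"Error","@x":"System.ArgumentException: CCertRequest::Submit: Paramètre incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)\r\n at CERTCLILib.CCertRequestClass.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"}
{"@t":"2023-10-19T08:15:01.0000000Z","@m":"Exception has been raised during certificate issuance.","@l":"Error","@x":"System.ArgumentException: CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)\r\n   at CERTCLILib.CCertRequestClass.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"}
{"@t":"2023-10-19T08:15:02.0000000Z","@m":"Exception has been raised during certificate issuance.","@l":"Error","@x":"System.ArgumentException: CCertRequest::Submit
'''

# Locale-independent parts of the exception text: failing call, HRESULT, Win32 name.
FAILURE = re.compile(
    r"(?P<api>\w+::\w+): .*?(?P<hresult>0x[0-9A-Fa-f]{8}) \(WIN32: \d+ (?P<name>[A-Z_]+)\)"
)

def issuance_failures(log_text):
    """Return (failures, skipped): parsed Error events and the count of unparseable lines."""
    failures, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated record: count it instead of aborting the run
            continue
        if event.get("@l") != "Error" or "@x" not in event:
            continue
        m = FAILURE.search(event["@x"])
        failures.append({
            "time": event.get("@t"),
            "source": event.get("SourceContext"),
            "api": m["api"] if m else None,
            "hresult": m["hresult"].lower() if m else None,
            "win32": m["name"] if m else None,
        })
    return failures, skipped

def summarize(failures):
    """Count failures per (failing call, HRESULT, Win32 name)."""
    return Counter((f["api"], f["hresult"], f["win32"]) for f in failures)

if __name__ == "__main__":
    found, bad_lines = issuance_failures(SAMPLE_LOG)
    print(summarize(found), "unparseable lines:", bad_lines)
```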

glatzert commented on September 27, 2024

That seems fine - I added a line of logging to be sure the attributes for the request are properly set (V1.0.4)

siegy22 commented on September 27, 2024

After updating to 1.0.4 I now have the same behavior as described in: #14

(Also: yes also using acme.sh for testing purposes)

glatzert commented on September 27, 2024

siegy22 commented on September 27, 2024

I don't get it, why would that be needed? acme.sh is setting the cname in the CSR.
And also, it doesn't fix anything setting "AllowEmptyCN": to true/false.

Seyfle commented on September 27, 2024

Hello, after updating to 1.0.4, I get this error: "Detected TGIT.ACME.Protocol.Model.Exceptions.MalformedRequestException. Converting to BadRequest.". It happened when requesting the "/new-order" path. Does this have a link with the current issue?

Seyfle commented on September 27, 2024

Never mind, it was a dumb configuration error.....
The model name was invalid

Thanks for the help anyways.
Have a good day!

glatzert commented on September 27, 2024

Hi there, I'm happy I could help by doing nothing 😄
But very good, it's working for you again.
