autoacme's People

Contributors

avonwyss, dependabot-preview[bot], ridercz, rokx

autoacme's Issues

Requesting certificate...Renewal failed: One or more errors occurred

Hi,
the renewal has been failing for me for some time and I cannot find out why. Another thing is that if it fails, the host is removed from the config, so I need to re-add it.

The end of the output is this:

   Completing challenge...OK
    Waiting for authorization...OK
    Deleting challenge from C:\InetPub\wwwroot\AutoAcme\xxxxxxxxxxxxxx ...OK
  Processing certificate:
    Requesting certificate...Renewal failed: One or more errors occurred.
  Loading hosts expired at least 30 days ago...OK, 1 hosts to purge:
    Host XXXX.XXX.XXX expired 32 days ago (22. listopadu 2017)
      Deleting from database...OK
      Deleting files:
        Deleting file C:\CertStore\PFX\xxxx.xxx.xxx.pfx...OK
  Saving configuration to 'C:\AutoACME\autoacme.json'...OK

How can I enable some verbose mode to see more info?

Waiting for authorization.....Failed!

Hi,

I am having some problems with getting this certificate installed. We are trying to implement DirectAccess and so we need to install public SSL certificates to make this work. I have a public domain (da.voltechrebuilders.com) pointing to my corporate network public IP (A and AAAA records pointing to my IPv4 and IPv6 address respectively), which is then forwarded to the web server on my network. I can reach the IIS default site from the internet just fine. Since we are doing this to deploy DirectAccess we don't have an actual website and so I am doing all this with the default website.

Here is my attempt at getting a certificate (trying multiple times, always the same result):

C:\CertStore\AutoACME>autoacme addhost da.voltechrebuilders.com
Altairis AutoACME Manager version 1.5.4.0
Copyright (c) Michal A. Valasek - Altairis, 2017
www.autoacme.net | www.rider.cz | www.altairis.cz

Reading configuration from 'C:\CertStore\AutoACME\autoacme.json'...OK
Checking host...OK
Requesting cerificate for da.voltechrebuilders.com:
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_032d6b95-b1af-4eef-a88e-2abefdbd3bdd...OK
Testing HTTP challenge:
Preparing request to http://da.voltechrebuilders.com/.well-known/acme-challenge/probe_032d6b95-b1af-4eef-a88e-2abefdbd3bdd...OK
Getting response...OK
Reading response...OK
OK: Status code 200
OK: Content-Type header
OK: Expected response received
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_032d6b95-b1af-4eef-a88e-2abefdbd3bdd...OK
Getting authorization:
Creating authorization request...OK, the following is request URI:
https://acme-v01.api.letsencrypt.org/acme/authz/Wy7pKIOTpJiEm1ZaOEW6NX9c-8xTEz6okf6AAFacNAo
Getting challenge...OK, the following is challenge URI:
https://acme-v01.api.letsencrypt.org/acme/challenge/Wy7pKIOTpJiEm1ZaOEW6NX9c-8xTEz6okf6AAFacNAo/6292277342
Writing challenge to C:\InetPub\wwwroot\AutoAcme\KYJ5xdpeJMVC4-Vu6s_CNLlS6RmkUMMHaVb_WgguCjo...OK
Completing challenge...OK
Waiting for authorization.....Failed!
Last known status: invalid
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\KYJ5xdpeJMVC4-Vu6s_CNLlS6RmkUMMHaVb_WgguCjo...OK
Request failed: One or more errors occurred.
Failed!
Unable to get certificate for new host.

Can anyone help, I am at a loss!!!

Version 1.6 error loading System.Net.HTTP

Hi,

your release has a problem with System.Net.Http:
Could not load file or assembly 'System.Net.Http, Version=4.2.0.0

Full Msg:
Unbehandelte Ausnahme: System.IO.FileLoadException: Die Datei oder Assembly "System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" oder eine Abhängigkeit davon wurde nicht gefunden. Die gefundene Manifestdefinition der Assembly stimmt nicht mit dem Assemblyverweis überein. (Ausnahme von HRESULT: 0x80131040)
bei Altairis.AutoAcme.Core.AutoAcmeContext..ctor(Uri serverAddress)
bei Altairis.AutoAcme.Manager.Program.InitCfg(Boolean useDefaults, String cfgFileName, Boolean overwrite, Boolean verbose)
bei lambda_method(Closure , Object , Object[] )
bei NConsoler.Consolery.InvokeMethod(MethodInfo method)
bei NConsoler.Consolery.RunAction()
bei NConsoler.Consolery.Run(Type targetType, String[] args, IMessenger messenger, Notation notationType)
bei NConsoler.Consolery.Run()
bei Altairis.AutoAcme.Manager.Program.Main(String[] args)

1.5.4 still works great.

The remote name could not be resolved: 'acme-v02.api.letsencrypt.org'

Hello,

there is an issue with the remote name 'acme-v02.api.letsencrypt.org'. See the error message below:

Creating registration for '[email protected]' and accept TOS...
Unhandled Exception: System.AggregateException: One or more errors occurred. ---
> System.Net.Http.HttpRequestException: An error occurred while sending the requ
est. ---> System.Net.WebException: The remote name could not be resolved: 'acme-
v02.api.letsencrypt.org'
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at Certes.Acme.AcmeHttpClient.<Get>d__12`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at Certes.AcmeContext.<GetDirectory>d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at Certes.IAcmeContextExtensions.<GetResourceUri>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at Certes.Acme.AccountContext.<NewAccount>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at Certes.AcmeContext.<NewAccount>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAw
aiter.GetResult()
   at Altairis.AutoAcme.Core.AutoAcmeContext.<RegisterAndLoginAsync>d__21.MoveNe
xt()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceled
Exceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotifica
tion)
   at System.Threading.Tasks.Task`1.get_Result()
   at Altairis.AutoAcme.Core.AutoAcmeContext.RegisterAndLogin(String email)
   at Altairis.AutoAcme.Manager.Program.InitCfg(Boolean useDefaults, String cfgF
ileName, Boolean overwrite, Boolean verbose)
   at lambda_method(Closure , Object , Object[] )
   at NConsoler.Consolery.InvokeMethod(MethodInfo method)
   at NConsoler.Consolery.RunAction()
   at NConsoler.Consolery.Run(Type targetType, String[] args, IMessenger messeng
er, Notation notationType)
   at NConsoler.Consolery.Run()
   at Altairis.AutoAcme.Manager.Program.Main(String[] args)

Failed to setup

When following the instructions, I failed to set up with initcfg. Here is the error:

Checking current H:\CertStore\AutoACME\ChallengeFolder\web.config...OK
Saving H:\CertStore\AutoACME\ChallengeFolder\web.config...OK
Creating registration for '[email protected]' and accept TOS...OK

Unhandled Exception: System.AggregateException: One or more errors occurred. ---

System.NullReferenceException: Object reference not set to an instance of an o
bject.
at Altairis.AutoAcme.Core.AutoAcmeContext.d__21.MoveNe
xt()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceled
Exceptions)
at System.Threading.Tasks.Task1.GetResultCore(Boolean waitCompletionNotifica
tion)
at System.Threading.Tasks.Task1.get_Result()
at Altairis.AutoAcme.Core.AutoAcmeContext.RegisterAndLogin(String email)
at Altairis.AutoAcme.Manager.Program.InitCfg(Boolean useDefaults, String cfgF
ileName, Boolean overwrite, Boolean verbose)
at lambda_method(Closure , Object , Object[] )
at NConsoler.Consolery.InvokeMethod(MethodInfo method)
at NConsoler.Consolery.RunAction()
at NConsoler.Consolery.Run(Type targetType, String[] args, IMessenger messeng
er, Notation notationType)
at NConsoler.Consolery.Run()
at Altairis.AutoAcme.Manager.Program.Main(String[] args)

Error 404 when trying to open the acme challenge url

Hi,

Let's say I own a domain "site.eu". In my IIS there are (among others) two separate WebSites:

  • SiteEuWww (D:\WebSites\SiteEu\www)
  • SiteEuNoWww (D:\WebSites\SiteEu\nowww)

The www directory is the root directory of my website. The nowww directory contains only a Web.Config file managing 301 redirects from no-www to www (<httpRedirect enabled="true" destination="https://www.site.eu" httpResponseStatus="Permanent" />). The site already uses a paid SSL certificate and I want to switch to Let's encrypt now.

Bindings are set as follows:

When I try to request a new certificate file (autoacme addhost www.site.eu) for the first time, the attempt to open the URL http://www.site.eu/.well-known/acme-challenge/ ends up with an error 404. I think that the URL http://www.site.eu/.well-known/acme-challenge/ redirects to https://www.site.eu/.well-known/acme-challenge/ and then the error 404 occurs. I think the request does not go through the URL Rewrite module in IIS in this case.

Is there anything I can do to make it work in this scenario?

Unable to connect to the remote server

On a server where everything worked fine before, I am now getting errors:
Getting response...Failed
Unable to connect to the remote server

I inserted a test.txt in c:\InetPub\wwwroot\AutoAcme and can download it as http://localhost/AutoAcme/test.txt (locally) and as http:///.well-known/acme-challenge/test.txt (from other locations)
The same for the probe documents that appear when written in the C:\inetpub\wwwroot\AutoACME

My certificates are due to expire at the end of next week. I would appreciate any help to debug what's wrong.
Pieter

Obtaining an Elliptic Curve certificate from Let's Encrypt

Is there an option to obtain an EC certificate from LE with autoacme? All ciphers used by IIS with RSA certs (at least under Windows 2012 r2) are considered weak by Qualys SSL Labs. IIS does not use EC ciphers without EC certificates.
BTW there is an undocumented option "KeyAlgorithm": "RS256" in a config file, but I do not know if and how we could use it.

AutoACME v2 plans and discussion

The current (1.x) version of AutoACME uses the ACME v1 protocol. Let's Encrypt has now launched ACME v2 in production, and although there are no plans to retire v1 in the foreseeable future, I'm starting to work on AutoACME v2 as well. This issue is a point for discussion about design and features.

What will remain:

  • Use of CCS and URL rewriting
  • JSON configuration file as a hosts database
  • Fully automated operation after initial setup

What will change:

  • Switch to ACME v2 protocol
  • Support for certificates with multiple host names (SAN) to help overcome rate limiting
  • Support for certificate revocation
  • Very likely will rewrite it in .NET Core

The main feature, and also the main problem, is the SAN certs support. I avoided it in the current version for many good reasons. The rate limiting LE started to impose some time ago is a game changer, though. I'm not sure about how to approach it. There are two ways I'm thinking about right now.

The first is a fully manual approach. AutoACME would allow you to attach the alternative host names to a parent one and would not do any kind of automatic grouping.

The second is some kind of intelligence, i.e. AutoACME will try to group host names by domain (i.e. www.example.com, example.com and shop.example.com would be grouped together with the shortest variant as common name). It could also group multiple TLDs (example.com, example.net and example.cz), but it's unnecessary from the rate limiting standpoint (the most critical limit is the 20 certificates per domain limit) and also there are some ugly exceptions to be taken into consideration (ccTLDs that don't let you register a subdomain directly, but add an additional suffix, like example.co.uk).
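
The automatic grouping described in the post above, as an added C# example (not AutoACME code and not the author's design). The suffix set is a constructed subset of the Public Suffix List, and `SanGrouping`, `RegistrableDomain`, `Group` and `maxNamesPerCert` are hypothetical names; the default of 100 reflects Let's Encrypt's limit on names per certificate.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper, not part of AutoACME.
static class SanGrouping
{
    // Constructed subset of public suffixes for this example. A real tool would
    // load the full Public Suffix List (publicsuffix.org) so that names such as
    // example.co.uk and other.co.uk are never merged into one certificate.
    static readonly HashSet<string> PublicSuffixes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "com", "net", "cz", "uk", "co.uk" };

    static string Normalize(string host) => host.Trim().TrimEnd('.').ToLowerInvariant();

    // Returns the registrable domain (longest matching public suffix plus one
    // label), or null when the host is itself a suffix or the suffix is unknown.
    public static string RegistrableDomain(string host)
    {
        var labels = Normalize(host).Split('.');
        for (var i = 0; i < labels.Length; i++)
        {
            // i grows from 0, so the first hit is the longest matching suffix.
            if (PublicSuffixes.Contains(string.Join(".", labels.Skip(i))))
                return i == 0 ? null : string.Join(".", labels.Skip(i - 1));
        }
        return null;
    }

    // Groups host names into per-certificate name lists. The first entry of each
    // list is the shortest name and is meant to be used as the common name.
    public static List<List<string>> Group(IEnumerable<string> hosts, int maxNamesPerCert = 100)
    {
        var result = new List<List<string>>();
        var byDomain = hosts
            .Select(Normalize)
            .Distinct()
            // A host without a known suffix stays alone rather than being guessed at.
            .GroupBy(h => RegistrableDomain(h) ?? h)
            .OrderBy(g => g.Key, StringComparer.Ordinal);

        foreach (var g in byDomain)
        {
            var names = g.OrderBy(n => n.Length)
                         .ThenBy(n => n, StringComparer.Ordinal)
                         .ToList();
            // Split oversized groups so no certificate exceeds the name limit.
            for (var i = 0; i < names.Count; i += maxNamesPerCert)
                result.Add(names.Skip(i).Take(maxNamesPerCert).ToList());
        }
        return result;
    }

    static void Main()
    {
        // Constructed sample input using the host names from the post.
        var hosts = new[]
        {
            "www.example.com", "example.com", "shop.example.com",
            "example.net", "example.cz",
            "www.example.co.uk", "example.co.uk", "other.co.uk"
        };

        foreach (var cert in Group(hosts))
            Console.WriteLine("CN={0}; SAN={1}", cert[0], string.Join(", ", cert));
    }
}
```

Grouping only within one registrable domain keeps a failed validation for one customer's domain from blocking renewal of another's certificate.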

Revoke certificate

It would be awesome if there were an option to revoke certificates from the CLI.

It should operate like delhost, but run the certificate revocation before deleting the files.

Getting response...Failed!

c:\CertStore\AutoACME>aasync addhosts
Reading configuration from 'autoacme.json'...OK
Getting bindings from 'localhost'...OK, 1 bindings found
Finding new hosts to add...OK
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Adding new host www.mydomain.com:
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_74fcfabd-1f2f-4pdf-9f8f-0279e898c544...OK
Testing HTTP challenge:
Preparing request to http://www.mydomain.com/.well-known/acme-challenge/probe_74fcfabd-1f2f-4pdf-9f8f-0279e898c544...OK
Getting response...Failed!
The remote server returned an error: (404) Not Found.
Testing HTTPS challenge:
Preparing request to https://www.mydomain.com/.well-known/acme-challenge/probe_74fcfabd-1f2f-4pdf-9f8f-0279e898c544...OK
Getting response...Failed!
The underlying connection was closed: An unexpected error occurred on a send.
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_74fcfabd-1f2f-4pdf-9f8f-0279e898c544...OK
Request failed: One or more errors occurred.

Where is the problem?

Renewal of SSL certificate - Challenge Invalid (timeout during connect - likely firewall problem)

Hi,
We have been using LetsEncrypt/AutoACME on one of our Windows 2016 web servers for over a year and manually renewing every 90 days. The cert expired today and we ran the normal autoacme renew command, but received the error below.

Reading configuration from 'C:\CertStore\AutoACME\AutoACME-1.6.2\autoacme.json'...OK
Loading hosts expiring in 30 days...OK, 1 hosts to renew
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Host remote.waterheadacademy.co.uk expired 1 days ago (07 December 2021)
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
Testing HTTP challenge:
Preparing request to http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
Getting response...OK
Reading response...OK
OK: Status code 200
OK: Content-Type header
OK: Expected response received
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
Preparing order
Getting authorization:
Getting challenge...
OK, the following is DNS name:
remote.waterheadacademy.co.uk
Writing challenge to C:\InetPub\wwwroot\AutoAcme\YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs...OK
Completing challenge...Challenge Invalid: https://acme-v02.api.letsencrypt.org/acme/chall-v3/56406974780/xtN6Uw Fetching http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs: Timeout during connect (likely firewall problem)
Failed
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs...OK
Renewal failed!
Authorization failed with status False

Port 80 appears to be open as I can put test files into the .well-known directory and it appears fine in the browser.
I'm not sure what else to try or could there be an issue with the AutoAcme infrastructure at the moment...

Any help would be appreciated.

Thank you

Certificate renewal failure - Completing challenge...Challenge Invalid

I've been using AutoACME for over a year without a hitch on my Windows Server 2012 R2 server. In the last week, I just noticed my certificate wasn't successfully renewing.

When I run 'autoacme maintenance' I'm getting the following:

Altairis AutoACME Manager version 1.6.2.0
Copyright ¸ Michal A. Val sek - Altairis and contributors, 2017-2019
www.autoacme.net | www.rider.cz | www.altairis.cz

Reading configuration from 'C:\Scripts\CertStore\AutoACME\autoacme.json'...OK
Loading hosts expiring in 30 days...OK, 1 hosts to renew
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Host anthonyb.no-ip.biz expires in 19 days (Sunday, 25 August 2019)
  Testing authorization:
    Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_dc8e482f-4a21-485e-9687-3247228eebe8...OK
    Testing HTTP challenge:
      Preparing request to http://anthonyb.no-ip.biz/.well-known/acme-challenge/probe_dc8e482f-4a21-485e-9687-3247228eebe8...OK
      Getting response...OK
      Reading response...OK
        OK: Status code 200
        OK: Content-Type header
        OK: Expected response received
    Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_dc8e482f-4a21-485e-9687-3247228eebe8...OK
  Preparing order
  Getting authorization:
    Getting challenge...
      OK, the following is DNS name:
        anthonyb.no-ip.biz
        Writing challenge to C:\InetPub\wwwroot\AutoAcme\1qnCEm31-vSaOZUavBIggk7-eMWem3Vb9iTbtJyUSuE...OK
    Completing challenge...Challenge Invalid: https://acme-v02.api.letsencrypt.org/acme/challenge/1kh_4_oKzQpx5Xxk2h10hl5Nx7hevYHh_GEu09sqBF0/19176569488 Fetching http://anthonyb.no-ip.biz/.well-known/acme-challenge/1qnCEm31-vSaOZUavBIggk7-eMWem3Vb9iTbtJyUSuE: Timeout during connect (likely firewall problem)
    Failed
    Deleting challenge from C:\InetPub\wwwroot\AutoAcme\1qnCEm31-vSaOZUavBIggk7-eMWem3Vb9iTbtJyUSuE...OK
  Renewal failed!
  Authorization failed with status False
Loading hosts expired at least 30 days ago...OK, no hosts to purge

I'm not aware of any config change on my side in the last 1-2 months.
Any suggestions on what might be causing my issue?

Many thanks in advance!

Management UI error icon bug

Hi Michal,

Being a former ASP.NET MVP and an rMVP now, I appreciate the AutoACME project and the time you put on it. Thanks for sharing.

I realize you have the following note on the documents:

Please note known bug: The IIS Manager GUI would show error icons in list of PFX files in Centralized Certificate Store management. This is known issue affecting only the management UI, not functionality!

I, personally, don't mind a UI bug, but that screen gives very important information about certificates, which is when they will expire.

Are you aware of the root cause of the bug? Is there anything I can do to help you to fix it? A PR, research, debugging?

Cannot get certificate - probe test fails

I've just gone through the setup and the script is failing on the probe test on my system:

C:\Scripts\CertStore\AutoACME>autoacme addhost anthonyb.no-ip.biz
Altairis AutoACME Manager version 1.5.4.0
Copyright (c) Michal A. Valasek - Altairis, 2017
www.autoacme.net | www.rider.cz | www.altairis.cz

Reading configuration from 'C:\Scripts\CertStore\AutoACME\autoacme.json'...OK
Checking host...OK
Requesting cerificate for anthonyb.no-ip.biz:
  Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
  Testing authorization:
    Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_b0775ef5-9764-4a0c-a130-4eb8c1c2381e...OK
    Testing HTTP challenge:
      Preparing request to http://anthonyb.no-ip.biz/.well-known/acme-challenge/probe_b0775ef5-9764-4a0c-a130-4eb8c1c2381e...OK
      Getting response...Failed!
      The remote server returned an error: (404) Not Found.
    Testing HTTPS challenge:
      Preparing request to https://anthonyb.no-ip.biz/.well-known/acme-challenge/probe_b0775ef5-9764-4a0c-a130-4eb8c1c2381e...OK
      Getting response...Failed!
      Unable to connect to the remote server
    Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_b0775ef5-9764-4a0c-a130-4eb8c1c2381e...OK
  Request failed: One or more errors occurred.
  Failed!
  Unable to get certificate for new host.

I've dropped a configcheck text file in the C:\inetpub\wwwroot\AutoACME folder for testing.
If I browse directly to https://anthonyb.no-ip.biz/AutoACME/configcheck then the text file contents are shown, i.e. test works.
If I browse to https://anthonyb.no-ip.biz/.well-known/acme-challenge/configcheck then I get HTTP Error 404
I've also tried with and without the web.config file in the AutoACME folder as I've seen IIS sometimes throw HTTP 500s but it made no difference.

My system is Windows Server 2012 R2 / IIS 8.5 with all current public Windows Update patches installed.
The AutoACME.json file produced by the script config looks fine based on comparison to the docs.

Any thoughts on what I can check next to work out why this is failing on, what looks to be, the URL re-write?

Web.config error: duplicate ‘mimeMap’

To resolve the following IIS error:

Cannot add duplicate collection entry of type ‘mimeMap’ with unique key attribute ‘fileExtension’ set to ‘.’

I needed to add the following line to the generated web.config

<remove fileExtension="." />

Perhaps it's worth adding this by default?

<configuration>
  <system.webServer>
    <staticContent>
      <!--
        ACME server requires that the verification file is served either without
        Content-Type header or with "text/json". This setting ensures that.
      -->
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/json" />
    </staticContent>
  </system.webServer>
</configuration>

Great work by the way and thanks for the clear step by step instructions!

Full certificate chain in export

Hey!
I am using autoACME and we're very happy with it for IIS. We also have a mailserver (hMailserver to be precise) and I would also like to use the Let's Encrypt certificate for that.
Unfortunately the certificate is missing the full chain, which makes it much harder to use the certificates for other services.
Maybe it's enough to make AcmeContext.cs:98 configurable. In the end hMailserver requires the certificate as a textfile, not PFX but maybe it works.

Is this something which you might consider? Like a parameter e.g. fullchain=true?

Even if not, thanks a lot for this piece of software!
Best regards,
Boris

Remote Server Returned 404 Error Question

I am attempting to use AutoACME to get a certificate for a site (http://scratchpaste.com).

I have configured AutoACME using LE Production (for my first attempt) and LE Stage Server(s) for my second attempt.

Both attempts failed at the same step. Can you please look at the request below to see if there are any clues or any obvious steps I missed in configuring this?

Thanks!

`C:\CertStore\AutoACME>autoacme addhost scratchpaste.com
Altairis AutoACME Manager version 1.5.4.0
Copyright (c) Michal A. Valasek - Altairis, 2017
www.autoacme.net | www.rider.cz | www.altairis.cz

Reading configuration from 'C:\CertStore\AutoACME\autoacme.json'...OK
Checking host...OK
Requesting cerificate for scratchpaste.com:
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_6bc19e56-3f36-4183-ba33-c7e5693d6123...OK
Testing HTTP challenge:
Preparing request to http://scratchpaste.com/.well-known/acme-challenge/probe_6bc19e56-3f36-4183-ba33-c7e5693d6123...OK
Getting response...Failed!
The remote server returned an error: (404) Not Found.
Testing HTTPS challenge:
Preparing request to https://scratchpaste.com/.well-known/acme-challenge/probe_6bc19e56-3f36-4183-ba33-c7e5693d6123...OK
Getting response...Failed!
The underlying connection was closed: An unexpected error occurred on a send.
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_6bc19e56-3f36-4183-ba33-c7e5693d6123...OK
Request failed: One or more errors occurred.
Failed!
Unable to get certificate for new host.

C:\CertStore\AutoACME>`

urn:acme:error:malformed: Unable to update challenge :: provided key authorization was incorrect

Any ideas, what I am doing wrong?

C:\CertStore\AutoACME>autoacme addhost firm24.com.ua /verbose
Altairis AutoACME Manager version 1.5.4.0
Copyright (c) Michal A. Valasek - Altairis, 2017
www.autoacme.net | www.rider.cz | www.altairis.cz

Reading configuration from 'C:\CertStore\AutoACME\autoacme.json'...OK
Checking host...OK
Requesting cerificate for firm24.com.ua:
  Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017
.pdf...OK
  Testing authorization:
    Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_b4299cc5-3271-4ede-b6
02-2fb7a0fe4d91...OK
    Testing HTTP challenge:
      Preparing request to http://firm24.com.ua/.well-known/acme-challenge/probe
_b4299cc5-3271-4ede-b602-2fb7a0fe4d91...OK
      Getting response...OK
      Reading response...OK
        OK: Status code 200
        OK: Content-Type header
        OK: Expected response received
    Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_b4299cc5-3271-4ede
-b602-2fb7a0fe4d91...OK
  Getting authorization:
    Creating authorization request...OK, the following is request URI:
    https://acme-v01.api.letsencrypt.org/acme/authz/SzckWN9xnv71stH3FCzo4SUTNjgV
KT0lv2g1jadwx5I
    Getting challenge...OK, the following is challenge URI:
    https://acme-v01.api.letsencrypt.org/acme/challenge/SzckWN9xnv71stH3FCzo4SUT
NjgVKT0lv2g1jadwx5I/5387278631
    Writing challenge to C:\InetPub\wwwroot\AutoAcme\9p0CMVPAOZC47JXZYK_CyUN6K1H
orKdvVqgngoCgqXk...OK
    Completing challenge...Request failed: One or more errors occurred.


    System.AggregateException: One or more errors occurred. ---> System.Aggregat
eException: One or more errors occurred. ---> System.Exception: urn:acme:error:m
alformed: Unable to update challenge :: provided key authorization was incorrect
 (BadRequest)
   at Certes.AcmeClient.ThrowIfError[T](AcmeResponse`1 response)
   at Certes.AcmeClient.<CompleteChallenge>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Altairis.AutoAcme.Core.AcmeContext.<GetAuthorization>d__18.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceled
Exceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotifica
tion)
   at System.Threading.Tasks.Task`1.get_Result()
   at Altairis.AutoAcme.Core.AcmeContext.<GetCertificateAsync>d__14.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceled
Exceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotifica
tion)
   at System.Threading.Tasks.Task`1.get_Result()
   at Altairis.AutoAcme.Core.AcmeContext.GetCertificate(String hostName, String
pfxPassword, Action`2 challengeCallback, Action`1 cleanupCallback, Boolean skipT
est)
   at Altairis.AutoAcme.Manager.Program.AddHost(String hostName, Boolean skipTes
t, String cfgFileName, Boolean verbose)
---> (Inner Exception #0) System.AggregateException: One or more errors occurred
. ---> System.Exception: urn:acme:error:malformed: Unable to update challenge ::
 provided key authorization was incorrect (BadRequest)
   at Certes.AcmeClient.ThrowIfError[T](AcmeResponse`1 response)
   at Certes.AcmeClient.<CompleteChallenge>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Altairis.AutoAcme.Core.AcmeContext.<GetAuthorization>d__18.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceled
Exceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotifica
tion)
   at System.Threading.Tasks.Task`1.get_Result()
   at Altairis.AutoAcme.Core.AcmeContext.<GetCertificateAsync>d__14.MoveNext()
---> (Inner Exception #0) System.Exception: urn:acme:error:malformed: Unable to
update challenge :: provided key authorization was incorrect (BadRequest)
   at Certes.AcmeClient.ThrowIfError[T](AcmeResponse`1 response)
   at Certes.AcmeClient.<CompleteChallenge>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot
ification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Altairis.AutoAcme.Core.AcmeContext.<GetAuthorization>d__18.MoveNext()<---
<---

    Failed!
    Unable to get certificate for new host.

Add support for IDN

Domain names which have unsupported characters should be IDN-encoded before processing (Punycode). This would be consistent with the IDN support in IIS.

Error 404 when trying to open the acme challenge url II

Hi,

I have a Windows 2016 server running dozens of websites, many of them still using the .NET 2.0 framework. In some cases, the server side Url Redirecting (http(s)://www.site.eu/.well-known/acme-challenge/something ==> http://localhost/AutoACME/something) works just fine. But in other cases, the attempt to call a URL like http(s)://www.site.eu/.well-known/acme-challenge/something ends up with the error 404 Not Found. I was trying to investigate why and it looks like this part of the Web.Config file causes the problem:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
  </modules>
</system.webServer>

I need this to be set to true so URL addresses without any extension (e.g. http(s)://www.site.eu/product-name) can be handled by the .NET Framework (2.0). Internally, these websites use Global.asax and Application_BeginRequest to handle "non-existing" URLs.

Is there anything I can do to keep using <modules runAllManagedModulesForAllRequests="true"> and still be able to use the server side Url Redirecting and AutoACME?

Regards, Petr

Not working with some application

Hi !

I'm trying your solution, but the URL rewriting does not work with all applications.

With ProGet from Inedo the URL rewrite is processed successfully, but the application still returns 404.

Request failed when adding a new host

I have encountered a problem trying to add a new host to the server in which it seems to be getting stuck right at the end:

Requesting cerificate for example.com:
  Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
  Testing authorization:
    Writing challenge to C:\Websites\AutoACME\autoACME\probe_2426f445-ac5a-43bc-8418-8564eec9d001...OK
    Testing HTTP challenge:
      Preparing request to http://example.com/.well-known/acme-challenge/probe_2426f445-ac5a-43bc-8418-8564eec9d001...OK
      Getting response...OK
      Reading response...OK
        OK: Status code 200
        OK: Content-Type header
        OK: Expected response received
    Deleting challenge from C:\Websites\AutoACME\autoACME\probe_2426f445-ac5a-43bc-8418-8564eec9d001...OK
  Getting authorization:
    Creating authorization request...OK, the following is request URI:
    https://acme-v01.api.letsencrypt.org/acme/authz/qtW814qPGbfyWnSB5-S3A3xafPRX_JBkM57nzky7KW0
    Getting challenge...OK, the following is challenge URI:
    https://acme-v01.api.letsencrypt.org/acme/challenge/qtW814qPGbfyWnSB5-S3A3xafPRX_JBkM57nzky7KW0/7897219451
    Writing challenge to C:\Websites\AutoACME\autoACME\FY_TrYtokAhf1kfzasVpiSA6N1yd6yDyYrceGkqRGow...OK
    Completing challenge...OK
    Waiting for authorization...OK
    Deleting challenge from C:\Websites\AutoACME\autoACME\FY_TrYtokAhf1kfzasVpiSA6N1yd6yDyYrceGkqRGow...OK
  Processing certificate:
    Requesting certificate...Request failed: One or more errors occurred.
    Failed!
    Unable to get certificate for new host.

Everything seems to be working and when I go to http://example/com/.well-known/acme-challenge/ likewise http://localhost/.well-known/acme-challenge/ also works just fine on the server.

But it seems to be stuck at the point it is requesting the certificate, any ideas?

Waiting for authorization....Failed!

Hello,
Can we know the details of this error: "Waiting for authorization....Failed!"?
Below is the output I've run. Thanks !


Checking host...OK
Requesting cerificate for www.devcovery.com:
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_2444acea-4aba-4748-bb29-dd4513ebaa93...OK
Testing HTTP challenge:
Preparing request to http://www.devcovery.com/.well-known/acme-challenge/probe_2444acea-4aba-4748-bb29-dd4513ebaa93...OK
Getting response...OK
Reading response...OK
OK: Status code 200
OK: Content-Type header
OK: Expected response received
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_2444acea-4aba-4748-bb29-dd4513ebaa93...OK
Getting authorization:
Creating authorization request...OK, the following is request URI:
https://acme-v01.api.letsencrypt.org/acme/authz/mSXykXd5FYIp-2vLIgr5yzp6YYQv25Ox2Sx53faB1mU
Getting challenge...OK, the following is challenge URI:
https://acme-v01.api.letsencrypt.org/acme/challenge/mSXykXd5FYIp-2vLIgr5yzp6YYQv25Ox2Sx53faB1mU/8805082239
Writing challenge to C:\InetPub\wwwroot\AutoAcme\ValhBgOmhYL_EO1zyarO0-DGs80BZyRQ8zmIY3-hzX8...OK
Completing challenge...OK
Waiting for authorization....Failed!
Last known status: invalid
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\ValhBgOmhYL_EO1zyarO0-DGs80BZyRQ8zmIY3-hzX8...OK
Request failed: One or more errors occurred.
Failed!
Unable to get certificate for new host.

Waiting for authorization......Failed!

Getting bindings from 'localhost'...OK, 3 bindings found
Finding new hosts to add...OK
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Adding new host autoacme:
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_593f9cf5-fdeb-4c21-a79c-e74ba0bfb4b6...OK
Testing HTTP challenge:
Preparing request to http://autoacme/.well-known/acme-challenge/probe_593f9cf5-fdeb-4c21-a79c-e74ba0bfb4b6...OK
Getting response...Failed!
The remote name could not be resolved: 'autoacme'
Testing HTTPS challenge:
Preparing request to https://autoacme/.well-known/acme-challenge/probe_593f9cf5-fdeb-4c21-a79c-e74ba0bfb4b6...OK
Getting response...Failed!
The remote name could not be resolved: 'autoacme'
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_593f9cf5-fdeb-4c21-a79c-e74ba0bfb4b6...OK
Request failed: One or more errors occurred.
Adding new host www.site.eu:
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_7a750c76-a09c-473e-a8cb-4e4d19e923ee...OK
Testing HTTP challenge:
Preparing request to http://www.site.eu/.well-known/acme-challenge/probe_7a750c76-a09c-473e-a8cb-4e4d19e923ee...OK
Getting response...OK
Reading response...OK
OK: Status code 200
OK: Content-Type header
OK: Expected response received
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_7a750c76-a09c-473e-a8cb-4e4d19e923ee...OK
Getting authorization:
Creating authorization request...OK, the following is request URI:
https://acme-v01.api.letsencrypt.org/acme/authz/cK3BTWDh8oNBGPH70u0_6ljPyLcv389ekJwcv2tcoRQ
Getting challenge...OK, the following is challenge URI:
https://acme-v01.api.letsencrypt.org/acme/challenge/cK3BTWDh8oNBGPH70u0_6ljPyLcv389ekJwcv2tcoRQ/4075468712
Writing challenge to C:\InetPub\wwwroot\AutoAcme\q46NE3O0Wj9EuMvo71D2KhV1U_-dtcD43x6AjzWi94A...OK
Completing challenge...OK
Waiting for authorization......Failed!
Last known status: invalid
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\q46NE3O0Wj9EuMvo71D2KhV1U_-dtcD43x6AjzWi94A...OK
Request failed: One or more errors occurred.

Where is the problem?

DNS Challenge

My ISP blocks port 80, so it looks like I cannot use HTTP challenges at all.
Can the tool support DNS challenges?
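An added example (not AutoACME or Certes code) covering both this request and the "provided key authorization was incorrect" error earlier on the page: the key authorization is the token joined to the RFC 7638 thumbprint of the account key, the http-01 file must contain it verbatim, and dns-01 publishes its SHA-256 digest in a TXT record. The sample key, the token and the function names are constructed for the illustration.

```python
import base64
import hashlib
import json

# Constructed sample values: not a real account key or a real ACME token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-A", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token-0001"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    if jwk.get("kty") not in required:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    canonical = {name: jwk[name] for name in required[jwk["kty"]]}
    text = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(text.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Value the http-01 challenge file must contain: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01_body(body: str, token: str, account_jwk: dict) -> str:
    """Classify what a served challenge file contains."""
    served = body.strip()
    if served == key_authorization(token, account_jwk):
        return "match"
    if served.partition(".")[0] != token:
        return "wrong token"
    return "thumbprint mismatch"  # written with a different account key


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """dns-01 TXT record: name and base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)
```

Because the thumbprint binds the challenge to one account key, a challenge file or TXT value produced under a different account key fails validation even when the token is right.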

Save CRT and PEM certificates

Hello,
I was using your example in previous ACMEv1 with pleasure.
I need separate certificate and private key in CRT and PEM files for Unreal Media Server.
It worked fine with this code:
Dim pemFileName = Path.Combine(My.Settings.pemFolder, dr.Hostname & ".pem")
Using f = File.Create(pemFileName)
    acmeCert.Key.Save(f)
End Using
Dim cert = New Security.Cryptography.X509Certificates.X509Certificate2(acmeCert.Raw)
Dim crtFileName = Path.Combine(My.Settings.pemFolder, dr.Hostname & ".crt")
Using f = File.CreateText(crtFileName)
    f.WriteLine("-----BEGIN CERTIFICATE-----")
    f.WriteLine(Convert.ToBase64String(cert.GetRawCertData(), Base64FormattingOptions.InsertLineBreaks))
    f.WriteLine("-----END CERTIFICATE-----")
End Using

Now I upgraded the code for ACMEv2 and I am not able to export correct PEM and CRT files.
PFX for IIS is working well.

Would you be so kind to help me?
Thank you very much
Mirek

Upgrade instructions: ACMEv1 to ACMEv2?

Is there a recommended upgrade path? More specifically, going from an ACMEv1 version to 1.6.2.0 for ACMEv2, are changes needed to the json files to enable or force v2?

Cert removed, Update failed

I must say that your project is great and want to say thank you. But there is a problem with the maintenance algorithm.
A day ago I reached the cert limit per domain group (I moved a subdomain to another hosting and had problems with the new cert), but my main domain had a valid cert. It automatically does maintenance every day.
It deleted my valid cert (which could still work for 30 days as far as I remember) and failed to acquire a new cert. The limit is reset every 7 days and I had nothing to do but to buy a commercial cert.
Is it possible not to delete the cert (download the cert with a different name) and, if it fails, just do nothing instead of deleting the cert?
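A sketch of the behaviour asked for here, as an added example (not AutoACME's maintenance code): the new certificate is written under a temporary name and swapped in only after issuance succeeds, and a host is purged only once its certificate has been expired for the grace period. `request_certificate` is a hypothetical callable standing in for the ACME order, and the file layout is assumed.

```python
import os
import tempfile
from datetime import timedelta


def renew_keep_old(pfx_path, request_certificate):
    """Replace pfx_path only after a new certificate has been obtained.

    request_certificate is a hypothetical callable that returns the new PFX
    bytes or raises (rate limit, failed authorization, network error).
    Returns (replaced, message); on a failed request the old file is untouched.
    """
    try:
        new_pfx = request_certificate()
    except Exception as exc:
        return False, f"renewal failed, existing certificate kept: {exc}"
    if not new_pfx:
        return False, "renewal returned no data, existing certificate kept"
    directory = os.path.dirname(os.path.abspath(pfx_path))
    # On POSIX systems mkstemp creates the file readable by its owner only.
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(new_pfx)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp_path, pfx_path)  # swap within the same directory
    except OSError:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return True, "certificate replaced"


def may_purge(not_after, now, grace_days=30):
    """True only when the certificate expired at least grace_days ago."""
    return now - not_after >= timedelta(days=grace_days)
```

With this ordering a rate-limit response leaves the served certificate in place until it actually expires, so a failed maintenance run costs nothing.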
