[Feature] - Implement Auto renewal about certify HOT 15 CLOSED

Auto renewal is now available in the v2 alpha release. Note that if you redirect to https you must redirect the whole path so that http://domain.com/.well-known redirects to https://domain.com/.well-known for the Lets Encrypt service to follow the redirect.

from certify.

Closing. Now implemented and confirmed working.

from certify.

I just wanted add some feedback here and considerations.

I had to initially disable all rewrite rules to redirect to SSL in order for LE check the acme-challenge files. I had out of date certificates from StartCom.. booooo.. I know. But LE verification did not seem to like the expired certification, or being redirected to HTTPS :(

Just for consideration.. It would be nice to be able to set how many hours before expiration the new cert should be requested to avoid broken certs and LE failing to validate.

I always rewrite to HTTPS and WWW - Other people may not have this problem and allow non SSL access which is not a problem.

from certify.

Also, If a website no longer exists in IIS we shouldn't try and renew it and should instead flag it in the UI.

from certify.

Maybe have a look at https://github.com/Lone-Coder/letsencrypt-win-simple/blob/master/letsencrypt-win-simple/Program.cs#L983, can be used under apache 2.0 licence https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)

from certify.

@Barokai thanks, both projects actually use ACMESharp libraries to talk to letsencypt - Certify uses the powershell modules and le-win-simple uses the library directly, le-win-simple is indeed a very good choice for anyone happy to work at the command line.

from certify.

Is the idea that this would be a separate Windows Service application that will periodically check for expiration?

from certify.

Yes, the branch gui-revisions is a start on splitting out the relevant code, it also starts to add a command line. I'm undecided as yet as to whether this should just be a command line that gets called as a scheduled task or use a full windows service.

from certify.

If you only need to check certs for renewal once a day (or less frequently), then I'd say a scheduled task is the way to go. If you need to handle events at any time, then you want the Windows service.

from certify.

Any updates on this?

from certify.

It's a work in progress, we currently have a pressing issue where requests/renewals cause the app to crash on some machines but not others (it's doesn't crash for me at all). once that's resolved I can go back to the refactoring required to get this going properly.

The current plan is that when you first (successfully) request a certificate you will get to add it to the auto-renewal list. Different sites may have different techniques required for the renewal so we have to consider that. The auto-renewal will then be kicked off periodically (probably every day) as a single scheduled tasks. The auto-renewal itself is easy enough, the problem comes when the renewal fails and you have to tell somebody (otherwise the site will then fail when the cert expires), so I would like to get that covered from the outset.

from certify.

Thanks for the work on this! I'm really looking forward to it. Is it possible for us to run a alpha/beta build to test on our own servers?

from certify.

@Concept211 as Certify is still an alpha release the download on the website is the latest available code for testing, for info there is a new branch in the works for auto-renew and multi-domain certs https://github.com/webprofusion/certify/tree/san-and-auto-renew

from certify.

Thanks! So there's still no actual build available for the auto-renew branch?

from certify.

Looks awesome!

from certify.