win-acme/win-acme

Windows ACME Simple (WACS)

A simple ACME client for Windows - for use with Let's Encrypt

(Formerly known as letsencrypt-win-simple (LEWS))

Overview

Please check our website for an up-to-date overview, documentation and downloads.

Community support

If you run into trouble you can open an issue. First, please check whether your issue is already covered in the manual or reference. If you can't find a solution that way, describe the exact steps you are taking and provide as much relevant information as possible, preferably including logging.

Professional support / sponsorship

Is your business relying on this program to secure customer websites and perhaps even critical infrastructure? Then it may be good for your peace of mind to sponsor one of its core developers, gaining guaranteed future support and good karma at the same time. I offer my help quickly, discreetly and professionally via Patreon.

Donations

Do you like the program and want to buy me a beer and discuss the future of the program in private? My Patreon also has some simple "Thank you" tiers, or if you prefer to do a one-time donation you can use Paypal.

Issues

Quick list of the latest Issues we found

neilsleightholm-paxton

possible bug

Before you post

Make sure to search through the issue list to check if others have reported the same bug already. If you find an existing issue, make your voice heard there. Your case may provide valuable extra clues towards a solution and will increase its priority.

Describe the bug

When I add the Azure key vault plugin (plugin.store.keyvault.v2.1.19.1142.zip) I get the following error when running wacs (although it seems to run ok)

[EROR] Error loading type from Azure.Core, Version=1.14.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8
System.IO.FileNotFoundException: File name: 'System.Memory.Data, Version=1.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'
[EROR] Error loading type from Azure.Core, Version=1.14.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8
System.IO.FileNotFoundException: File name: 'System.Memory.Data, Version=1.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'
[VERB] Loaded validation plugin Azure from D:\PAXTON\win-acme\PKISharp.WACS.Plugins.ValidationPlugins.Azure.dll
[VERB] Loaded store plugin KeyVault from D:\PAXTON\win-acme\PKISharp.WACS.Plugins.StorePlugins.KeyVault.dll

To Reproduce

  1. Run with command line wacs --verbose and adding key vault plugin

Expected behavior

No error.

Log

Platform:

  • OS: Windows 10 and Windows Server 2019
  • Version: 2.1.19, 64-bit, pluggable

Additional context

AvrumFeldman

enhancement

When creating manual certificate, after choosing the types of certificates we are prompted with an option to run a script, the parameters options are listed here instead of the next menu where we are prompted for which parameters we want to pass to the script.

Current menu

While it is supposed to be like this

Please notice where I moved the parameters list.

johnschleicher

question

I've tried looking through the other posts and found references to my issue but I can't find a solution that works. I apologize if this has already been answered but I did look.

I started receiving an error that looks like a trust issue with the host site. I can use a browser and go to the https URL, but wacs can't seem to connect. I turned verbose on and I put the output below.

I've tried to start wacs as an admin and as a regular user. That didn't seem to matter.

I've been using win-acme for over a couple of years now with no issues. The auto-renew has been working great. I've downloaded the latest version but that didn't help either.

Any help would be appreciated!!!!

C:\letsencrypt\win-acme.v2.1.7>wacs --verbose
[VERB] Verbose mode logging enabled
[VERB] Looking for settings.json in C:\letsencrypt\win-acme.v2.1.7
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[VERB] Arguments: --verbose
[DBUG] Renewal period: 55 days

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.7.807 (RELEASE, PLUGGABLE)
[INFO] ACME server https://acme-v02.api.letsencrypt.org/
[VERB] SecurityProtocol setting: SystemDefault
[WARN] No luck yet, attempting to force TLS 1.2...
[EROR] Unable to connect to ACME server System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ThrowIfExceptional()
   at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.b__65_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
[INFO] IIS version 7.5
[INFO] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Test for international support: F¬PF¿Ç -Å-+-ï-¦ +ä+¦+¬

N: Create renewal (default settings)
M: Create renewal (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: N

[INFO] Running in mode: Interactive, Simple
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[DBUG] Scanning IIS sites
[DBUG] Scanning IIS site bindings for hosts

Please select which website(s) should be scanned for host names. You may input one or more site identifiers (comma separated) to filter by those sites, or alternatively leave the input empty to scan all websites.

11: ClassicSportsToday (2 bindings)
12: ClassicSportsToday_Redirect (1 binding)
5: CommunityHealthCollaboratives (1 binding)
7: InTheWordToday (5 bindings)
24: JohnTest (1 binding)
15: JS_Drakes (2 bindings)
18: JS_FirstShotAdmin (3 bindings)
21: JS_FirstShotBasketball (6 bindings)
17: JS_Johnathon (1 binding)
22: JS_JSJK Media (2 bindings)
23: JS_MTCA (6 bindings)
20: JS_Murfmadness (2 bindings)
16: JS_Schleicher.me (2 bindings)
14: JS_Tristan (3 bindings)
4: MyMsgBoard (2 bindings)
8: MyMsgBoard_Redirect (1 binding)
3: OldTimeSports (2 bindings)
6: OldTimeSports_Redirect (1 binding)
9: SmyrnaAdultSoftball (2 bindings)
10: SmyrnaAdultSoftball_Redirect (1 binding)
13: YouVidTube (1 binding)

Site identifier(s) or to choose all: 21

[VERB] 47 named bindings found in IIS
[DBUG] Filtering by site(s) [21]
[VERB] 6 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 6 matching bindings found

1: 1stshotbasketball.net (Site 21)
2: firstshotbasketball.net (Site 21)
3: firstshottn.org (Site 21)
4: www.1stshotbasketball.net (Site 21)
5: www.firstshotbasketball.net (Site 21)
6: www.firstshottn.org (Site 21)

You may either choose to include all listed bindings as host names in your certificate, or apply an additional filter. Different types of filters are available.

1: Pick specific bindings from the list
2: Pick bindings based on a search pattern
3: Pick all bindings

How do you want to pick the bindings?: 3

[VERB] 47 named bindings found in IIS
[DBUG] Filtering by site(s) [21]
[VERB] 6 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 6 matching bindings found

1: 1stshotbasketball.net
2: firstshotbasketball.net
3: firstshottn.org
4: www.1stshotbasketball.net
5: www.firstshotbasketball.net
6: www.firstshottn.org

Please pick the main host, which will be presented as the subject of the certificate: 3

[VERB] 47 named bindings found in IIS
[DBUG] Filtering by site(s) [21]
[VERB] 6 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 6 matching bindings found

1: 1stshotbasketball.net (Site 21)
2: firstshotbasketball.net (Site 21)
3: firstshottn.org (Site 21)
4: www.1stshotbasketball.net (Site 21)
5: www.firstshotbasketball.net (Site 21)
6: www.firstshottn.org (Site 21)

Continue with this selection? (y*/n) - yes

[DBUG] Scanning IIS site bindings for hosts
[VERB] 47 named bindings found in IIS
[DBUG] Filtering by site(s) [21]
[VERB] 6 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 6 matching bindings found
[DBUG] Scanning IIS sites
[INFO] Target generated using plugin IIS: firstshottn.org and 5 alternatives
[DBUG] Scanning IIS site bindings for hosts
[VERB] 47 named bindings found in IIS
[DBUG] Filtering by site(s) [21]
[VERB] 6 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 6 matching bindings found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] JS_FirstShotBasketball, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["www.1stshotbasketball.net", "1stshotbasketball.net", "www.firstshotbasketball.net", "firstshotbasketball.net", "www.firstshottn.org", "firstshottn.org"]
[VERB] Loading ACME account signer...
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/
[EROR] (AuthenticationException): The remote certificate is invalid according to the validation procedure.
[DBUG] Exception details: AuthenticationException {TargetSite=Void Throw(), StackTrace=" at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)\r\n at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Net.Security.SslStream.ThrowIfExceptional()\r\n at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)\r\n at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)\r\n at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)\r\n at System.Net.Security.SslStream.<>c.b__65_1(IAsyncResult iar)\r\n at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)", Message="The remote certificate is invalid according to the validation procedure.", Data=[], InnerException=null, HelpLink=null, Source="System.Private.CoreLib", HResult=-2146233087}
[EROR] Wrapped in HttpRequestException: The SSL connection could not be established, see inner exception.
[VERB] Exiting with status code -2146233087

C:\letsencrypt\win-acme.v2.1.7>date
The current date is: Thu 10/07/2021
Enter the new date: (mm-dd-yy)

C:\letsencrypt\win-acme.v2.1.7>time
The current time is: 15:21:46.32
Enter the new time:

chrkuznos1

question

I want to use win-acme in order to have certs signed by zerossl instead of letsencrypt which is the default.

I read https://github.com/win-acme/win-acme/issues/1648, which mentions the config, but I see 3 lines here; what shall I enter in the following fields?

"Acme": {
  "DefaultBaseUri": "?????",
  "DefaultBaseUriTest": "?????",
  "DefaultBaseUriImport": "????",
  "PostAsGet": true,
  "RetryCount": 15,
  "RetryInterval": 5,
  "PreferredIssuer": null

thank you in advance

StuHare

possible bug

Hi

After the expiry of the cross-signed Let's Encrypt ISRG Root cert last week, it looks like we are unable to get the win-acme agent to connect to the API. The connection is failing after trying to force TLS 1.2, and the event viewer shows chain issues.

Initial connection failed, retrying with TLS 1.2 forced System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid

The site certificates that have been generated via win-acme appear to be fine with the correct self-signed ISRG Root X1 certs, but the win-acme agent itself is having issues.

Is this is a known issue and are there any steps to resolve?

Thanks

The00Dustin

enhancement

Describe the solution you'd like

It would be convenient to be able to add/remove scripts via the "E: Edit renewals" menu. This would allow for configuration of multiple scripts on a certificate that requires options only available via the CLI. It could also allow a script to be removed or replaced without force renewing the certificate and potentially triggering rate-limit issues.

Describe alternatives you've considered

My use case doesn't require multiple scripts, so I can just re-run the CLI command with a new script to replace the old one, but under less-than-ideal circumstances, this could run the risk of triggering a rate-limit.

Additional context

See https://github.com/win-acme/win-acme/issues/1757#issuecomment-931652462

Also, regarding rate-limit discussion, I nearly hit rate limits recently due to needing to renew multiple times between root CA changes, version upgrades, and a certificate that was supposed to be exportable but wasn't. Those things all at once are less-than-ideal by themselves, but if I had also typo-ed the script name or wanted to remove it temporarily and re-add it shortly thereafter, I would have hit the limit for sure. That having been said, I was not using --force, so maybe the renewal triggered when I changed the script using the CLI was a bug.

DanDotN3t

We have a number of Windows Servers from 2012 > 2019 all running win-acme. As of yesterday the DST Root CA X3 certificate expired, which is causing issues with our <7.1.1 Android devices.

For a number of our servers we have to support the R3 > ISRG Root X1 > DST Root CA X3 chain for the above reasons.

To get IIS to serve this chain over the newer R3 > ISRG Root X1 chain we had to move the newer chain to Untrusted.

This results in the server issuing the correct cross-signed chain however the server can now no longer authenticate with https://acme-v02.api.lets... because it cannot validate the LE cert for this endpoint!

Is there any way around this?

The00Dustin

question

I run a standalone Exchange 2019 server (single server, no 365) and recently started having a strange issue that I suspect may recur in 30-90 days. I'm not confident in exactly what was wrong or exactly what fixed it, so I wanted to drop some details here while they were fresh in my mind. In searching, I found issues 1372 and 1754 which don't appear to be related. I don't believe 1372 was involved because I was running Win-Acme 2.1.16, and I don't believe 1754 is related because the issue was client side.

Yesterday evening, I had someone reach out because the OWA page was returning an invalid certificate warning. I knew it was around certificate renewal time, so I didn't look at the certificate and had them "accept the risk" instead. Then I did some testing. I was able to confirm that Outlook seemed to be working on desktops and mobile devices. Strangely, I was not getting the certificate error on the same OS and browser version on another machine. A bit later, I got a call from someone who was having a certificate warning on their mobile device, but it was the Apple mail app popping up the warning (as opposed to Outlook). At this point, I checked the output of Get-ExchangeCertificates and the certificates in the store to see only the good certificate (which was showing as already valid at that time). Things only got stranger from there, but the devices and applications that indicated certificate issues did so consistently. Here is an example of how inconsistent the results were:

Win10 2016 LTSB PC1: IE showed certificate warning
Win10 2016 LTSB PC2: IE showed valid certificate
iOS 14 Device: Apple Mail showed certificate warning, Safari showed certificate warning
iOS 15 Device 1: Apple Mail showed certificate warning, Safari showed certificate warning
iOS 15 Device 2: Apple Mail did not show certificate warning, Safari showed certificate warning

I tried restarting IIS and did not notice any changes in behavior. After doing that, I looked at the warning and certificate on "PC1" and noticed that while the warning said "not yet valid or expired" the certificate shown when I hit view details was actually the same valid certificate I saw on the server. I found similar behavior on iOS 15 device 1, Safari said the certificate had expired, and when I hit view (certificate or details, whichever it would show), I was presented with "Not Trusted" and "Expired 9/29/21, 3:21:40 PM" but when I hit "More Details" the details showed "Not Valid Before 9/28/21, 9:17:57 AM" which makes it valid prior to the alleged expiration time, and it was also "Not Valid After 12/27/21, 8:17:56 AM" which is well in the future. At this point, I started doing some research and also rebooted the Exchange server just in case it would make a difference. Well, the research turned up this: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ As luck would have it, the expiration of that root certificate occurred between the time when I looked at the devices above before reboot and when I looked at them again after reboot. In theory, I would think the root certificate would have been superseded by another root certificate that was valid prior to expiration, so that shouldn't be relevant, but I can't come up with a better explanation than the root certificate not being valid yet based on what I was seeing there. Unfortunately, the reboot muddied the waters, because if something needed restarted, that would have taken care of it. On the other hand, the scheduled task was created by Win-Acme on 4/15, so if this was due to the expiration of the original certificate, I believe it should have happened in July, unless perhaps prior reboots have been luckily timed and the root certificate expiration is just a coincidence.

As if all that weren't enough, it gets stranger. While composing this, I connected to OWA to check the certificate information so I could include it in my conversation re: PC1, and the certificate details show "Not Valid Before Thursday, September 30, 2021 at 9:35:11 AM" which is today. This is definitely NOT what the certificate was showing yesterday (or even earlier this morning), but obviously renewals shouldn't be occurring days apart, either. So, this makes the logical question "is there more than one certificate?" Alas, the output of wacs.exe includes this: "A: Manage renewals (1 total)" so that possibility doesn't explain it, either.

My current action plan is to come back to this issue (and presumably re-open it) in 30-90 days if some sort of behavior recurs. I also intend to check and see what certificate I'm seeing in the store vs browsers after the next renewal in hopes of catching this before it impacts service again, but it seems remotely plausible that the issue won't occur again for 4 years due to the new root certificate. Finally, I'm happy to collect any relevant information if requested, and FWIW, I also upgraded to 2.1.18 yesterday just in case it would make a difference, but the scripts appeared identical, so I'm not sure why it would have (unless the version change triggered an additional certificate update and that is what really solved things).

peter0530

possible bug

To Reproduce

  1. Run with command line
  2. Pick menu options N, 8, Enter, Enter
  3. See error

Log

2021-09-30 23:13:29.281 +08:00 [INF] No command line arguments provided
2021-09-30 23:13:29.379 +08:00 [INF] Software version 2.1.18.1119 (release, trimmed, standalone, 64-bit) started
2021-09-30 23:13:29.381 +08:00 [INF] Connecting to "https://acme-v02.api.letsencrypt.org/"...
2021-09-30 23:13:30.225 +08:00 [WRN] Scheduled task not configured yet
2021-09-30 23:13:30.225 +08:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2021-09-30 23:13:37.757 +08:00 [INF] No command line arguments provided
2021-09-30 23:13:37.856 +08:00 [INF] Software version 2.1.18.1119 (release, trimmed, standalone, 64-bit) started
2021-09-30 23:13:37.857 +08:00 [INF] Connecting to "https://acme-v02.api.letsencrypt.org/"...
2021-09-30 23:13:38.712 +08:00 [WRN] Scheduled task not configured yet
2021-09-30 23:13:38.713 +08:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2021-09-30 23:13:41.043 +08:00 [INF] Running in mode: "Interactive, Simple"
2021-09-30 23:13:59.586 +08:00 [INF] Source generated using plugin IIS: phone.XXXX.com
2021-09-30 23:14:23.757 +08:00 [INF] [phone.XXXX.com] Authorizing...
2021-09-30 23:14:23.758 +08:00 [INF] [phone.XXXX.com] Authorizing using http-01 validation (SelfHosting)
2021-09-30 23:14:29.318 +08:00 [INF] [phone.XXXX.com] Authorization result: valid
2021-09-30 23:14:37.131 +08:00 [INF] Requesting certificate [IIS] WebPhone, (any host)
2021-09-30 23:14:37.784 +08:00 [INF] Store with CertificateStore...
2021-09-30 23:14:37.811 +08:00 [INF] Installing certificate in the certificate store
2021-09-30 23:14:37.815 +08:00 [INF] Adding certificate [IIS] WebPhone, (any host) @ 2021/9/30 23:14:29 to store WebHosting
2021-09-30 23:14:37.825 +08:00 [ERR] Error saving certificate
2021-09-30 23:14:37.831 +08:00 [ERR] (WindowsCryptographicException) Unable to store certificate: 拒绝访问。

Platform:

  • OS: Windows Server 2012R2 CN
  • Version: v2.1.18.1119 (x64, Release)

mlonguet

possible bug

Hello everyone,

As I need the options eab-key-identifier and eab-key, I am using command line to issue a certificate:

./wacs.exe --verbose --eab-key-identifier --eab-key --target manual --host --emailaddress

Here is the error I am facing on the Windows client side:

[DBUG] Send POST request to #404
[VERB] Request completed with status NotFound
[EROR] Failed to create order: Unexpected response status code [NotFound] for [CreateOrderAsync]
[EROR] Create certificate failed: Unable to create order
[VERB] Exiting with status code -1

Here is the error I am facing on the PKI server side:

HTTP 400
Link: ;rel="index"
Content-Type: application/problem+json
Content-Length: 92
Date: Tue, 21 Sep 2021 09:20:44 GMT
Connection: close

{"type":"urn:ietf:params:acme:error:invalidContact","detail":"Must supply account contacts"}

Then, it seems that the contact option, which can be added using the menu, is missing as a possibility for the command line, while the contact option does not exist. I thought at first that the emailaddress parameter would fulfil this purpose, but if I understand well, it only affects the ACME workflow when the certificate is requested and not in the account creation step.

The tests were done using the menu (and without eab info) and it was working. But for security reasons, I have to add these eab options, so I have to use the command line.

Thanks for your help

Pistacchio00

Here are the logs of the certificate renewal attempt

C:\win-acme>wacs.exe --renew --force --verbose
[VERB] Verbose mode logging enabled
[VERB] ExePath: C:\win-acme\wacs.exe
[VERB] ResourcePath: C:\win-acme
[VERB] PluginPath: C:\win-acme
[VERB] Looking for settings.json in C:\win-acme
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[DBUG] secrets.json not found
[VERB] Arguments: --renew --force --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.18.1119 (release, pluggable, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[DBUG] IIS version 10.0
[DBUG] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
[VERB] Checking renewals

[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[VERB] Targeted convert into 1 order(s)
[INFO] Force renewing certificate for [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["DnsName: prod.domain.com"]
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to #404
[VERB] Request completed with status Created
[VERB] Order #404 created
[DBUG] Send POST request to #404
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [prod.domain.com] Authorizing...
[VERB] [prod.domain.com] Initial authorization status: pending
[VERB] [prod.domain.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [prod.domain.com] Initial challenge status: pending
[INFO] [prod.domain.com] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [prod.domain.com] Submitting challenge answer
[DBUG] Send POST request to #404
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to #404
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST request to #404
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST request to #404
[VERB] Request completed with status OK
[EROR] [prod.domain.com] Authorization result: invalid
[EROR] [prod.domain.com] { "type": "urn:ietf:params:acme:error:connection", "detail": "Fetching #404: Timeout during connect (likely firewall problem)", "status": 400 }
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[EROR] Renewal for [IIS] Default Web Site, (any host) failed, will retry on next run
[VERB] Exiting with status code -1

The URL

#404

can be reached from the internet. I tried creating a file in the folder "/.well-known/acme-challenge" without an extension, such as "YyEqLTY678IbIe5sLHSn1pg2nM_KJwBRtwxDXwk4daQ", with a sample text inside, and publicly I can reach it and see the text in the browser. Unfortunately I continue to have errors in the certificate renewal; I have neither DNS records nor network inauguration in IPv6.

The web server is an IIS on Windows server 2019.

I thank you for the time you dedicate to me. Hello

VladDerptastic

question

I'm struggling to find a way to change the expiration notification email in a way that would not result in bringing down all currently connected services (by revoking all certs, renewals, config folders, etc.).

Back in issue #791 this is described as the way to go, but that's in 2018. Is that still the only way to achieve this? In the Let's Encrypt docs they mention that it's possible by using certbot update_account --email

While win-acme doesn't allow direct interaction with certbot, a look through its --help shows that there is a --emailaddress flag. However, when running wacs.exe update_account --emailaddress the only thing that happens is for the wacs.exe client to run normally and prompt me with the options menu.

Am I missing something or doing something wrong here? Or is it still an unsupported feature?

docontrol

enhancement
2 comments

rwoeke

1 comment

Hello

getting this error when trying to update. Running as administrator. Any suggestions?

dotnet tool update win-acme --global
Tool 'win-acme' failed to update due to the following:
Failed to uninstall tool package 'win-acme': Access to the path 'C:\Users\Administrator\.dotnet\tools\.store\win-acme\2.1.16.1037' is denied.

nathanajci

enhancement
23 comments

Not sure what happened, or how to reproduce, all we can see is the log shows an error for GetDirectoryAsync.

We're running your tool on 5 different RDS servers, and all have been running fine for almost a year until recently. One of the servers failed to renew its cert at the beginning of this month. We haven't made any changes to the script or the RDS set up on this server or any of the others; and the rest are working just fine, but this one decided to stop working. I've looked at the scheduled task settings and all servers seem to be set exactly the same. I ran the scheduled task on the failed server manually and it seems to have worked, but I'm not sure why or what happened that caused the problem.

All servers are Windows Server 2019 Standard VMs, and all of the servers renew through the win-acme renew scheduled task that runs the ImportRDS script. All servers are running win-acme.v2.1.6.773.x64

I've attached logs for the failed task, as well as the previous days that ran without issue. log-20210404.txt log-20210403.txt

luigirosa

enhancement
1 comment

Describe the bug
win-acme does not find an FTP site to issue the first certificate

To Reproduce

  1. Setup IIS with a single name-based ftp site
  2. Run win-acme
  3. Select N to issue a new cert
  4. This error message is displayed: «No applicable IIS sites were found. No sites with host bindings have been configured in IIS. Add one in the IIS Manager or choose the plugin 'Manual input' instead. Target plugin IIS aborted or failed»

Expected behavior
It should find the FTP site

Log
No log found, this is the console output:

Please choose from the menu: N

Running in mode: Interactive, Simple
No applicable IIS sites were found. No sites with host bindings have been configured in IIS. Add one in the IIS Manager or choose the plugin 'Manual input' instead. Target plugin IIS aborted or failed

Platform:

  • OS: Windows 2016 Standard, English version 1607 build 14393.4225
  • Version: 2.1.14.996 x64 pluggable

mintylamb

documentation
7 comments

I've had issues on the last couple of scheduled renewals where outbound email flow stopped from our Hybrid Exchange 2016 server used mainly to manage our Office 365 setup, but also configured as an internal SMTP relay to allow scoped unauthenticated sending from multi-function printers as described in the Microsoft Support article. We have to use this method due to enforced MFA authentication on Office 365.

First I have checked for Win-ACME updates as I had 2.1.8.847 installed, but didn't see anything in the release notes for newer versions to indicate this issue. I have subsequently updated my win-acme to the latest 2.1.14.996.

I've started troubleshooting and confirmed that the certificate is correctly generated and imported by the ImportExchange.ps1 script and bound to IIS, SMTP and IMAP as recommended in your manual. I could not see any other -services options for the command that would update the required information. I finally came across this article https://www.pei.com/exchange-mailflow-send-connector/ which describes exactly the issue that I'm seeing with the Send Connector configured to allow relaying emails from our internal infrastructure to mailboxes in Office 365 using the certificate for TLS.

Another article indicates that the MSExchangeTransport service also needs to be restarted and similar checks and changes are needed on the default receive connector.

Would it be possible (or even desirable) for win-acme to check the Exchange Send and Receive Connectors matching the FQDN of the certificate and update them, or should this be considered as a separate task for admins to create a scheduled task to update this? I think the PowerShell code in your script should be able to identify any send connectors using

$SendConnector = Get-SendConnector | where {$Certificate.subject -like 'CN='+$_.fqdn}

if the returned value is not null then it can be updated using code adapted from the article I linked:

$TLSCertificate = ('<I>'+$Certificate.issuer+'<S>'+$Certificate.subject)
Set-SendConnector -Identity $SendConnector.Identity -TLSCertificateName $TLSCertificate

I shall see if I can find time to do some modification of a copy of the ImportExchange script and further testing, as all looks to be possible with an amended or additional powershell script.

I'd welcome your thoughts.
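The connector update sketched in the post above, written out as an added example (it is not part of the original issue or of win-acme's ImportExchange.ps1). It assumes it runs inside the Exchange Management Shell and that the renewal passes the new certificate's thumbprint as the script's first argument, as the manual describes for ImportExchange.ps1; the use of the Cert: provider's DnsNameList property is an assumption about Windows PowerShell 5.1.

```powershell
# Added example, not win-acme's own code. Matches every Exchange send and receive
# connector whose FQDN is covered by the renewed certificate and points it at that
# certificate, then restarts the transport service as the post recommends.
param(
    [Parameter(Mandatory = $true)]
    [string]$NewCertThumbprint   # supplied by the renewal, like ImportExchange.ps1 expects
)

# $true when one of the DNS names the certificate covers matches the connector FQDN.
# A wildcard such as *.example.com covers exactly one extra label: mail.example.com
# matches, a.b.example.com does not.
function Test-CertificateCoversName {
    param([string[]]$CoveredNames, [string]$Fqdn)
    foreach ($name in $CoveredNames) {
        if ($name -ieq $Fqdn) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)    # ".example.com"
            if ($Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $NewCertThumbprint } |
    Select-Object -First 1
if (-not $Certificate) {
    throw "Certificate $NewCertThumbprint not found in LocalMachine\My"
}

# Exchange identifies a connector certificate as "<I>issuer<S>subject".
$TlsCertificateName = '<I>' + $Certificate.Issuer + '<S>' + $Certificate.Subject

# Names the certificate covers: the SAN list (DnsNameList, assumed to be exposed by
# the Cert: provider), falling back to the subject CN for certificates without SANs.
$CoveredNames = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
if ($CoveredNames.Count -eq 0 -and $Certificate.Subject -match 'CN=([^,]+)') {
    $CoveredNames = @($Matches[1])
}

foreach ($Connector in Get-SendConnector) {
    $fqdn = [string]$Connector.Fqdn
    if ($fqdn -and (Test-CertificateCoversName $CoveredNames $fqdn)) {
        Write-Host "Updating send connector $($Connector.Identity) ($fqdn)"
        Set-SendConnector -Identity $Connector.Identity -TlsCertificateName $TlsCertificateName
    }
}
foreach ($Connector in Get-ReceiveConnector) {
    $fqdn = [string]$Connector.Fqdn
    if ($fqdn -and (Test-CertificateCoversName $CoveredNames $fqdn)) {
        Write-Host "Updating receive connector $($Connector.Identity) ($fqdn)"
        Set-ReceiveConnector -Identity $Connector.Identity -TlsCertificateName $TlsCertificateName
    }
}

# The transport service only picks up the new connector certificate after a restart.
Restart-Service MSExchangeTransport
```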

adipose

documentation
7 comments

I have been trying to understand if win-acme has a post-hook script option, like certbot. This script would only run after a successful renewal.

It seems like such an obvious feature to support, but after reading comments about the --script, I've come to understand that it doesn't apply to renewals. One comment was made about "too many options" in reference to this. I don't understand how a single option to run a script would be a big deal.

--postrenewscript

If this is not possible, what is currently the recommended method of restarting apache on windows after a successful renewal?

zachol72

enhancement
3 comments

Perhaps a stupid question, but I can't find the answer...

When a renewal can't be completed, for example if a site/domain/binding is permanently removed from the server, for how long will WACS retry before the renewal is automatically removed (will it?) completely?

ThomasCr

enhancement
4 comments

Pls add a way to run scripts before a renewal is started - so it would be possible to open port 80 on the firewall or other useful things.

JT-Moore

enhancement
5 comments

I'm getting an unspecified error working with Exchange 2010 when Enable-ExchangeCertificate is called in ImportExchange.ps1.

According to information from Microsoft this is happening because loading the Exchange PowerShell snapin directly is not supported.

Instead, they require it to be loaded using the following method (with the important part in lines 4-5) which should work with newer versions of Exchange as well:

Doing it that way works for me and if you do that, then you can remove the following code that loads the snapin directly:

and this part won't be needed either:

moaeddy

enhancement
5 comments

I was wondering if it is possible that you guys have a way to support .onion domains? I mean, like issuing certs for .onion domains like you support other domains.

Versions

Quick list of the latest released versions

v2.1.19.1142 - Oct 03, 2021

Bug fixes

  • #1942 - @luidigo reported a crash issue at startup on a clean install, thanks for that!
  • #1934 - @tsimmons reported a crash issue at startup on Windows Server 2008 R2. There is no official support for that OS anymore, neither from Microsoft nor from win-acme, but it was an easy fix in this case.

v2.1.19.1138 - Sep 24, 2021

Enhancements

  • #1917 - It's now possible to globally configure your desired Powershell runtime, enabling you to use Powershell Core. The setting is under ScriptSettings.PowershellExecutablePath and defaults to the old powershell.exe, but you could for example use "C:\Program Files\PowerShell\7\pwsh.exe" instead. Note that this applies to all scripts, including previously configured ones, so make sure to test all of them. Requested by @MarcoEnxuto.
  • #1896 - The --setuptaskscheduler switch is now also valid for use during the creation of a new renewal, forcing the recreation of an existing scheduled task. Requested by @remyblok.
  • During DNS validation of wildcard domains, show the wildcard in the logs. This doesn't impact functionality, but just makes it more clear whether you're looking at the validation for *.example.com or example.com in the same renewal.
  • #1886 - Add a new setting called RenewalMinimumValidDays that works in conjunction with the RenewalDays setting. This ensures that certificates are renewed when they are about to expire, even if they are not yet due according to the RenewalDays setting. Its main purpose is to not get caught off-guard when the server issues certificates with a lifetime shorter than the RenewalDays setting. Default is 7 days. Based on feedback from @CvW.
  • Cache logic was refactored, so that it now prevents the client from creating orders and running validation unless it's determined to be actually necessary. This improves performance and helps to prevent people from running into rate limits.

Bug fixes

  • #1872 - The Cloudflare validation plugin would fail if the hosted DNS zone is not the root zone, reported by @cartierinfo.
  • #1843 - The logic to pick between alternative certificate chains was broken for chains longer than two certificates, which happens to be relevant for what Let's Encrypt are doing with their ISRG X1 chain. This will allow the PreferredIssuer setting to work properly for that scenario.
  • #1887 - Use TTL zero for the GoDaddy plugin to prevent cached results from being served. Thanks @vdenisov for the report.
  • Old certificates were not removed from the store if host names were added or removed during the renewal.
  • The program could crash on servers that contained registry keys indicating the presence of IIS, yet not actually having IIS installed.

Sponsors

This release was funded by

One gold sponsor:

  • Insurance Technology Services eGov Strategies

Two silver sponsors:

  • Insurance Technology Services
  • Enzure

And four bronze sponsors:

  • e-shop LTD
  • The Proof Group @proofgroup
  • imagenia.fr
  • Certify the web

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

v2.1.18 - Jul 03, 2021

New features

  • #1801 - Basic support for RFC8738, an extension to ACME that allows servers to issue certificates for IP addresses. They can be input through the Manual and CSR source plugins and validated using tls-alpn or any http method. Installation support for IIS is limited: renewals for ip-only bindings will work after setting up manually for the first time, but the program will not create them automatically yet. Note that this feature can only be used if the ACME service also supports it. So far none of the popular ones do. Brought to our attention by @Virinum.
  • #1865 - @marcoskirchner contributed a remote validation plugin, which pushes validation challenge answers to a REST endpoint of your choice. His corresponding server implementation can be used to receive the answers and forward them to the ACME server, but you could also develop your own. This allows you to run win-acme on a separate server from the one that receives traffic from the domain.

Enhancements

  • We have decided to rename “target plugins” to “source plugins” because that name makes more sense given their function, which is working at the beginning of the pipeline to provide the rest of the steps with a list of identifiers (DNS names or IP addresses) to work with. To avoid breaking workflows the old command line parameter --target continues to be accepted as an alias for the new --source parameter.
  • The previous release added support for secret management in the core program. This release extends that to all extra plugins. To do this properly without duplicating a lot of code the user input subsystem was rewritten, so that will feel a lot more consistent moving forwards, both in the main program and the various plugins. This also makes authoring additional plugins easier.
  • The parameter --validation-mode is no longer required if there are no naming conflicts between plugins, e.g. instead of --validation-mode dns-01 --validation azure you can now simply use --validation azure because there is no other plugin with that name.
  • Add proxy support to the Google Cloud DNS plugin.
  • Added a basic “Edit renewal” option in the Manage renewals menu, which is basically the same as creating a new renewal (with full options) that overwrites the previously created settings, but maintains history.
  • All plugins and the main program are now built with compile-time nullable checking, improving code quality.
  • Updated various NuGet packages for latest bug fixes from upstream components.
  • Updated local copy of the Public Suffix List for offline installations.
  • The Route53 plugin now supports parallel operations, greatly speeding up the validation process when including multiple domains in a certificate.

Bug fixes

  • Configuring a Powershell script in a path with spaces and/or single quotes would fail to run.
  • Command line parsing better handles dashes embedded in quoted strings, reported and tested by @wchao.
  • #1849 – PemFiles plugin was asking “PFX password”, which was mislabelled, thanks @MarcoMiltenburg!
  • #1847 – The published build of the Google Cloud DNS plugin didn’t work with the published build of the main program. This has been corrected. Thanks for noticing @ArcanoxDragon!
  • #1831 – The program would crash when providing it with an invalid argument, thanks @johlju for the report!

Sponsors

This release was funded by

One gold sponsor:

  • Insurance Technology Services eGov Strategies

Two silver sponsors:

  • Insurance Technology Services

And four bronze sponsors:

  • e-shop LTD
  • The Proof Group @proofgroup
  • imagenia.fr
  • Certify the web

v2.1.17.1065 - Apr 25, 2021

Breaking (but not really)

  • #1799 - If the script started by the script installation plugin returns an error, the renewal will now be considered to have failed and logged/notified as such. The program will however still attempt to run any additional installation steps, so there are no functional changes, except that previously this kind of error was invisible/ignored and now it won't be. So after upgrading, existing users may be notified about errors that have been happening for a long time already and may not require immediate attention or changes. In these cases it's probably easiest to silence the error from the script by using a try { } catch { } block. Thanks @rob-vangelder for noticing this.

New features

  • #1792 - The secret manager is a new component in the program that can be used to store and update secrets (e.g. passwords and API keys) in a central location. This is an alternative to the current system that stores them individually for each renewal, which works fine but makes rotating them painful. For now the secret manager uses a .json file in the configuration folder as its storage mechanism. As was already the case, the secrets for renewals are encrypted using the Windows Data Protection API. So while there is no immediate improvement in security, it does improve manageability. In the future the plan is to make it possible to support external storage providers such as Azure KeyVault as well using the same mechanism. In this release all built-in features have been updated to support the secret manager. The plan is to add support to the plugins as well in the next release.
  • #1813 - A new validation plugin for Google Cloud DNS was contributed by @derhally, the second one they've built!

Enhancements

  • #1800/#1807 - It is no longer possible to run two instances of win-acme simultaneously (even for different configuration folders, which was previously allowed) to avoid two copies fighting over the use of shared system resources (e.g. network ports and IIS). To avoid this becoming a breaking change, the second copy will wait until the first copy is finished, and then run as usual. @emilstojanov submitted the bug report which led to this idea.
  • Command line arguments like *key*, *password*, *secret* and *token* are not logged anymore to avoid leaking sensitive information.
  • #1795 - A debug build of the program will now log full http requests and responses in --verbose mode. This is not enabled in release builds for security reasons to avoid leaking sensitive information, so you will need to build the program yourself using Visual Studio if you want to use this feature. Thanks for the idea @DavidLaClair.
  • #1808 - When setting up a new certificate for the Windows Certificate Store with the "full options" menu, users are now asked which specific store they want to use. Previously this could only be specified through the command line or as a global default in settings.json. Thanks for the suggestion @BrianCanFixIT!

Bug fixes

  • #1794/#1797 - The GoDaddy plugin release in the previous version turned out to have some issues, which prompted us to remove the download from the releases page even after the first hotfix. Those issues have been fully resolved now and the current implementation has been confirmed to work now by several users. Thanks @DavidLaClair in particular for working with us to test.
  • In very specific cases win-acme would decide not to create a new IIS binding, even though it was in fact possible.
  • #1791 - The health check for the scheduled task could cause a crash in specific cases, making the program unusable until the task was deleted or modified. Thanks @thesushil for the report!
  • #1810 - @Virinium improved logging in the DNS lookup system, thanks for the contribution!

v2.1.16.1 - Mar 18, 2021

Bug fixes

  • #1788 - Setting up new renewals using the Azure DNS plugin was broken in version 2.1.16, thanks @sokmunki for the report
  • Fix AppVeyor build script to actually publish the GoDaddy plugin 🤡, thanks for pointing that out @ChrisIsidora

Update

  • The GoDaddy plugin is temporarily unavailable due to users reporting issues, we are currently investigating and will update the release when the problems are ironed out.

v2.1.16 - Mar 14, 2021

New features

  • A new store plugin has been created for Azure KeyVault, which lets you store certificates there for easier access from the Microsoft cloud.
  • A new DNS validation plugin has been created for GoDaddy, thanks for the contribution @LuanNg!

Enhancements

  • #1771 - Improved handling of the scenario when an ACME server throws an error that requires user interaction, e.g. updated terms of service that need to be accepted, reported by @december1990 in response to such errors accidentally being triggered by ZeroSSL.
  • #1769 - Version checker will also provide user feedback when the latest version is running, thanks @Virinium for noticing.
  • #1779 - Improve labels in renewal manager, suggested by @zachol72
  • Update various NuGet packages to their latest versions, potentially fixing upstream bugs.
  • Various documentation improvements, e.g. #1740 by @PsychoData and #1780 by @uhlhosting

Bug fixes

  • #1773 - Interactive creation of certificates would crash with a wildcard binding present in IIS, thanks @dichternebel for the report!
  • Fix potential crash on systems without IIS.

v2.1.15 - Feb 21, 2021

New features

  • The program can now check for the availability of a new version, either from the "Extra options" menu, or automatically on every run by setting Client.VersionCheck to true in settings.json. This is disabled by default for privacy reasons.
  • The PemFiles store plugin can now optionally password-protect the -key.pem file. A default password can be set in settings.json and it can be specified on the command line via the --pemfilespassword

Enhancements

  • The TransIP plugin can now be used from the command line using --transip-privatekeyfile or --transip-privatekey.
  • #1756 - To protect users from themselves, the CertificateStore plugin will now refuse to delete the previous version of the certificate from the store if it detects that it's still in use by IIS. This bites new users that manually bind the certificate to IIS instead of using the appropriate installation plugin. If the installation plugin is not chosen, the certificate will still expire though.
  • #1761 - Sorting of bindings now happens in a DNS aware way instead of purely alphabetically, making it easier to find the binding(s) that you're looking for, thanks @jscarle for the idea.

Bug fixes

  • #1747 - Do not give a warning about an unhealthy task if the user includes --verbose in the arguments, thanks @tsimmons.
  • #1718 - Fix crash bugs on alternative ACME services (non-Let's Encrypt), thanks @Stan-Tastic and @Thomas-Stu for collaborating on this.
  • #1749 - "Manual" renewals were not always properly imported from v1.9.x, discovered by @tommykoch.

v2.1.14.1 - Jan 10, 2021

Bug fixes

  • Fix bug #1738, thanks @ca7bc0c5f2

v2.1.14 - Jan 10, 2021

New features

  • #1719/#1730 - Add a command line option --setuptaskscheduler to forcibly (re)create the scheduled task and also force the (re)creation upon using the --import feature, requested by @xorinzor.

Enhancements

  • #1718 - Account creation code was refactored to enable fallback to an RS256 key if the server doesn't support using an ES256 key (which is in violation of the ACME RFC). Reported by @Stan-Tastic.
  • #1722 - Reduce timeout and attempt to resolve potential deadlock issue on the connectivity check that happens at initial startup (reported by @acanivano).
  • Add arm64 binaries to the build and release process, preparing for an eventual release of Windows Server on ARM.
  • #1708 - When pre-validation fails for the manual DNS plugin, the certificate creation process would be unable to proceed. Now instead the user is offered the option to retry, abort or ignore the error. Reported by @LeonardMichalas.

Bug fixes

  • #1690 - Fix yes/no prompts not working on remote terminals from Apple operating systems (macOS/iPadOS/iOS).
  • #1718 - Handle ACME servers that do not return a new nonce when reporting an error message.
  • #1732 - Fix typo reported by @Virinum.

Sponsors

This release was funded by

One gold sponsor:

  • Insurance Technology Services eGov Strategies

Two silver sponsors:

  • Insurance Technology Services

And four bronze sponsors:

  • e-shop LTD
  • The Proof Group @proofgroup
  • imagenia.fr
  • Certify the web

v2.1.13.1 - Dec 07, 2020

Bug fixes

  • #1715 - Don't use quotes for working directory, thanks @bmasephol!

v2.1.13 - Dec 05, 2020

New features

  • A new setting allows you to specify the preferred root authority. On January 11th Let's Encrypt will switch over to their own root certificate which is not trusted by older Android versions and perhaps other (older) software. As a fallback, until September 30th it will still be possible to get certificates using the old root. In settings.json you can configure Acme.PreferredIssuer to be "ISRG Root X1" if you want to start testing with the new root today or "DST Root CA X3" to keep using the fallback as long as it will last.
  • A DNS validation plugin for Dutch hosting company TransIP is now available from the releases page. Note that this provider is not very fast at updating its records after their API has accepted the changes, so it's highly recommended to roughly double either PreValidateDnsRetryCount and/or PreValidateDnsRetryInterval in settings.json.

Enhancements

  • The program is now built on .NET 5.0 instead of .NET Core 3.1. This should not have much user impact, but allows us to keep up to date with the latest Microsoft technologies and should solve some annoying issues like certain startup problems like #1632 reported by @MarcoMiltenburg.
  • The program will now refuse to start when it detects that another instance on the same machine is already working on the same configuration path. A warning will be logged when it detects that another instance is running for a different configuration path. Running multiple instances in parallel can cause issues in certain scenarios, for example when both try to make changes to IIS at the same time.
  • It's now possible to use plugins when using win-acme as a dotnet tool. To use them they need to be unpacked to %userprofile%\.dotnet\tools\.store\win-acme\{version}\win-acme\{version}\tools\net5.0\any. We realize this is not the most user friendly experience and might come up with better solutions in the future. Requested by @rprouse in #1691.
  • The path to the program used for a newly created scheduled task is now quoted when necessary, reported by @Phil-G in #1704.
  • An example PowerShell script to use win-acme for the Windows Admin Center was submitted by Matthew Barreiro, thanks!

Bug fixes

  • #1706 - Crash fix for the DigitalOcean plugin when using domain substitution for the acme-challenge subdomain. Thanks for the contribution @Skulblaka.
  • #1700 - It was not possible to use TLS-ALPN-01 validation from the command line, reported by @andrianovSupplerus.

v2.1.12 - Nov 02, 2020

New features

  • #1648 - This release adds support for ZeroSSL as a (free) alternative to Let's Encrypt, further broadening the range of service providers that win-acme can be used with. A ZeroSSL account can be created using email signup, EAB credentials or an API key from an existing account. Requested by @trekmp.
  • #1684 - win-acme is now available as a .NET tool, so it can be installed or updated from the command line if you have .NET Core installed on your system using dotnet tool install win-acme --global. Note that it currently only works as a global tool and plugin support has not been tested yet. Idea from @jachin84.

Enhancements

  • Update various NuGet packages for upstream bugfixes
  • Update the Public Suffix List for users that cannot download it dynamically each run
  • Add a random delay of 2 hours to the scheduled task to help alleviate potential performance issues for service providers. E.g. for new installs the scheduled task will run sometime between 9 am and 11 am. This does not affect existing installs and of course it is still configurable and customizable.
  • We now log if we're running as a 32 bit or a 64 bit build.
  • Add extra logging to track down possible bug #1678

Bug fixes

  • #1680 - Fixed a bug that caused partially validated orders to fail in multithreaded mode, reported by @alexhass.
  • Fixed a bug that caused multithreaded mode to be enabled by default for people upgrading from 2.1.8 or below
  • #1675 - @Skulblaka fixed a bug in the DigitalOcean plugin that allows it to validate sub domains, reported by @wsaca. Thanks both!
  • #1676 - Version 2.1.11 would exit the process with code -1 (error) if one or more renewals were not due, thanks @RealAmes for noticing!

v2.1.11 - Oct 02, 2020

Enhancements

  • #1659 - The --webroot argument can now be used to override the path read from an IIS target, suggested by @Vershner
  • #1651 - Outgoing http requests now include a user-agent header, contributed by @monomosc
  • #1668 - grantemsley contributed an example script that updates the Azure AD Application Proxy
  • Log/print 64b or 32b builds at startup, along with the version information
  • More specific error messages for InvalidOperationExceptions
  • When a renewal fails, the exit code for the scheduled task no longer indicates success

Bug fixes

  • #1661 - The Digital Ocean plugin was missing RestSharp.dll in its package, thanks @viktor2097 for the report.
  • #1665 - Fix crash when the program is unable to place an order for whichever reason (e.g. invalid nonce, rate limit, etc.).
  • #1669 - Fix logic bug where folders are not cleaned up properly, thanks @Franciscorp
  • #1657 - Fix bug in DNS script validation reported by @belope
  • A validation failure would not be considered fatal in all cases, causing the program to unnecessarily try to continue

v2.1.10 - Aug 01, 2020

New features

  • #1565 - Added support for external account binding, meaning that an ACME registration can be linked to a pre-existing account created with the service provider. This can be used by the service provider to provide extra services which cannot be delivered to (semi)anonymous users, e.g. organisation validation or paid certificates. The ACME registration is linked to the external account by means of an HMAC key, which can be provided through the interactive menu upon first use of the service, or from the command line using --eab-key-identifier and --eab-key. Requested by @kgeis.
  • #1626 - Added a new DNS validation plugin for DigitalOcean, contributed by @Skulblaka.
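As an added example that goes beyond the note above (not win-acme's own code): the externalAccountBinding object an ACME client builds from the two values the note mentions, following RFC 8555 section 7.3.4, where the HMAC key from --eab-key signs the account's public JWK under a header carrying the --eab-key-identifier. The key id, HMAC key, account JWK and newAccount URL used at the bottom are constructed placeholders.

```powershell
# Added example, not win-acme's own code. Builds the externalAccountBinding JWS
# from RFC 8555 section 7.3.4; all sample values below are constructed.

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {   # restore the padding base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Convert]::FromBase64String($s)
}

function New-ExternalAccountBinding {
    param(
        [string]$KeyIdentifier,      # issued by the CA, passed as --eab-key-identifier
        [string]$HmacKeyBase64Url,   # issued by the CA, passed as --eab-key
        [string]$NewAccountUrl,      # newAccount URL from the ACME directory
        [System.Collections.Specialized.OrderedDictionary]$AccountJwk  # account public key as JWK
    )
    $utf8 = [System.Text.Encoding]::UTF8
    # Protected header: HS256, the CA-issued kid, and the same URL as the outer newAccount request.
    $header = [ordered]@{ alg = 'HS256'; kid = $KeyIdentifier; url = $NewAccountUrl }
    $protected = ConvertTo-Base64Url -Bytes $utf8.GetBytes(($header | ConvertTo-Json -Compress))
    # Payload is the account's public JWK only, not the whole newAccount body.
    $payload = ConvertTo-Base64Url -Bytes $utf8.GetBytes(($AccountJwk | ConvertTo-Json -Compress))
    # Signature: HMAC-SHA256 over "protected.payload" with the decoded CA key.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = ConvertFrom-Base64Url -Text $HmacKeyBase64Url
    $signature = ConvertTo-Base64Url -Bytes $hmac.ComputeHash($utf8.GetBytes("$protected.$payload"))
    $hmac.Dispose()
    return [ordered]@{ protected = $protected; payload = $payload; signature = $signature }
}

# Constructed sample input (placeholders, not real credentials or a real key).
$accountJwk = [ordered]@{
    kty = 'EC'; crv = 'P-256'
    x = 'placeholder-x-coordinate-base64url'
    y = 'placeholder-y-coordinate-base64url'
}
$eab = New-ExternalAccountBinding -KeyIdentifier 'example-kid-0001' `
    -HmacKeyBase64Url 'c2VjcmV0LWhtYWMta2V5LWV4YW1wbGU' `
    -NewAccountUrl 'https://acme.example.test/acme/new-account' `
    -AccountJwk $accountJwk

# This object is sent as the "externalAccountBinding" field of the newAccount request.
$eab | ConvertTo-Json -Compress
```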

Enhancements

  • #1485 - @InKahootz updated the Azure plugin to support alternative endpoints, e.g. to be able to use the Germany, US Government or China regions, but presumably this should also work for Azure Stack instances at various service providers.
  • Audun Skjelnes contributed an example script for KEMP Loadmaster.
  • When importing renewals from version 1.9.x, by default those will be configured to use both the PemFiles and the PfxFile store plugins to the certificate cache folder to make their behaviour more similar to that of the legacy release. This should make the upgrade experience smoother.
  • Only the most recent ten history entries will be displayed in the "Show details" menu of the renewal manager.
  • The process of writing renewals back to disk is now more reliable, due to a sanity check on the JSON serializer and working with a backup/replace mechanism instead of a direct overwrite of the previous file.
  • #1618 - When an error occurs early in the startup, the process doesn't immediately exit anymore, making error messages like corrupted settings.json more easily visible to a user working from the Windows desktop.
  • #1628 - The PemFiles store plugin will now output an extra file that contains only the chain certificates, so excluding the actually issued certificate. This improves its usefulness for some software like Apache Tomcat. Requested by @ShaynaFishman.

Bug fixes

  • #1533 - A bug introduced in version 2.1.9 caused the http-01 selfhosting validation to fail in certain conditions, thanks to @Gachpen, @mtnhomes and others for reporting this.
  • A bug introduced in version 2.1.9 caused only the first email address in the list to receive notifications.
  • #1614 - Fix a crash when an acme-dns registration cannot be confirmed due to DNS failure, thanks to @LumKitty for the report.
  • #1620 - Fix a crash when using multiple store plugins of the same type, reported by @srishmawi.
  • #1625 - Fix an ugly warning message when trying to check if a non-existing folder is empty, reported by @djmcfar.
  • #1631 - Change the menu shortcut for "Analyze duplicate renewals" because it conflicted with "List all renewals", as noticed by @SistemasMabisy.
  • #1623 - Improve support for non-English languages, thanks @fatihkizmaz
  • #1623 - When providing invalid input for --installation, the error message would report a problem with --store instead.
  • Fix a cache bug when using DNS domain substitution (CNAMEs) in multithreaded mode.

v2.1.9 - Jul 10, 2020

New features

  • Experimental: multithreaded validation. The most difficult part of ordering ACME certificates is to provide proof of ownership for the host name(s) that are to be included. The validation process can take a decent amount of time because services like Let's Encrypt have to be thorough to maintain the trust of the international community. For example, they examine the challenge answers from multiple locations around the world to ensure that some localized network level attack doesn't allow hackers to illegally obtain a certificate. There is nothing we can do to speed up a single validation, but for certificates with multiple host names, we can. We currently validate each host name in serial order, which means there is a lot of unnecessary waiting, because each validation is in theory completely independent of any others. Using the new DisableMultiThreading setting you can now opt in to parallel validation, meaning that your SAN certificates will validate much faster (the setting is named like that because multithreading should become the new default in a future release).
  • A similar new feature is batch preparation and cleanup, which allows plugins to work more efficiently during the stages before and after validation. DNS validation plugins that want to support multithreaded validation need to be able to manage multiple active TXT records. In some cases it's possible to create and delete these records using a single call instead of one by one, providing an additional performance win. So far this has only been implemented for the Azure plugin.

Enhancements

  • #1586 - Additional parameters have been made available for the custom DNS validation script. Specifically there is {ZoneName}, which is replaced with the registerable domain, and {NodeName}, which is the part of the {RecordName} remaining after stripping off the registerable domain (or @ when they are equal). Requested by @hlsantos.
  • #1602 - Searching by friendly name is no longer case sensitive, requested by @Smurgl

Bug fixes

  • #1567 - After sending an email, the connection with the SMTP server was not nicely closed, reported by @hlsanton
  • #1568 - We were too strict on the ACME standard for DigiCert, reported by @Stan-tastic.
  • #1569 - Interactive mode now respects command line arguments as overrides for the global defaults, reported by @DamienLaw
  • #1578 - The Route53 plugin would crash when multiple zones have been configured for the same host name. It would also potentially attempt to update private zones, which are ignored now, reported by @tsimmons
  • #1591 - The default path setting for the PfxFile store plugin was not applied, reported by @cutig3r
  • #1593 - The scheduled task health check used a case-sensitive method of checking the path, reported by @CriteriaFirst
  • #1600 - Fix crash when IIS is detected in the registry but not actually installed, reported by @darkworks
  • #1603 - Fix mixup between CentralSsl path and PemFiles path introduced in 2.1.8, thanks @yndtrud
  • #1605 - Fix annoying "Invalid anti-replay nonce" bug - reported by @morhans and others.

v2.1.8.1 - Jun 03, 2020

Bugfixes

  • #1550 - Disable the order cache (introduced in version 2.1.6) because it could allow certificates to be installed without their private key in certain conditions, thanks @KevinMei-Github for the report! The order cache is a non-essential feature designed to prevent users from hitting rate limits while testing or debugging. We will evaluate over the coming weeks whether to redesign or remove it.
  • #1558 - Fix edge case in DNS CNAME resolution where multiple hosts are valid to create TXT records, thanks @mohamed-shehata-m for the report!
  • #1509 - Improved reliability of creating new bindings in IIS, thanks @stevenbarker for the stack trace that led to this fix.

v2.1.8.838 - May 31, 2020

New features

  • #1555 - A new store plugin has been added which simply writes a .pfx file to a folder. This was previously possible using either the CentralSsl plugin or through an installation script, but this is more convenient and easily discovered for beginners. Suggested by @Dolphyn5.
  • New order plugins have been added to create a separate certificate for each registerable domain or IIS site covered by the renewal target. These should still be considered beta.
  • @FWest98 contributed an example script for updating AD FS services.

Enhancements

  • #1543 - It's now possible to configure store and installation plugins of the same type more than once, e.g. if you need to run two scripts or want to store your .pem files in two different locations.
  • #1551 - Email notifications now include log output, requested by @Virinum.
  • #1530 - When creating an IIS target it's no longer required to first pick "Choose specific bindings" from the menu and then type the indices of the bindings. You can now input the indices immediately. To facilitate this, the other filter options have been given letter shortcuts. Suggested by @BrianCanFixIT.
  • #1529 - Instead of only logging selected requests from AcmeSharpCore, now all http requests are logged to make debugging network level issues much easier. Suggested by @MasterChiefJon.
  • #1528 - When showing paged lists, space is now the shortcut for going to the next page instead of enter, meaning users will be much less likely to accidentally trigger the default menu option at the end of the list. Suggested by @BrianCanFixIT.
  • Improved feedback and logging on invalid command line input.
  • The recursive DNS resolver used for pre-validation is now more reliable when used with delegated domains.
  • Wildcard bindings are no longer hidden in "default settings" mode, because it's no longer hardwired to use HTTP-01 validation.
  • Updated NuGet package dependencies.
  • Better handling of file system permission issues.

Bug fixes

  • #1483/#1553 - Reliability improvement due to fixes for the single file application released by Microsoft in .NET Core SDK release 3.1.4.
  • #1524 - Route53 and Azure plugins could pick the wrong DNS zone to update if two zones with overlapping names exist in the same resource group. Discovered and fixed by @rvdginste.
  • #1534 - The computer name would not show up in the email notification unless it was explicitly configured.
  • #1532 - Fix crash when creating a new binding with an IPv6 address, reported by @Conrad-T-Pino.
  • Azure DNS validation got various bug fixes for delegated domains.
  • The certificate cache was broken for multi-order renewals.
  • Enhanced/corrected various log messages.

v2.1.8 - May 31, 2020

New features

  • #1555 - A new store plugin has been added which simply writes a .pfx file to a folder. This was previously possible using either the CentralSsl plugin or through an installation script, but this is more convenient and easily discovered for beginners. Suggested by @Dolphyn5.
  • New order plugins have been added to create a separate certificate for each registerable domain or IIS site covered by the renewal target. These should still be considered beta.
  • @FWest98 contributed an example script for updating AD FS services.

Enhancements

  • #1543 - It's now possible to configure store and installation plugins of the same type more than once, e.g. if you need to run two scripts or want to store your .pem files in two different locations.
  • #1551 - Email notifications now include log output, requested by @Virinum.
  • #1530 - When creating an IIS target it's no longer required to first pick "Choose specific bindings" from the menu and then type the indices of the bindings. You can now input the indices immediately. To facilitate this, the other filter options have been given letter shortcuts. Suggested by @BrianCanFixIT.
  • #1529 - Instead of only logging selected requests from AcmeSharpCore, now all http requests are logged to make debugging network level issues much easier. Suggested by @MasterChiefJon.
  • #1528 - When showing paged lists, space is now the shortcut for going to the next page instead of enter, meaning users will be much less likely to accidentally trigger the default menu option at the end of the list. Suggested by @BrianCanFixIT.
  • Improved feedback and logging on invalid command line input.
  • The recursive DNS resolver used for pre-validation is now more reliable when used with delegated domains.
  • Wildcard bindings are no longer hidden in "default settings" mode, because it's no longer hardwired to use HTTP-01 validation.
  • Updated NuGet package dependencies.
  • Better handling of file system permission issues.

Bug fixes

  • #1483/#1553 - Reliability improvement due to fixes for the single file application released by Microsoft in .NET Core SDK release 3.1.4.
  • #1524 - Route53 and Azure plugins could pick the wrong DNS zone to update if two zones with overlapping names exist in the same resource group. Discovered and fixed by @rvdginste.
  • #1534 - The computer name would not show up in the email notification unless it was explicitly configured.
  • #1532 - Fix crash when creating a new binding with an IPv6 address, reported by @Conrad-T-Pino.
  • Azure DNS validation got various bug fixes for delegated domains (TTL decrease and creation of @ records).
  • The certificate cache was broken for multi-order renewals.
  • Enhanced/corrected various log messages.
  • Don't continue renewal process after one of the validations has failed.
  • Don't continue validation process when no matching DNS zone can be found in Azure or AWS.

v2.1.7 - May 02, 2020

Architecture

This release expands the conceptual framework of the program with a new class of plugins. Until now, if you manage lots of bindings in IIS, you only have roughly two options to make sure they are all accessible through https.

  1. Set up a renewal for all bindings. This works but is not a great solution, because you may run into limitations of the ACME server (i.e. the 100 domain limit for Let's Encrypt) and it's not adhering to best practices of operational security, because you are disclosing the existence of all other hosts on the server through the certificate shared by each of them.
  2. Diligently manage the renewals, adding, updating and cancelling them whenever something changes in IIS.

While we have strived to make this (micro)management easier over the years, I felt that there should be a fundamentally better way. So this release introduces the concept of an "order plugin", which allows multiple certificates to be created and installed from a single renewal.

For now there are two of these plugins: the default, backwards compatible single plugin is there to make sure that nothing changes for those upgrading. The host plugin creates a separate certificate for each host. This should be considered beta and is accessible from the command line only by adding --order host at startup when you create a certificate. Future releases will add additional options (e.g. a site plugin to create a certificate for each site) and fine-tuning based on user feedback.

New features

  • #1479 - It's now possible to customize the default plugin for each of the six stages through settings.json. The old "simple mode" has been renamed to "default settings" mode to reflect this. Requested by @michaelsmoody.
  • #1514 - @albertofustinoni contributed a validation plugin for LuaDNS.

Enhancements

  • #1481 - The http-01 selfhosting plugin may now be configured to listen to https requests using the --validationprotocol switch. Note that Let's Encrypt will always use plain http and port 80, so this is only useful when those requests are being redirected. Requested by @michaelsmoody.
  • #1490 - You may now customize the computer name reported in email notifications. The computer name is also added to the subject so that it's easier for those managing multiple servers with win-acme. Requested by @jon-f-novastor.

Bug fixes

  • #1448 - ACME protocol technicalities. Thought to be fixed in 2.1.6 already, but that release was not built correctly.
  • #1487 - The --force switch was broken in 2.1.6, reported by @jon-f-novastore.
  • #1492 - Azure and Route53 plugins ignored proxy configuration. Reported by @wesochuck.
  • #1503 - When configuration was decrypted, private keys stored for the --reuse-privatekey parameter became inaccessible and new keys were generated. Discovered by @Virinum!
  • #1509 - Fix crash on corrupted IIS binding (missing certificate). Reported by @djgamerr.

v2.1.6.773 - Apr 01, 2020

Bug fixes

  • #1475 - Improved log messages around domain substitution, spotted by @Virinum
  • #1476 - Empty "From" header in email notifications, also first reported by @Virinum

v2.1.6.768 - Mar 29, 2020

New features

  • #1466 - The program now supports the use of substitute domains for DNS validation. If your goal is to get a certificate for example.com using DNS validation, but the DNS provider for that domain does not support automation and/or your security policy doesn't allow third party tools like win-acme to access the DNS configuration, then you can set up a CNAME from _acme-challenge.example.com to another (sub)domain under your control that doesn't have these limitations. acme-dns (which we also support) is based on this principle, but now the same trick can be applied to any of the DNS plugins, meaning it can be done for Azure, Route53, Cloudflare, Dreamhost and your own scripts. The program will automatically recognize that you've created a CNAME and instruct the plugin to act accordingly.
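The CNAME substitution described above, combined with the {ZoneName}/{NodeName} split of the 2.1.9 script parameters and the "most specific zone wins" rule behind the #1524 fix, as an added example that is not win-acme's own code. It uses a constructed in-memory CNAME table and hosted-zone list instead of live DNS and the Public Suffix List, so every name below is an assumption.

```python
"""Added example (not win-acme's code): planning where a DNS-01 TXT record
must be written when _acme-challenge records may be CNAMEd elsewhere.
All DNS data below is constructed for the example."""

# Constructed CNAME table standing in for live DNS (names without trailing dot).
CNAMES = {
    # delegated to a dedicated validation zone, as the changelog describes
    "_acme-challenge.www.example.com": "_acme-challenge.www.example.com.acme.example.net",
    # a (constructed) misconfiguration: two records pointing at each other
    "_acme-challenge.loop.example.com": "_acme-challenge.loop2.example.com",
    "_acme-challenge.loop2.example.com": "_acme-challenge.loop.example.com",
}

# Constructed list of hosted zones the DNS plugin is allowed to modify.
# Note that example.com and corp.example.com overlap, as in issue #1524.
ZONES = ["example.com", "acme.example.net", "example.net", "corp.example.com"]


def follow_cnames(name, cnames, max_hops=8):
    """Return the final record name after following CNAMEs.

    The hop limit and loop check make sure a broken delegation fails
    loudly instead of hanging the validation step."""
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = cnames[name]
    return name


def pick_zone(record, zones):
    """Choose the zone that should hold the record.

    Only zones the record lies inside (equal, or a proper subdomain: note the
    leading dot, so 'notexample.com' does not match 'example.com') qualify,
    and the most specific (longest) one wins. No match is an error: the
    validation should not continue with a guessed zone."""
    candidates = [z for z in zones if record == z or record.endswith("." + z)]
    if not candidates:
        raise LookupError(f"no hosted zone matches {record}")
    return max(candidates, key=len)


def split_record(record, zone):
    """NodeName is what remains after stripping the zone, or '@' if they are equal."""
    if record == zone:
        return "@"
    return record[: -(len(zone) + 1)]


def plan_txt_record(host, cnames=CNAMES, zones=ZONES):
    """Full plan for one host: _acme-challenge.<host> -> follow CNAMEs -> zone/node.

    Returns the same three parameters a custom DNS script would receive."""
    record = follow_cnames(f"_acme-challenge.{host}", cnames)
    zone = pick_zone(record, zones)
    return {"RecordName": record, "ZoneName": zone, "NodeName": split_record(record, zone)}


if __name__ == "__main__":
    for host in ("www.example.com", "api.corp.example.com", "example.com"):
        print(host, "->", plan_txt_record(host))
```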

Enhancements

  • #1435 - It's now possible to get the friendly name and thumbprint of the previously issued certificate as parameters to the script installation plugin. Contributed by @Jaecen, thanks!
  • #1437 - We have implemented MailKit to enable support for mail servers that offer implicit TLS (typically on port 465). Previously only servers with explicit TLS (typically on port 587) were supported. Thanks @ktoonsez for bringing this to our attention.
  • #1441 - Increased default timeout waiting for ACME server to validate domains and create certificates from ~30 seconds to ~90 seconds. This gives Let's Encrypt and other services more time to do thorough validation. Note that due to the way settings are implemented, the new defaults don't automatically apply to existing installs. If you are faced with this issue please update your settings.json manually.
  • #1445 - The IIS FTP installation plugin now also checks and updates the default FTP site settings in IIS, requested by @medialabs-at. Note that it is still not possible to set up a new certificate directly targeting those settings, but they will be updated if the previous certificate has been manually linked there.
  • #1459 - For a long time the program has cached issued certificates for each renewal in order to a) provide additional information to the installation steps and b) prevent users from running into rate limits while experimenting with the program. Due to recent changes the latter use became mostly broken. Version 2.1.6 therefore implements a new order cache that works as an extra layer on top of the certificate cache and thus protects users from running into rate limits even when creating new renewals. This was noted by @barrar, among others.
  • #1364 - Solve warning in Cloudflare plugin and improved error messages, thanks to @georg-jung for contributing!

Bug fixes

  • #1431 - Improved parsing of common name, reported by @los93sol
  • #1434 - --baseuri can now be a direct link to the ACME service directory, we no longer assume that the directory lives under {baseuri}/directory, reported by @Stan-Tastic in regards to DigiCert ACME services
  • #1448 - Accept HTTP status 201 as a valid answer in response to the finalizeOrder call. Encountered in the Nexus ACME tooling and not expressly forbidden by the RFC. Reported by @oregano87, thanks!
  • #1447 - @oregano87 spotted an issue that caused the renewal setup process to continue even though a fatal error has been encountered in setting up the acme-dns registration.
  • #1460 - Preliminary validation would potentially not see the correct TXT record when multiple records are present on the same host, causing it to mistakenly report an error, thanks @lazzaronetu for getting us on the scent of that issue.
  • #1473 - Cancelling the certificate creation process in --test mode would incorrectly prompt the user that the process has failed. It will now report that the process has been aborted.

Sponsors

This release was funded by

One gold sponsor:

  • Insurance Technology Services eGov Strategies

One silver sponsor:

  • Insurance Technology Services

And three bronze sponsors:

  • e-shop LTD
  • The Proof Group @proofgroup
  • imagenia.fr

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please check out my Patreon page.

v2.1.5 - Mar 01, 2020

New features

  • For those who hadn't noticed yet, we have moved to our own Github organisation and our own domain name https://win-acme.com/
  • Renewal management now offers a feature that analyzes your renewals and tells you when you have multiple renewals set up for the same host names and/or IIS websites, which can be the reason for any number of unexpected behaviours.

Enhancements

  • The renewal management menu now provides quick access to a specific renewal by letting you type one or more numbers directly after entering the menu, instead of having to go through filters to achieve a simple selection.
  • #1397 - More specific reasons specified for disabled menu options, instead of only the general suggestion to try running as an administrator.
  • Additional verbose logging messages added around the order and authorization steps, removed message about renewals not currently due from the Windows Event Viewer.
  • Do not crash at first time startup when unable to create settings.json (e.g. due to not having write access to the program folder when running as non-admin), instead use settings_default.json.
  • #1409 - Show a friendly and useful error message when settings.json contains invalid json, thanks for the report @LBegnaud
  • In some cases (e.g. when using the Central Certificate Store) the program would call CommitChanges on the IIS Manager when no changes were actually made.
  • Performance improvements
    • #1410 - Better choice of data structures and simple caching mechanisms allow for far fewer and faster scans of IIS bindings, tested with help of @Levan777.
    • #1407 - When deleting instances of the old certificate from the Central Certificate Store, we no longer scan all files in the folder, but only those potentially matching based on the old certificate's known host names, thanks for bringing this to our attention @redjockey!
  • Exceptions happening while writing the web.config file during HTTP-01 validation are no longer fatal but treated as warnings.
  • Increase default file log retention from 31 days to 120 days (covering a certificate's complete 90-day validity period plus a 30-day buffer).

Bug fixes

  • #1399 - Fix a bug where the program would be unable to continue past the authorization stage if there is a pre-existing valid authorization, but the renewal is re-configured with a different validation method and started using the --force switch, thanks to @henrywol and @cpu for help figuring this out.
  • #1414 - The Try in default browser? question in --test mode caused a crash when answered with y, reported by @Valleriani
  • #1416 - In the menu Encrypt/decrypt configuration the path to the configuration file shown was incorrect.
  • In some specific circumstances when host names are configured in MiXeD cAsE, the program would get confused and attempt to create a duplicate binding in IIS.
  • The Run scheduled renewals option in the main menu is no longer disabled when no renewals are due, allowing users to run renewals that are due prematurely due to target changes.
  • Renewals created with the legacy IISBinding, IISSite and IISSites target plugins would show duplicate values in the Show details for renewal menu options.
  • When unable to connect to the ACME service using operating system defaults for connection security, retry with TLS 1.2 forced. If that works, keep enforcing TLS 1.2 across all outgoing HTTP connections.
  • The CleanUp function of the validation plugin would not be called in all scenarios, potentially leaving certain resources in use when they're not needed anymore.

v2.1.4 - Feb 04, 2020

New features

In our quest to make the program simpler and more powerful at the same time, we've optimized the main menu so that it shows fewer options to confuse people and more information that administrators are likely to want to see, i.e. the total number of renewals managed, due and in error state.

The renewal management options have been placed in a new section that allows you to sort and filter renewals and apply the actions Run, Cancel, Revoke and Show details on them. The selection is remembered until you leave the management menu, so you can easily apply multiple actions on the same set of renewals. Future updates will increase the number of sorters, filters and actions, please feel free to provide ideas!

Enhancements

  • #1360 - It's now possible to skip the store step using the menu or command line (--store none), for scenarios where you fully want to rely on your custom installation script. Thanks @andrewheberle for the idea.
  • Added an example script that shows how to create or update a Java Key Store (.jks) file using a custom installation script.
  • If we are unable to verify the acme-dns configuration, the validation attempt will continue (with a warning logged) instead of fail, so that we don't block users with environments that make it difficult or impossible to verify the DNS records.
  • #1374 - It's now possible to revoke certificates in unattended mode using the new --revoke parameter. Proposed by @Micrologiciel.
  • Increase default timeout for requests to the ACME server from 8 seconds to 25 seconds, to be more tolerant to load issues and network timeouts.
  • #1382 - Importing renewals from version 1.9.x has become more user friendly. The program provides more feedback about the process and ensures the existence of an ACMEv2 account, the lack of which was the reason some users got stuck running their scheduled task. The documentation around this has also been clarified. Thanks to several users for sharing their experiences.
  • When revoking or cancelling renewals from the command line, it's now possible to use patterns with ? and * to match multiple renewals.
  • A basic connectivity check to the ACME server is run at startup to prevent surprises during renewal execution.

Bug fixes

  • #1109 - Fix an issue that could cause DNS pre-validation to fail with certain DNS servers, thanks @ericcan for providing a reproducible example case.
  • #1366 - The Cloudflare plugin would not properly delete the TXT records it created, thanks @georg-jung for the fix and @Virinum for the report!
  • #1371 - The --friendlyname parameter was ignored. First discovered by @movieghost.
  • #1389 - Fix Powershell 2.0 process hanging, reported by @hkmaverick

v2.0.11.705 - Feb 04, 2020

Caution - this is NOT a general release

See release notes above.

This release is meant for Windows 2008 users who are unable to run the latest 2.1.x versions, but are forced to upgrade before November because Let's Encrypt will require POST-as-GET from that time. It lacks many bug fixes and quality of life improvements that were implemented in recent versions of the software. See this issue for more information: #1358.

To support Windows 2008 we have had to down-target from .NET Framework 4.7.2 to .NET Framework 4.6.1, which (for some very annoying technical reasons - https://github.com/dotnet/standard/issues/567) means that we are not able to re-use accounts created using previous 2.0.x releases. If you're upgrading from 2.0.x to 2.0.11, you therefore have to delete Registration_v2 and Signer_v2 from your ConfigurationPath.

This does not apply to users migrating from 1.9.x, they will create a new account at the ACMEv2 server anyway.

v2.0.11 - Feb 02, 2020

See release notes above.

v2.1.3.671 - Jan 18, 2020

Bug fixes

  • #1361 - Revert back to the old color scheme on Windows version before 10 / Server 2016

v2.1.3.669 - Jan 16, 2020

New features

  • #1337 - @georg-jung was so kind to contribute a DNS validation plugin for Cloudflare, which is now available as an extra download just like the Route53 and Azure plugins.

Enhancements

  • As per best practices, the versions of the TLS protocol supported are left to be determined by the operating system, for better forwards and backwards compatibility.
  • Some progress has been made to enable integration testing, paving the way for future quality improvements
  • #1348 - Re-balanced auto-generated friendly names for certificates generated with the IIS plugin, to be more recognizable and potentially shorter.
  • acme-dns configuration may now be stored in the main configuration folder instead of a subfolder, making it default behaviour to share registrations between different ACME endpoints.
  • Improved caching of DNS lookup clients and resolving work, saving a little bit of time and memory.
  • Logging
    • Exception stack traces and severity levels are not shown unless running with --verbose
    • A new color scheme is used.
    • Warnings and errors are logged to disk as well
    • #1339 - We now log the command line arguments at startup for future reference, requested by @AGlezB
    • #1339 - The process identifier has been made available for custom logging, also requested by @AGlezB
    • #1345 - Improved error handling for invalid/empty targets, which turned out to be unclear, reported by @busitech
    • When using a custom logging path, a sub folder will be created for each ACME endpoint, as is effectively already the case with default logging.
  • Documentation
    • #1353 - Documentation around Microsoft Azure improved, thanks for the heads up @Mahdi-GoVanguard.
    • #1334 - Documentation about self-hosting plugin improved.
    • Example for custom logging with serilog.config added
    • #1344 - Broken link found by @stevenmyhre
    • #1345 - Improved documentation around RDS

Bug fixes

  • #1285 - @pelnarp discovered an issue that could cause an unattended run to get stuck waiting for user input if the scheduled task is not healthy.
  • #1333 - Recent versions of Windows introduced several new binding flags in IIS, i.e. "Disable TLS 1.3 over TCP", "Disable Legacy TLS", "Disable OCSP Stapling", "Disable QUIC" and "Disable HTTP/2". Unfortunately these were not properly handled by the program during renewals, causing the flags to be unset after each certificate update. Thanks @brunotl for the report!
  • #1336 - In environments with restricted access to DNS, prevalidation and acme-dns configuration validation could fail, thanks @LumKitty for the report.
  • #1338 - @dahanc fixed a bug in the path name cleaning which could cause exceptions when using specific endpoints for ACME or acme-dns.
  • #1342 - @mahrmediait reported that a .dll was missing from the Azure plugin package.
  • #1330/#1346 - After upgrading from 2.x to version 2.1.2, all renewals would be due because of a backwards compatibility issue in the certificate caching mechanism. Discovered by @Virinum and @Micrologiciel.
  • #1347 - The certificate chain was not included in the .pfx files generated for the IIS Central Certificate Store, reported by @art-b-d
  • #1350 - The program no longer stops the renewal if it's unable to write an intermediate certificate to the store. It will attempt to fall back to the user-configured store if it's unable to open the system store.

v2.1.2.641 - Dec 19, 2019

New features

  • #1269 - Inspired by an initial idea and PR by @olivermue, this release introduces a new IIS target plugin that supersedes the three different ones that have existed since the dawn of this program's existence (i.e. Single binding of an IIS website, All bindings of an IIS website and All bindings of multiple IIS websites). There were three important goals that have been achieved with this new plugin:
    • Fully backwards compatible. Existing renewals and command line parameters work exactly like before.
    • More user-friendly. Simple mode got easier because users are not immediately confronted with the concept of a "target plugin", and generally the interface got a lot of touches that should help setting up certificates, for example the idea proposed by @MarcoMiltenburg in #1297.
    • More powerful. Instead of "hard-coding" a set of bindings to build a certificate for, it's now possible to use pattern matching and even regular expressions to create dynamic renewals.
  • #1074 - It's now possible to use the acl-fullcontrol parameter to specify a list of users or groups that should get full permissions on the private key in the Windows Certificate Store. This is of particular interest to Microsoft Exchange admins, because the installation of cumulative updates might fail without these permissions properly configured. The documentation about Exchange has been updated to reflect this. First reported by @janwerner.
  • #1309 - It's now possible to connect to an acme-dns endpoint using basic authentication. Requested by @LumKitty.

Enhancements

  • #1296 - Handling of the certificate chain has been much improved. It should now work reliably for an arbitrary number of intermediate certificates and no longer depends on Windows to build chains, so there is no more confusion when an older intermediate certificate is still present on the system. Brought to our attention by @hb220.
  • #1283 - The program has become slightly more pro-active about creating and updating bindings during initial setup of a new certificate, specifically to accommodate the scenario where IPv4- and IPv6-specific bindings are present on the same website. Reported by @MarcoMiltenburg.
  • #1294/#1317 - The handling of the Public Suffix List had some problems discovered by @lukefoley and @hanschou. It has been improved in three ways. First, there is now a static version redistributed with the application, so that in highly secured environments it's not necessary to open up another connection. Secondly, the proxy settings are now applied during the download. Lastly, the program creates a cached version in its own configuration folder that remains valid for 30 days to improve startup times.
  • Terms of service are now logged and saved to disk even when they have been "pre-accepted" from the command line, just for future reference.
  • Runtime upgraded from .NET Core 3.0 to 3.1

Bug fixes

  • #1321 - The program could crash for a first-time user when not running as Administrator, due to being unable to create a category in the Windows Event Viewer. Reported by @439bananas and others.
  • #1277 - The program could crash in some cases when redirecting console output.
  • #1298 - When changing (properties of) the CSR, for example when switching from RSA to EC keys, the internal certificate cache would not be invalidated, leading to an unexpected and unwanted delay in the application of the change. Reported by @MarcoMiltenburg.
  • #1305 - @mindstormsking discovered that settings.config incorrectly contained a "ConfigPath" setting which is supposed to be "ConfigurationPath".
  • #1319/#1320 - Fixed a pair of bugs reported by @oregano87 that didn't get triggered by Let's Encrypt but were in violation of the ACME standard.
  • Import from 1.9.x still had some issues even after the previous fix in version 2.1.1, should be 100% again now.
  • Various possible null reference problems fixed using C# 8.0 Nullable Reference Types.

2.1.2.636

Fixes two bugs discovered in the initial 2.1.2 release: #1326 and #1327. Thanks @TylerMitton and @randomevents!

2.1.2.641

Fixes another bug discovered in the initial 2.1.2 release: #1330. Thanks @Virinium.

v2.1.2.636 - Dec 17, 2019

See release notes above.

v2.1.2.628 - Dec 16, 2019

See release notes above.
