Open walispeed opened 4 years ago
When WinCertes creates a new binding, it creates it under port 443. However, if the binding already exists, WinCertes uses the existing settings to bind the certificate to it. So if you create the bindings (with your custom port) manually before issuing, WinCertes will correctly handle the binding during issuance and renewal.
Is this an acceptable work-around for you?
Thank you for your swift feedback. So you mean the certificate should have been initially created by WinCertes to handle the binding to the specific port during the renewal action?
Our use case here is that we have several certificates expiring soon that were created in another way. My expectation is that, after installing and configuring WinCertes, WinCertes is able to renew the IIS bindings of the old certificate. Am I wrong?
Sorry, wrong action.
Provided that you have one binding per hostname contained in the certificate, yes WinCertes will reuse existing bindings, including the "exotic" port, and just renew the certificate.
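The workaround described in the two maintainer replies above, as an added example that is not part of the WinCertes project: pre-create one HTTPS binding per certificate hostname on the custom port, then verify that IIS and HTTP.SYS see it. The site name comes from the thread; the hostname and port are placeholders.

```powershell
# Added example (not WinCertes code): pre-create the HTTPS binding on a custom
# port so WinCertes reuses it instead of creating a new one on 443.
Import-Module WebAdministration

$SiteName   = 'WFhub'              # IIS site name mentioned in the thread
$HostHeader = 'host.example.test'  # placeholder: a CN/SAN contained in the certificate
$Port       = 8443                 # placeholder: your custom port

# One binding per hostname contained in the certificate, as the maintainer notes.
$existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
if (-not $existing) {
    # SslFlags 1 = SNI, so several hostnames can share the same IP:port
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader -SslFlags 1
}

# Check 1: IIS now lists the binding with the custom port and host header
Get-WebBinding -Name $SiteName -Protocol https |
    Format-Table protocol, bindingInformation, sslFlags -AutoSize

# Check 2 (run after WinCertes has issued or renewed): HTTP.SYS has a
# certificate hash registered for that hostname:port
netsh http show sslcert
```

If check 2 shows no entry for the hostname:port pair after a WinCertes run, the certificate was stored but not bound, which is the situation the log further down in this thread describes.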
The hostname for that binding was not set, as it is used internally. I set it up and tried, but a different behavior popped up; see the log below:
```
2020-06-09 16:14:17.4584|INFO|Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\06752694-9950-47a0-84f6-ce4ff768148a.pfx
2020-06-09 16:14:17.5053|INFO|Stored certificate with DN CN=gdc03152.swatchgroup.net into Windows Personal Local Machine store
2020-06-09 16:14:17.6303|ERROR|Could not bind certificate to site WFhub: A specified logon session does not exist. It may already have been terminated
System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated
   at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoint endPoint, String hostName, HTTP_SERVICE_CONFIG_SSL_PARAM_MANAGED allSSLData, SslFlags sslFlags)
   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()
   at Microsoft.Web.Administration.BindingManager.Save()
   at Microsoft.Web.Administration.ServerManager.CommitChanges()
   at WinCertes.Utils.BindCertificateForIISSite(X509Certificate2 certificate, String siteName)
2020-06-09 16:14:17.7240|INFO|Scheduled Task "WinCertes - gdc03152swatchgr" created successfully
```
As the certificate is created, I can assign it to the website manually afterward.
Do you have any clue? The site is up and running. Active Directory is reachable.
Hi community, don't you have any clue on what's happening above? :(
Are you connected with a local admin or a domain admin? What is the status of the following policy (GPO/LPO)? "Network access: Do not allow storage of passwords and credentials for network authentication"
I'm executing the command with a domain account in the local admin group. "Network access: Do not allow storage of passwords and credentials for network authentication" is disabled by default.
I tried to enable it, but I receive the same message.
Are you forcing lower case? Is it case sensitive? In my case, tested on 2 servers: 1 of them has the SAN in lower case and cannot do the IIS binding by itself; the other one binds properly, except that:
Is there any way to specify a different port for the IIS binding? By default, WinCertes created a new binding with 443, but my application is running under another one.
Thank you for your feedback.