aloopkin / WinCertes

An ACMEv2 client for Windows
GNU General Public License v3.0
119 stars 28 forks

Update IIS bindings in standalone mode #36

Open Stan-Tastic opened 3 years ago

Stan-Tastic commented 3 years ago

As far as I understand, WinCertes is able to update IIS bindings provided that it uses IIS HTTP-01 validation mode. However, I have an IIS server that does a bunch of shenanigans (like ADFS redirects), and WinCertes fails validation:

Failed to register and validate order with CA: Could not validate HTTP challenge: Multiple errors occured. See sub problems

(by the way, is it possible to enable some verbose mode? I could not find how)

With --standalone, tested on port 55555 (setup on Keyon ACME server) all goes fine: Generated orders and validated challenges for domains:

However, I have to manually update bindings in IIS (and I guess this will be necessary on every renewal). Would it be possible to streamline that?

aloopkin commented 3 years ago

IIS bindings update should be completely independent from the validation mode (HTTP-01 webroot, HTTP-01 standalone, or DNS-01).

Could you please provide the error logs?

BTW, verbose mode is performed by using the -Debug version of the MSI, and logs are in %programdata%/wincertes

Stan-Tastic commented 3 years ago

There was not much regarding debug, but I think I know what's wrong. A few issues, actually (let me know if you want me to create separate tickets for each):

  1. If I first obtain the certificate without -b option specified, and then re-run wincertes with -b option, the binding will not get updated (the certificate is already issued, and it seems that wincertes just quits without checking if the binding is active).

  2. If there is more than 1 SSL binding for a website (e.g. different ports), only the first one is updated with new certificate.

  3. I haven't tested this: I noticed that the Task Scheduler item is created with just -d option. I assume this means the rest of settings are taken from saved state (as can be seen with wincertes --show). However, binding is a saved option, while the domain is not - so what will happen if my webserver has "n" different sites (n>1), with a separate certificate for each of them? How will wincertes "know" which binding to update? Is it even possible to get different certs for different sites on the same IIS installation?

aloopkin commented 3 years ago

  1. that's correct, but it's the intended behaviour: wincertes is first of all an ACME client, not an IIS cert manager. work-around is very simple: handle the binding manually.
  2. upon renewal all bindings should be updated, provided that the website was correctly provided using -b switch, and all bindings belong to the same website
  3. what you're looking for is the --extra option, that allows to manage several websites separately (providing a -b for each)

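The manual work-around mentioned above (re-pointing every HTTPS binding of one IIS site, not just the first, at a newly issued certificate), as an added PowerShell example; this is not WinCertes' own code. It assumes the WebAdministration module is available and the new certificate already sits in LocalMachine\My; the site name and thumbprint are parameters you supply.

```powershell
# Added example, not part of WinCertes: update all HTTPS bindings of one IIS
# site to a new certificate, checking the certificate before touching anything.
param(
    [Parameter(Mandatory)] [string] $SiteName,    # e.g. "Default Web Site"
    [Parameter(Mandatory)] [string] $Thumbprint   # hex thumbprint of the new cert
)
Import-Module WebAdministration

# Normalise the thumbprint: strip spaces/colons copied from certmgr, upper-case hex.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Refuse to bind a certificate that is missing, expired, or has no private key;
# such a binding fails at TLS handshake time rather than at configuration time.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint is already expired" }

# Every HTTPS binding of the site, whatever the port or host header.
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) { throw "Site '$SiteName' has no HTTPS bindings" }

foreach ($b in $bindings) {
    # bindingInformation has the form "IP:port:hostname"; log each so that
    # non-standard ports are visibly covered.
    $current = $b.certificateHash
    if ($current -eq $Thumbprint) {
        Write-Output "$($b.bindingInformation): already using $Thumbprint"
        continue
    }
    # AddSslCertificate replaces the certificate on this specific binding.
    $b.AddSslCertificate($Thumbprint, 'My')
    Write-Output "$($b.bindingInformation): $current -> $Thumbprint"
}
```

Run it elevated after each issuance or renewal; the output lists every binding of the site with the thumbprint it had and the one it now uses, which makes a missed port obvious.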
Stan-Tastic commented 3 years ago

Ad.1. Fair enough, although I think this would improve usability.

Ad.2. Can you please elaborate on logic used by the software to update bindings?

Ad.3. Thanks, I'll try that.

aloopkin commented 3 years ago

The logic for the IIS bindings is the following, executed after the certificate has been issued from the ACME server:

So if you want to listen on non-standard port, execute first WinCertes and let it do the bindings by default, and then change the configuration to the desired ports, and/or add bindings for desired SANs/ports. Upon renewal the bindings will be updated automatically using the new settings.