aloopkin / WinCertes

An ACMEv2 client for Windows
GNU General Public License v3.0
118 stars 28 forks

Fails to bind new certificate to website #41

Open nmelay opened 2 years ago

nmelay commented 2 years ago

Describe the bug

WinCertes 1.4.3 correctly obtains a new certificate from LE, and puts it in the certificate store, but fails to bind it to the website. This seems to be caused by the presence of a specific certificate in the LM store, with empty Subject and SAN fields.

To Reproduce

Steps to reproduce the behavior:

  1. Run wincertes -e <email> -d <fqdn> -b <iiswebsite> -a -p
  2. See the error show up on console and in logfile
  3. Check that the new certificate was NOT bound to the IIS website

Expected behavior

LE certificate should end up being bound to the IIS website whatever other certificates are present in the certificate store.

Screenshots or Logs

Console

PS C:\Windows\system32> wincertes -e <email> -d <fqdn> -b <iiswebsite> -p -a
Generated orders and validated challenges for domains: <fqdn>
Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.pfx
Stored certificate with DN CN=<fqdn> into Windows Personal Local Machine store
Could not bind certificate to site <iiswebsite>: La référence d'objet n'est pas définie à une instance d'un objet.
Scheduled Task "WinCertes - <iiswebsite>" created successfully
Removed files from filesystem: C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.pfx, C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.cer, C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.key
PS C:\Windows\system32> wincertes --show
Service URI:    https://acme-v02.api.letsencrypt.org/directory
Account Email:  <email>
Registered:     yes
Auth. Mode:     http-01 validation standalone
HTTP Port:      80
IIS Bind Name:  <iiswebsite>
Import in CSP:  yes
PS Script File: none
Renewal Delay:  30 days
Task Scheduled: yes
Cert Enrolled:  yes
PS C:\Windows\system32> dir Cert:\LocalMachine\My

   PSParentPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
FC047E4FE6A903B37D0BA8061CAD17DEB8D4D6AB  CN=<fqdn>
5F6B8BE841929028CC8E35D629190FA3EF1C5043  CN=<fqdn>
53A5F2B4686376006C1BDD97B8AA419CF379DA3B

PS C:\Windows\system32>

Log file

2022-01-12 18:51:19.4175|INFO|Successfully registered account <email> with certificate authority https://acme-v02.api.letsencrypt.org/directory
2022-01-12 18:51:19.5112|INFO|Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2022-01-12 18:51:51.1209|INFO|Generated orders and validated challenges for domains: <fqdn>
2022-01-12 18:51:55.0740|INFO|Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.pfx
2022-01-12 18:51:55.0896|INFO|Stored certificate with DN CN=<fqdn> into Windows Personal Local Machine store
2022-01-12 18:51:55.1990|ERROR|Could not bind certificate to site <iiswebsite>: La référence d'objet n'est pas définie à une instance d'un objet.
System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet.
   à WinCertes.Utils.<>c.<ParseSubjectAlternativeName>b__3_0(X509Extension n)
   à System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   à System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   à WinCertes.Utils.ParseSubjectAlternativeName(X509Certificate2 cert)
   à WinCertes.Utils.BindCertificateForIISSite(X509Certificate2 certificate, String siteName)
2022-01-12 18:51:55.4646|INFO|Scheduled Task "WinCertes - <iiswebsite>" created successfully
2022-01-12 18:51:55.4646|INFO|Removed files from filesystem: C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.pfx, C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.cer, C:\ProgramData\WinCertes\CertsTmp\8853cfa7-9a4a-40b4-b5e0-4ccb36f13972.key

Additional context

The SAN-less certificate is a machine certificate, somehow automatically generated and renewed by AD CS in this environment.

aloopkin commented 2 years ago

Hello,

Could you please upload the suspicious certificate? Maybe simply copy-paste it as PEM (Base64 encoded). The error is in Linq, meaning I should probably add extra controls, but it's hard to understand what makes Linq choke without having the cert.
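
Added diagnostic for the profile described in this issue (not WinCertes's own code): it walks Cert:\LocalMachine\My, resolves the SAN extension by its OID with a null guard on every extension, and flags certificates that have an empty Subject and no SAN, so the one that breaks the binding step can be located before re-running the client. It assumes it is run on the affected host; the function name Get-SanNames is hypothetical.

```powershell
# Added diagnostic (not WinCertes code). Lists every certificate in the
# Local Machine personal store with a null-safe SAN parse, so the certificate
# that trips the binding step (empty Subject, no SAN) can be identified.
# Assumes it is run on the affected host (elevate if the store access is denied).
function Get-SanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Look the SAN extension up by its standard OID (2.5.29.17) and guard each
    # extension's Oid against null, instead of trusting FriendlyName, which is
    # localised and may be absent.
    $san = $Cert.Extensions |
        Where-Object { $_.Oid -and $_.Oid.Value -eq '2.5.29.17' } |
        Select-Object -First 1
    if (-not $san) { return @() }
    # AsnEncodedData.Format($false) renders e.g. "DNS Name=a.example, DNS Name=b.example";
    # the label is localised, so split on '=' rather than matching the label text.
    $text = $san.Format($false)
    if ([string]::IsNullOrWhiteSpace($text)) { return @() }
    $names = foreach ($entry in ($text -split ',\s*')) {
        $parts = $entry -split '=', 2
        if ($parts.Count -eq 2) { $parts[1].Trim() } else { $entry.Trim() }
    }
    return @($names)
}

$report = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $names     = @(Get-SanNames -Cert $c)
    $noSubject = [string]::IsNullOrWhiteSpace($c.Subject)
    $subject   = $c.Subject
    if ($noSubject) { $subject = '<empty>' }
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $subject
        SanNames   = ($names -join ', ')
        Issuer     = $c.Issuer
        # Empty Subject together with no SAN is the profile reported in this issue.
        Suspicious = ($noSubject -and $names.Count -eq 0)
    }
}
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Rows with Suspicious = True are the candidates to export (or move out of the personal store) before retrying the bind; the Issuer column shows whether they come from the AD CS auto-enrollment mentioned above.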

nmelay commented 2 years ago

Hello Alexandre,

Sure, here it is.

kostamoisidis commented 2 years ago

Hi!

I am currently experiencing the same issue. I have added "//(translation)" after each word/line that is in the system language.

C:\Users\Administrator>WinCertes.exe -e <mail> -d <domain> -w"=C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications" -b "SBS Web Applications"
[DEBUG] PFX password will be: 8ffe95156bb74451
[DEBUG] Successfully registered account <mail> with certificate authority https://acme-v02.api.letsencrypt.org/directory
Successfully registered account <mail> with certificate authority https://acme-v02.api.letsencrypt.org/directory
[DEBUG] Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
[DEBUG] Current certificate expiration date is:
[DEBUG] Initiating HTTP Validation for <domain>
[DEBUG] Generated orders and validated challenges for domains: <domain>
Generated orders and validated challenges for domains: <domain>
[DEBUG] Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx
Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx
[DEBUG] Stored certificate with DN CN=<domain> into Windows Personal Local Machine store
Stored certificate with DN CN=<domain> into Windows Personal Local Machine store
[DEBUG] Could not bind certificate to site SBS Web Applications: Odkaz na objekt není nastaven na instanci objektu. //(object reference not set to an instance of an object)
System.NullReferenceException: Odkaz na objekt není nastaven na instanci objektu. //(object reference not set to an instance of an object)
   v //(in) WinCertes.Utils.<>c.<ParseSubjectAlternativeName>b__3_0(X509Extension n) v //(in) C:\Users\aau\source\repos\WinCertes\WinCertes\Utils.cs:řádek //(line) 176
   v //(in) System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   v //(in) System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   v //(in) WinCertes.Utils.ParseSubjectAlternativeName(X509Certificate2 cert) v //(in) C:\Users\aau\source\repos\WinCertes\WinCertes\Utils.cs:řádek //(line) 175
   v //(in) WinCertes.Utils.BindCertificateForIISSite(X509Certificate2 certificate, String siteName) v //(in)C:\Users\aau\source\repos\WinCertes\WinCertes\Utils.cs:řádek //(line) 136

Could not bind certificate to site SBS Web Applications: Odkaz na objekt není nastaven na instanci objektu. //(object reference not set to an instance of an object)
[DEBUG] Removed files from filesystem: C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.cer, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.key
Removed files from filesystem: C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.cer, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.key

Unfortunately, I have not been able to set up the staging environment, but that might be my wrongdoing:

 Fail to load resource from 'https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'.
urn:ietf:params:acme:error:accountDoesNotExist: No account exists with the provided key

and what has happened now is that, after an unsuccessful bind, the certificates are still left in my system:

PS C:\Users\Administrator> dir Cert:\LocalMachine\My

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
EA24A130A0ABDABFC90DF4EE9FEA37A60970236F  <subject>
B75A4934FC06A3A15B41C6D139FBA404FD7C4746  <subject>
A967A7C8D2192047C48CA1D075B7FB62ECB26F18  CN=webmail.fsit.cz
910D7060F1BBCF860D3C7CEB36D58E1CF699649A  CN=webmail.fsit.cz
8D00551B2776E406949811113622A20D0FF8136A  CN=webmail.fsit.cz
815414F80363A34D4C1882CC83991C936812E972  <subject>
739E072CB0F5686114C2EE1D4E7AB46FA89DAC44  CN=webmail.fsit.cz
6DE511E77C1B175C8423B9027209B7805E2F0D3C  <subject>
6BD58FBBA14F535C3657B866247BA11BD792FCDD  CN=webmail.fsit.cz
3B0A99A67E6D4C7B68C981505A4D42621A59BF30  CN=webmail.fsit.cz
351111D32D4EF8334CAC5F21CB0C90D16EBAAF3C  CN=webmail.fsit.cz

This might be as intended, but as it is right now, I am on a 168-hour cooldown ban. Nothing is critical at this point though.

Specifications: