Open nmelay opened 2 years ago
Hello,
Could you please upload the suspicious certificate? Maybe simply copy-paste it as PEM (Base64 encoded). The error is in LINQ, meaning I should probably add extra controls, but it's hard to understand what makes LINQ choke without having the cert.
Hello Alexandre,
Sure, here it is.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Hi!
I am currently experiencing the same issue. I have added "//(translation)" to each word/line that is in the system language.
C:\Users\Administrator>WinCertes.exe -e <mail> -d <domain> -w"=C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications" -b "SBS Web Applications"
[DEBUG] PFX password will be: 8ffe95156bb74451
[DEBUG] Successfully registered account <mail> with certificate authority https://acme-v02.api.letsencrypt.org/directory
Successfully registered account <mail> with certificate authority https://acme-v02.api.letsencrypt.org/directory
[DEBUG] Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
[DEBUG] Current certificate expiration date is:
[DEBUG] Initiating HTTP Validation for <domain>
[DEBUG] Generated orders and validated challenges for domains: <domain>
Generated orders and validated challenges for domains: <domain>
[DEBUG] Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx
Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx
[DEBUG] Stored certificate with DN CN=<domain> into Windows Personal Local Machine store
Stored certificate with DN CN=<domain> into Windows Personal Local Machine store
[DEBUG] Could not bind certificate to site SBS Web Applications: Odkaz na objekt není nastaven na instanci objektu. //(object reference not set to an instance of an object)
System.NullReferenceException: Odkaz na objekt není nastaven na instanci objektu. //(object reference not set to an instance of an object)
v //(in) WinCertes.Utils.<>c.<ParseSubjectAlternativeName>b__3_0(X509Extension n) v //(in) C:\Users\aau\source\repos\WinCertes\WinCertes\Utils.cs:řádek //(line) 176
v //(in) System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
v //(in) System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
v //(in) WinCertes.Utils.ParseSubjectAlternativeName(X509Certificate2 cert) v //(in) C:\Users\aau\source\repos\WinCertes\WinCertes\Utils.cs:řádek //(line) 175
v //(in) WinCertes.Utils.BindCertificateForIISSite(X509Certificate2 certificate, String siteName) v //(in) C:\Users\aau\source\repos\WinCertes\WinCertes\Utils.cs:řádek //(line) 136
Could not bind certificate to site SBS Web Applications: Odkaz na objekt není nastaven na instanci objektu. //(object reference not set to an instance of an object)
[DEBUG] Removed files from filesystem: C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.cer, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.key
Removed files from filesystem: C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.pfx, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.cer, C:\ProgramData\WinCertes\CertsTmp\7048887b-3661-4e6a-aa31-1cdfe9061329.key
Unfortunately, I have not been able to set up the staging environment, but that might be my own wrongdoing:
Fail to load resource from 'https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'.
urn:ietf:params:acme:error:accountDoesNotExist: No account exists with the provided key
And what has happened now is that, after the unsuccessful bind, the certificates are still left in my system:
PS C:\Users\Administrator> dir Cert:\LocalMachine\My
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
EA24A130A0ABDABFC90DF4EE9FEA37A60970236F <subject>
B75A4934FC06A3A15B41C6D139FBA404FD7C4746 <subject>
A967A7C8D2192047C48CA1D075B7FB62ECB26F18 CN=webmail.fsit.cz
910D7060F1BBCF860D3C7CEB36D58E1CF699649A CN=webmail.fsit.cz
8D00551B2776E406949811113622A20D0FF8136A CN=webmail.fsit.cz
815414F80363A34D4C1882CC83991C936812E972 <subject>
739E072CB0F5686114C2EE1D4E7AB46FA89DAC44 CN=webmail.fsit.cz
6DE511E77C1B175C8423B9027209B7805E2F0D3C <subject>
6BD58FBBA14F535C3657B866247BA11BD792FCDD CN=webmail.fsit.cz
3B0A99A67E6D4C7B68C981505A4D42621A59BF30 CN=webmail.fsit.cz
351111D32D4EF8334CAC5F21CB0C90D16EBAAF3C CN=webmail.fsit.cz
This might be as intended, but as it is right now, I am on a 168-hour cooldown ban. Nothing is critical at this point though.
Specifications:
Describe the bug
WinCertes 1.4.3 correctly obtains a new certificate from LE and puts it in the certificate store, but fails to bind it to the website. This seems to be caused by the presence of a specific certificate in the LM store, with empty Subject and SAN fields.
To Reproduce
Steps to reproduce the behavior:
wincertes -e <email> -d <fqdn> -b <iiswebsite> -a -p
Expected behavior
LE certificate should end up being bound to the IIS website whatever other certificates are present in the certificate store.
Screenshots or Logs
Console
Log file
Desktop:
Additional context
SAN-less certificate is a machine certificate, somehow automatically generated and renewed by AD CS in this environment.
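As an added example (not WinCertes code, and not posted by anyone in this thread), the PowerShell below inventories the store the log calls "Windows Personal Local Machine store" (Cert:\LocalMachine\My) and flags certificates with an empty Subject or no Subject Alternative Name extension, i.e. the kind of AD CS machine certificate the report says trips the SAN parser. It looks the extension up by its OID (2.5.29.17) instead of a friendly name, and returns an empty list when the extension is absent, so a SAN-less certificate is reported rather than thrown on. The function name Get-SanNames and the output columns are my own choices; the store path, the OID and the .NET members used are standard.

```powershell
# Added example, not part of WinCertes. Run in an elevated PowerShell on the host
# where the bind fails. It lists Cert:\LocalMachine\My and flags certificates that
# have an empty Subject or no Subject Alternative Name extension at all.

# id-ce-subjectAltName. Match extensions on Oid.Value: Oid.FriendlyName is
# locale-dependent and can be $null, so a lookup by friendly name is fragile.
$SanOid = '2.5.29.17'

function Get-SanNames {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid -and $_.Oid.Value -eq $SanOid } |
        Select-Object -First 1
    if ($null -eq $ext) {
        return @()          # no SAN extension: empty list, not an exception
    }
    # Format($false) renders one "<label>=<value>" pair per name, comma separated,
    # e.g. "DNS Name=webmail.example.com, DNS Name=autodiscover.example.com".
    # The label is localized on non-English Windows, so split on '=' instead of
    # matching the label text.
    ($ext.Format($false) -split '[,\r\n]+') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $names   = @(Get-SanNames -Cert $_)
    $subject = if ([string]::IsNullOrWhiteSpace($_.Subject)) { '<empty>' } else { $_.Subject }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $subject
        HasSan     = ($names.Count -gt 0)
        SanNames   = ($names -join '; ')
        NotAfter   = $_.NotAfter
        Issuer     = $_.Issuer
    }
}

# Rows with HasSan = False and Subject = <empty> are the kind the report describes;
# Issuer shows whether they come from the AD CS enrollment mentioned above.
$report |
    Sort-Object HasSan, Subject |
    Format-Table Thumbprint, Subject, HasSan, SanNames, NotAfter, Issuer -AutoSize
```

The same `Get-SanNames` logic applied to the Let's Encrypt certificate shows the DNS names WinCertes would need to compare against the site binding, and applying it to the flagged certificate shows that a null-tolerant lookup simply yields nothing for it, which is the behaviour the "Expected behavior" section asks for.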