ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/

Installing a Certificate to IIS webapplication (Windows Server 2016). #24

Open DanielBrownAU opened 9 years ago

DanielBrownAU commented 9 years ago

When running the following on Windows Server 2016 Server IT Preview 3 via PowerShell v5 x86, I am coming across this error while attempting to replace the certificate.

PS C:\Vault2> Install-ACMECertificateToIIS -Certificate cert12 -WebSite "SharePoint - www.danielbrown.id.au80" -Replace
WARNING: Params:
WARNING: * F72C33EFE5C23AC4C83360D3A493E0540488042D
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\2\tmp7F23.tmp
WARNING: * 0
WARNING: * False
WARNING: * True
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
Exception calling "Invoke" with "1" argument(s): "Retrieving the COM class factory for component with CLSID {688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))."
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:214 char:3

Likewise if I attempt to install a fresh certificate (and not replace the existing):

PS C:\Vault2> Install-ACMECertificateToIIS -Certificate cert12 -WebSite "SharePoint - www.danielbrown.id.au80" -Port 443
WARNING: Params:
WARNING: * F72C33EFE5C23AC4C83360D3A493E0540488042D
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\2\tmp8DA8.tmp
WARNING: * 0
WARNING: * False
WARNING: * False
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
Exception calling "Invoke" with "1" argument(s): "Retrieving the COM class factory for component with CLSID {688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))."
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:214 char:3

Line 214 (and then some):

$invArgs = @(
    ,$ci.Thumbprint
    ,$pfxTemp
    ,$null ## $pfxBytes
    ,$SNIRequired.IsPresent
    ,$Replace.IsPresent
    ,$webBindingArgs
    ,$sslBinding
)
$script.Invoke($invArgs)

-DB

ebekker commented 9 years ago

This issue stems from the compatibility mismatch with the bitness of the PS session and the IIS management module. Right now the PS module has to run in a 32-bit session; this is due to the dependency on the OpenSSL native library. The IIS management module in PS is only 64-bit on a 64-bit machine (don't know if it works on a 32-bit machine).

I'm actually working on addressing the 32-bit issue right now indirectly by externalizing all the PKI management stuff and that will remove the 32-bit requirement, and should fix this problem too.
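An added example (not ACMESharp code and not from this thread) that checks for the bitness mismatch described above before anything tries to create the IIS management COM objects. It assumes the IIS WebAdministration module is installed on the host; the function name `Test-IisManagementBitness` is a hypothetical helper chosen here.

```powershell
# Added example, not part of ACMESharp. Reports whether this PowerShell session is
# a 32-bit (WOW64) process on a 64-bit OS, which is the combination that produced
# the REGDB_E_CLASSNOTREG (0x80040154) error in the original post, and whether the
# IIS management module actually loads and works in this session.
function Test-IisManagementBitness {
    [CmdletBinding()]
    param()

    $is64Process = [Environment]::Is64BitProcess
    $is64OS      = [Environment]::Is64BitOperatingSystem

    $report = [pscustomobject]@{
        ProcessArchitecture     = if ($is64Process) { 'x64' } else { 'x86' }
        OSArchitecture          = if ($is64OS) { 'x64' } else { 'x86' }
        IsWow64Session          = (-not $is64Process) -and $is64OS
        WebAdministrationLoaded = $false
        CanQueryWebsites        = $false
        Detail                  = $null
    }

    # The WebAdministration module wraps the IIS management COM objects; as noted
    # above, on a 64-bit machine that module is 64-bit only.
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $report.WebAdministrationLoaded = $true
        # Any cmdlet that reads the IIS configuration triggers COM activation, so
        # this is where a bitness mismatch surfaces.
        $null = Get-Website -ErrorAction Stop
        $report.CanQueryWebsites = $true
    } catch {
        $report.Detail = $_.Exception.Message
    }

    if ($report.IsWow64Session) {
        Write-Warning 'This is a 32-bit PowerShell session on a 64-bit OS; IIS management COM classes are not registered for it (0x80040154).'
        # From a WOW64 process, the "sysnative" alias resolves to the real 64-bit System32.
        Write-Warning "Re-run under 64-bit PowerShell: $env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe"
    }

    return $report
}

Test-IisManagementBitness | Format-List
```

Run it in both the x86 and x64 PowerShell hosts on the same machine: the x86 host reports `IsWow64Session = True` and a COM activation failure in `Detail`, while the x64 host reports `CanQueryWebsites = True`.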

DanielBrownAU commented 9 years ago

Ah ok, so it's a known side effect of the bitness. Thanks for the information! I look forward to the update, hoping to automate this for some sites to give it a good try.

Thanks for your efforts on this project.

-DB

ebekker commented 8 years ago

@DanielBrownAU, the code has been updated to detect and handle support for both 32-bit and 64-bit platforms. Would you be able to test this out in your configuration and confirm it's working for you now?

DanielBrownAU commented 8 years ago

Will do, though I think I got rate limited when I got accepted into the beta, with the other error.

Will give it a try now

DanielBrownAU commented 8 years ago

Yeah, I'm still getting this: (have replaced my email)

PS C:\vv5> New-ACMERegistration -Contacts mailto:SOMEONE@NOONE.COM
Unexpected error
Unexpected error

StatusCode      : InternalServerError
Headers         : {Replay-Nonce, Pragma, Connection, Content-Length...}
Links           : {}
RawContent      : {123, 34, 116, 121...}
ContentAsString : {"type":"urn:acme:error:serverInternal","detail":"Error creating new registration","status":500}
IsError         : True
Error           : System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
                     at System.Net.HttpWebRequest.GetResponse()
                     at LetsEncrypt.ACME.AcmeClient.RequestHttpPost(Uri uri, Object message) in C:\Users\Administrator\Desktop\letsencrypt-win-master\letsencrypt-win\LetsEncrypt.ACME\AcmeClient.cs:line 591
ProblemDetail   : LetsEncrypt.ACME.Messages.ProblemDetailResponse

DanielBrownAU commented 8 years ago

Just gave it a try, finally got the certificate issued (via the 'x64' PowerShell).

PS C:\v1> Install-ACMECertificateToIIS -Certificate cert2 -WebSite "SharePoint - www.danielbrown.id.au80" -Replace
WARNING: Params:
WARNING: * 3E9D61AE56634EEE6E25F8E7A4BD8EE67B6489F2
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\tmpCD1F.tmp
WARNING: * 0
WARNING: * False
WARNING: * True
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
WARNING: Existing Web Binding found matching specified parameters; SKIPPING
Exception calling "Invoke" with "1" argument(s): "A specified logon session does not exist. It may already have been terminated"
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:219 char:3

Oh so close! (Windows Server 2016 Tech Preview 3)

DanielBrownAU commented 8 years ago

Follow-up note: it is actually in the IIS store... just not on the web (I did have my happy hacker cert installed).

Update #2: when trying to swap the cert in IIS Manager, I'm getting exactly the same error in a message box. Rebooting the server.

DanielBrownAU commented 8 years ago

To be fair, I think it has something to do with the certificate being exportable.

Removing it from IIS and re-importing it as exportable solved the issue in IIS Manager.

ebekker commented 8 years ago

So the COM issue you had in the original post was definitely an issue with the architecture, and it looks like that's ok now that there is explicit 32-bit/64-bit support.

The InternalServerError message shows an HTTP 500 response which means there was some error happening on the server (LetsEncrypt STAGE or BETA) and I've seen these occasionally myself, and even on the AppVeyor automated CI build, but it seems to clear itself up after a while. For example, here vs. here.

And as you indicated, it looks like your retry succeeded the second time.

Now, I'm not quite sure I follow what the issue is in your last couple of comments? Are you suggesting it's an issue with the local system's store, so it's not an ACMESharp issue?

DanielBrownAU commented 8 years ago

Hey mate.

The import of the certificate worked with the scripts, but assigning it to the web application failed.

When I did a manual import, I can produce the same error.

When I ticked 'Exportable' in IIS when I manually imported the generated certificate, it went through with no issue.

The Install-ACMECertificateToIIS will need to import the certificate to IIS as an "exportable" certificate.

Sorry for any confusion.

-DB
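An added example (not ACMESharp code and not from this thread) of the import-as-exportable step DanielBrownAU describes, done from a 64-bit session: it imports a PFX into the machine store with the private key marked exportable, confirms the private key is present, and only then attaches the certificate to the site's https binding. The function name `Install-ExportablePfxToIis`, the paths, site name and password are placeholders; it assumes the PKI and WebAdministration modules are available.

```powershell
# Added example, not part of ACMESharp. Import a PFX as exportable and bind it to
# an IIS site. All inputs are placeholders supplied by the caller.
function Install-ExportablePfxToIis {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string]       $SiteName,
        [int]    $Port = 443,
        [string] $HostHeader = ''
    )

    if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
        throw 'Run this from a 64-bit PowerShell session; the IIS management module is 64-bit only on x64.'
    }
    Import-Module WebAdministration -ErrorAction Stop

    # -Exportable marks the imported private key exportable, the setting IIS Manager
    # needed in the thread above before the binding would accept the certificate.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Exportable -ErrorAction Stop

    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) was imported without a private key."
    }

    # CSP-backed keys record exportability in the container info; CNG keys do not
    # expose it this way, so report it only when it is available.
    try {
        $csp = $cert.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            Write-Verbose "Private key exportable: $($csp.CspKeyContainerInfo.Exportable)"
        }
    } catch {
        Write-Verbose 'Private key is not CSP-backed; exportability not reported.'
    }

    # Create the https web binding if it is missing.
    $bindingArgs = @{ Name = $SiteName; Protocol = 'https'; Port = $Port }
    if ($HostHeader) { $bindingArgs.HostHeader = $HostHeader }
    if (-not (Get-WebBinding @bindingArgs -ErrorAction SilentlyContinue)) {
        New-WebBinding @bindingArgs | Out-Null
    }

    # IIS:\SslBindings maps "IP!port" to a certificate; 0.0.0.0 means all addresses.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath -ErrorAction Stop }
    New-Item $sslPath -Value $cert -ErrorAction Stop | Out-Null

    return $cert.Thumbprint
}

# Usage with placeholder values:
# $pw = Read-Host -AsSecureString 'PFX password'
# Install-ExportablePfxToIis -PfxPath 'C:\vault\cert.pfx' -PfxPassword $pw -SiteName 'Default Web Site' -Verbose
```

The bitness check at the top is there because the two failures in this thread are separate: the COM activation error comes from a 32-bit session, and the binding error comes from a non-exportable key, so a fix for one does not cover the other.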

ebekker commented 8 years ago

Thanks for the heads up, I'll incorporate that feedback into the installer.