Closed unlikemikeshmay closed 7 years ago
I assume this was run against the PROD Let's Encrypt service, not their STAGING service, correct? The reason I ask is over the last couple of days, I know their STAGING service was experiencing some intermittent issues that resulted in returning HTTP 500 errors. I'm not sure if they have all been cleared up -- but the automated build system was running into them as well over the last couple of days while it was trying to run unit tests.
Assuming that you are not going against STAGE, the error that was originally thrown, UnauthorizedAccessException, indicates that you are having permission problems saving the private key to the system vault.
Did you switch users in between validating the DNS name and creating the certificate? Did you switch from an elevated (Admin) user to a non-admin user? Or possibly, did you open up a file (for example, to peek inside) in the vault directory, but didn't close it?
I have been running in elevated PowerShell the whole time. I did however open the vault directory to look, but I closed it. I just restarted my computer and started elevated PowerShell again to retry. Here is what I have. BTW, thank you for responding.
PS C:\Windows\system32> Update-ACMEIdentifier dns2
    IdentifierPart : ACMESharp.Messages.IdentifierPart
    IdentifierType : dns
    Identifier     : my.domain.com
    Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/VITeQEM2PQK9n35L7TJCa0CqKIWWjPkx8tnp4TQgg0Q
    Status         : valid
    Expires        : 2017-09-21 1:25:43 PM
    Challenges     : {, , }
    Combinations   : {0, 2, 1}
PS C:\Windows\system32> Submit-ACMECertificate propcert
Submit-ACMECertificate : asset file already exists
At line:1 char:1
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], IOException
    + FullyQualifiedErrorId : System.IO.IOException,ACMESharp.POSH.SubmitCertificate
It seems the Vault has been wedged into some inconsistent state. Based on your first error, it looks like there was a problem creating the private key export (PEM) file, which in your case is located at C:\ProgramData\ACMESharp\sysVault\45-KEY. This could have happened if the vault was able to create this intermediate file, but didn't successfully record doing so, so it keeps trying to do it and finds the expected file already exists.
You can do one of two things: just forget about this certificate and start a new one (New-ACMECertificate) for the same DNS name. These certs are cheap :-)
Alternatively, you can try to fix this one -- I would look in this 45-KEY folder and see if you have any files in there (if this is your first and only certificate, there should be only one). Rename the file to move it out of the way, and then try again.
I made many new certificates. I also notice that there are no files in the 45-KEYPM folder.
PS C:\Windows\system32> New-ACMECertificate dns1 -Generate -Alias cert6
    Id                      : 4bf5feca-fec1-4830-9b02-9cdfaaad41c7
    Alias                   : cert6
    Label                   :
    Memo                    :
    IdentifierRef           : 49033042-aa31-4ed7-958a-dd36fedf0f77
    IdentifierDns           : my.domain.com
    AlternativeIdentifierDns :
    KeyPemFile              :
    CsrPemFile              :
    GenerateDetailsFile     : 4bf5feca-fec1-4830-9b02-9cdfaaad41c7-gen.json
    CertificateRequest      :
    CrtPemFile              :
    CrtDerFile              :
    IssuerSerialNumber      :
    SerialNumber            :
    Thumbprint              :
    Signature               :
    SignatureAlgorithm      :
PS C:\Windows\system32> Submit-ACMECertificate cert6
Submit-ACMECertificate : Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem' is denied.
At line:1 char:1
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,ACMESharp.POSH.SubmitCertificate
That's very puzzling. This part of the error message, Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem' is denied, seems to indicate some access problem with that path.
Can you see if you can manually create files in that path:
PS> echo "foo" > 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.txt'
PS> echo "foo" > 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem'
I believe you already confirmed that the folder already exists, it's just empty, correct?
Yeah, it's just empty, the files don't exist, and system files and hidden items are visible. I was able to create those two files with
PS> echo "foo" > 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.txt'
PS> echo "foo" > 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem'
so it's not a folder permission issue.
That's weird, I think the real issue is being masked. Let's see if the error actually holds the real culprit. Can you reproduce the error again, and then immediately after, run this block of PS:
& {
    $ex = $Error[0].Exception
    while ($ex) {
        "EX: $($ex.Message)"
        "    $($ex.StackTrace)"
        $ex = $ex.InnerException
    }
}
It will produce a lot of verbose output, but you can paste it in verbatim or dump it to a file and drag-n-drop it to this issue to attach the file. Thanks!
Nothing seems to have changed.
PS C:\Windows\system32> & {
    $ex = $Error[0].Exception
    while ($ex) {
        "EX: $($ex.Message)"
        "    $($ex.StackTrace)"
        $ex = $ex.InnerException
    }
}
EX: Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\ec36d562-51a2-4d5f-9fff-f8c0cb952a89-key.pem' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
    at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
    at System.IO.File.Create(String path, Int32 bufferSize, FileOptions options)
    at ACMESharp.Vault.Providers.LocalDiskVault.CreateAsset(VaultAssetType type, String name, Boolean isSensitive, Boolean getOrCreate) in C:\projects\acmesharp\ACMESharp\ACMESharp.Vault\Providers\LocalDiskVault.cs:line 250
    at ACMESharp.POSH.SubmitCertificate.ProcessRecord() in C:\projects\acmesharp\ACMESharp\ACMESharp.POSH\SubmitCertificate.cs:line 109
    at System.Management.Automation.CommandProcessor.ProcessRecord()
PS C:\Windows\system32>
Is this on Windows 10? Is it Home edition?
Try this test and see if you get the same error:
$x = [System.IO.File]::Create('C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc', 100, "Encrypted")
$x.WriteByte(65)
$x.Close()
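A fuller version of the probe above, as an added diagnostic that is not part of ACMESharp: it separates a plain folder-DACL failure from an EFS failure by creating the file first without and then with FileOptions.Encrypted (the call LocalDiskVault makes for sensitive assets), and reports the machine-wide NTFS encryption switch and OS edition. The vault path is the default sysVault one from this thread; the function name and output fields are my own.

```powershell
# Added diagnostic (not ACMESharp code). Run from an elevated PowerShell.
function Test-EfsWritable {
    param([string]$VaultDir = 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM')

    $probe = Join-Path $VaultDir ("efs-probe-{0}.enc" -f [guid]::NewGuid())
    $result = [ordered]@{
        Path              = $probe
        PlainWriteOk      = $false
        EncryptedWriteOk  = $false
        Error             = $null
        NtfsEncryptionOff = $null
        OsCaption         = (Get-CimInstance Win32_OperatingSystem).Caption
    }

    # 1. Plain create: rules out a folder permission problem (what 'echo foo >' tested).
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        $result.PlainWriteOk = $true
        Remove-Item $probe -Force
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
        return [pscustomobject]$result
    }

    # 2. Same create with FileOptions.Encrypted, i.e. what the vault does for the
    #    key PEM. This is the step that throws UnauthorizedAccessException when
    #    EFS is unavailable (Home edition), disabled, or the EFS cert is unusable.
    try {
        $fs = [System.IO.File]::Create($probe, 100, [System.IO.FileOptions]::Encrypted)
        $fs.WriteByte(65)
        $fs.Close()
        $attrs = (Get-Item $probe -Force).Attributes
        $result.EncryptedWriteOk = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
        Remove-Item $probe -Force
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }

    # 3. Machine-wide EFS kill switch ('fsutil behavior set disableencryption 1'
    #    sets this registry value; 1 means NTFS encryption is disabled).
    $fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $v = (Get-ItemProperty -Path $fsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
    $result.NtfsEncryptionOff = ($v -eq 1)

    [pscustomobject]$result
}

Test-EfsWritable | Format-List
```

PlainWriteOk true with EncryptedWriteOk false is the signature seen in this thread, and points at EFS rather than folder ACLs; the BypassEFS vault parameter is the workaround in that case.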
Hi
Identical error on "Windows 2012 R2"
PS C:\Windows\system32> $x = [System.IO.File]::Create('C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc', 100, "Encrypted")
Exception calling "Create" with "3" argument(s): "Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc' is denied."
At line:1 char:1
Result from PowerShell (elevated mode):
$x = [System.IO.File]::Create('C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc', 100, "Encrypted")
$x.WriteByte(65)
$x.Close()
Regards
I am getting this issue as well. Any more insights needed to debug and solve this?
Hi
I solved this problem temporarily by creating a CustomVault in the C:\CertificateVault folder.
Extract from code:
$CustomVaultName = "yourVaultName"
$CustomVaultRootPath = "C:\CertificateVault"
$vaultPath = Join-Path -Path $CustomVaultRootPath -ChildPath $CustomVaultName
$VaultParam = @{RootPath = $vaultPath.ToLower(); CreatePath = $true; BypassEFS = $true }
Set-ACMEVaultProfile -ProfileName $CustomVaultName -Provider local -VaultParameters $VaultParam -Force
Initialize-ACMEVault -VaultProfile $CustomVaultName -Force
# Initialize-ACMEVault
New-ACMERegistration -Contacts mailto:$my_email -AcceptTos -VaultProfile $CustomVaultName
and then add -VaultProfile $CustomVaultName to all subsequently used ACME functions, like:
Submit-ACMECertificate -CertificateRef $SANcert_alias -VaultProfile $CustomVaultName
New-ACMEIdentifier -VaultProfile $CustomVaultName -Dns $FQDN -Alias $FQDN
Regards
Cool -- yeah, I think that will solve everyone's problem. Whether the root cause is that you're using a version of Windows that doesn't support EFS, or you require elevated privileges due to GPO policy or whatever, you can bypass EFS altogether, as described here.
I'm going to close this out now, if anyone finds this is not the solution or root cause of their problem, you can reopen and provide more details.
In case it helps anyone else, I was getting this error even though I'm on Windows 10 Pro. If you are on a domain PC then check your default group policy and look for:
Computer Config > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
If there is an expired certificate listed there you can just right click > create data recovery agent and select an admin account. A new certificate should be created and you can run gpupdate on your pc and re-run the 'Submit-ACMECertificate' with a new alias. Worked for me anyway.
Hi, I got this error when I attempted to submit the generated certificate.
PS C:\Windows\system32> Submit-ACMECertificate propcert
Submit-ACMECertificate : Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEY
At line:1 char:1
When I run it again I get:
PS C:\Windows\system32> Submit-ACMECertificate propcert
Submit-ACMECertificate : asset file already exists
At line:1 char:1