ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/

Cert failing to submit #286

Closed unlikemikeshmay closed 7 years ago

unlikemikeshmay commented 7 years ago

Hi , i got this error when i attempted to submit the generated certificate.

PS C:\Windows\system32> Submit-ACMECertificate propcert
Submit-ACMECertificate : Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEY
At line:1 char:1

when i run it again i get -

PS C:\Windows\system32> Submit-ACMECertificate propcert
Submit-ACMECertificate : asset file already exists
At line:1 char:1

ebekker commented 7 years ago

I assume this was run against the PROD Let's Encrypt service, not their STAGING service, correct? The reason I ask is over the last couple of days, I know their STAGING service was experiencing some intermittent issues that resulted in returning HTTP 500 errors. I'm not sure if they have all been cleared up -- but the automated build system was running into them as well over the last couple of days while it was trying to run unit tests.

Assuming that you are not going against STAGE, the error that was originally thrown, UnauthorizedAccessException, indicates that you are having permission problems saving the private key to the system vault.

Did you switch users in between validating the DNS name and creating the certificate? Did you switch from an elevated (Admin) user to a non-admin user? Or possibly, did you open up a file (for example, to peek inside) in the vault directory, but didn't close it?

unlikemikeshmay commented 7 years ago

I have been running in elevated PowerShell the whole time. I did however open the vault directory to look, but I closed it. I just restarted my computer and started elevated PowerShell again to retry. Here is what I have. BTW, thank you for responding.

PS C:\Windows\system32> Update-ACMEIdentifier dns2

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : my.domain.com
Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/VITeQEM2PQK9n35L7TJCa0CqKIWWjPkx8tnp4TQgg0Q
Status         : valid
Expires        : 2017-09-21 1:25:43 PM
Challenges     : {, , }
Combinations   : {0, 2, 1}

PS C:\Windows\system32> Submit-ACMECertificate propcert
Submit-ACMECertificate : asset file already exists
At line:1 char:1

ebekker commented 7 years ago

It seems the Vault has been wedged into some inconsistent state. Based on your first error, it looks like there was a problem creating the private key export (PEM) file, which in your case is located at C:\ProgramData\ACMESharp\sysVault\45-KEY. This could have happened if the vault was able to create this intermediate file, but didn't successfully record doing so, so it keeps trying to do it and finds the expected file already exists.

You can do one of two things: just forget about this certificate and start a new one (New-ACMECertificate) for the same DNS name. These certs are cheap :-)

Alternatively, you can try to fix this one -- I would look in this 45-KEY folder and see if you have any files in there (if this is your first and only certificate, there should be only one). Rename the file to move it out of the way, and then try again.

unlikemikeshmay commented 7 years ago

I made many new certificates. I also notice that there are no files in the 45-keypm folder.

PS C:\Windows\system32> New-ACMECertificate dns1 -Generate -Alias cert6

Id                       : 4bf5feca-fec1-4830-9b02-9cdfaaad41c7
Alias                    : cert6
Label                    :
Memo                     :
IdentifierRef            : 49033042-aa31-4ed7-958a-dd36fedf0f77
IdentifierDns            : my.domain.com
AlternativeIdentifierDns :
KeyPemFile               :
CsrPemFile               :
GenerateDetailsFile      : 4bf5feca-fec1-4830-9b02-9cdfaaad41c7-gen.json
CertificateRequest       :
CrtPemFile               :
CrtDerFile               :
IssuerSerialNumber       :
SerialNumber             :
Thumbprint               :
Signature                :
SignatureAlgorithm       :

PS C:\Windows\system32> Submit-ACMECertificate cert6
Submit-ACMECertificate : Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem' is denied.
At line:1 char:1

ebekker commented 7 years ago

That's very puzzling. This part of the error message Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem' is denied seems to indicate some access problem with that path.

Can you see if you can manually create files in that path:

ebekker commented 7 years ago

I believe you already confirmed that the folder already exists, it's just empty, correct?

unlikemikeshmay commented 7 years ago

Yeah, it's just empty, the files don't exist, and system files and hidden items are visible. I was able to create those two files with

PS> echo "foo" > 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.txt'
PS> echo "foo" > 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\4bf5feca-fec1-4830-9b02-9cdfaaad41c7-key.pem'

so it's not a folder permission issue.

ebekker commented 7 years ago

That's weird, I think the real issue is being masked. Let's see if the error actually holds the real culprit. Can you reproduce the error again, and then immediately after, run this block of PS:

& {
 $ex = $Error[0].Exception
 while ($ex) {
   "EX: $($ex.Message)"
   "    $($ex.StackTrace)"
   $ex = $ex.InnerException
 }
 }

It will produce a lot of verbose output, but you can paste it in verbatim or dump it to a file and drag-n-drop it to this issue to attach the file. Thanks!

unlikemikeshmay commented 7 years ago

Nothing seems to have changed.

PS C:\Windows\system32> & {
 $ex = $Error[0].Exception
 while ($ex) {
   "EX: $($ex.Message)"
   "    $($ex.StackTrace)"
   $ex = $ex.InnerException
 }
 }
EX: Access to the path 'C:\ProgramD
   at System.IO.__Error.WinIOEr
   at System.IO.FileStream.Init(Str t)
   at System.IO.FileStream..ctor(St
   at System.IO.File.Create(String
   at ACMESharp.Vault.Providers.Loc
   at ACMESharp.POSH.SubmitCertific
   at System.Management.Automation.
PS C:\Windows\system32>

unlikemikeshmay commented 7 years ago

PS C:\Windows\system32> & {
 $ex = $Error[0].Exception
 while ($ex) {
   "EX: $($ex.Message)"
   "    $($ex.StackTrace)"
   $ex = $ex.InnerException
 }
 }
EX: Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\ec36d562-51a2-4d5f-9fff-f8c0cb952a89-key.pem' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at System.IO.File.Create(String path, Int32 bufferSize, FileOptions options)
   at ACMESharp.Vault.Providers.LocalDiskVault.CreateAsset(VaultAssetType type, String name, Boolean isSensitive, Boolean getOrCreate) in C:\projects\acmesharp\ACMESharp\ACMESharp.Vault\Providers\LocalDiskVault.cs:line 250
   at ACMESharp.POSH.SubmitCertificate.ProcessRecord() in C:\projects\acmesharp\ACMESharp\ACMESharp.POSH\SubmitCertificate.cs:line 109
   at System.Management.Automation.CommandProcessor.ProcessRecord()
PS C:\Windows\system32>

ebekker commented 7 years ago

Is this on Windows 10? Is it Home edition?

Try this test and see if you get the same error:

# Create a file in the vault folder with the EFS "Encrypted" option, exactly as the vault does for sensitive assets
$x = [System.IO.File]::Create('C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc', 100, "Encrypted")
$x.WriteByte(65)
$x.Close()
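The one-line test above only tells you whether the encrypted create fails. The following script is an added example (not ACMESharp's code, and not from this thread) that turns it into a discriminating probe: it first creates a plain file, then a file with FileOptions.Encrypted (the same File.Create overload that appears in the stack trace), and reports whether the failure is an ordinary NTFS permission problem or specific to EFS. The probe file name and the default vault path are assumptions; point it at the folder named in your own error message.

```powershell
# Added diagnostic, not part of ACMESharp. Distinguishes "cannot write here at all" (ACL)
# from "cannot write an EFS-encrypted file here" (EFS unsupported or blocked by policy).
function Test-VaultEfs {
    param([Parameter(Mandatory)][string]$VaultDir)

    if (-not (Test-Path -LiteralPath $VaultDir -PathType Container)) {
        return [pscustomobject]@{ Path = $VaultDir; Result = 'MissingDirectory'; Detail = 'Folder does not exist' }
    }

    # Throw-away probe file; the name is an assumption and is removed again below.
    $probe = Join-Path $VaultDir ("efs-probe-{0}.tmp" -f [guid]::NewGuid())

    # Step 1: plain create. If this fails, it is an ordinary NTFS permission problem, not EFS.
    try {
        $fs = [System.IO.File]::Create($probe)
        $fs.Close()
        Remove-Item -LiteralPath $probe -Force
    } catch {
        return [pscustomobject]@{ Path = $VaultDir; Result = 'AclDenied'; Detail = $_.Exception.GetBaseException().Message }
    }

    # Step 2: encrypted create, the File.Create(path, bufferSize, FileOptions) overload seen in
    # the stack trace. Plain create succeeding but this failing points at EFS.
    try {
        $fs = [System.IO.File]::Create($probe, 4096, [System.IO.FileOptions]::Encrypted)
        $fs.WriteByte(65)
        $fs.Close()
        $attrs = (Get-Item -LiteralPath $probe -Force).Attributes
        $encrypted = $attrs.HasFlag([System.IO.FileAttributes]::Encrypted)
        Remove-Item -LiteralPath $probe -Force
        if ($encrypted) {
            return [pscustomobject]@{ Path = $VaultDir; Result = 'EfsOk'; Detail = 'Encrypted file created and Encrypted attribute set' }
        }
        # File was created but not marked encrypted: the vault would store the key in plaintext.
        return [pscustomobject]@{ Path = $VaultDir; Result = 'EfsSilentlyIgnored'; Detail = 'File created but not marked Encrypted' }
    } catch {
        # Causes discussed in this thread: a Windows edition without EFS (e.g. Home), or a
        # domain EFS policy (expired data recovery agent certificate) refusing new encrypted files.
        return [pscustomobject]@{ Path = $VaultDir; Result = 'EfsDenied'; Detail = $_.Exception.GetBaseException().Message }
    }
}

# Run from an elevated PowerShell session, same as the ACMESharp cmdlets.
Test-VaultEfs -VaultDir 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM' | Format-List
```

A result of AclDenied means the fix is on the folder's permissions; EfsDenied means the folder is fine and EFS itself is the problem (an EFS bypass or a policy fix is needed); EfsSilentlyIgnored is worth knowing about because the vault's private keys would then be sitting on disk unencrypted even though no error is raised.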

ebekker commented 7 years ago

I suspect this is the issue.

GrzegorzUt commented 7 years ago

Hi

Identical error on "Windows 2012 R2"

PS C:\Windows\system32> $x = [System.IO.File]::Create('C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc', 100, "Encrypted")
Exception calling "Create" with "3" argument(s): "Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc' is denied."
At line:1 char:1

Result from PowerShell (elevated mode) for:

$x = [System.IO.File]::Create('C:\ProgramData\ACMESharp\sysVault\45-KEYPM\foo.enc', 100, "Encrypted")
$x.WriteByte(65)
$x.Close()

Regards

EagleIJoe commented 7 years ago

I am getting this issue as well. Any more insights needed to debug and solve this?

GrzegorzUt commented 7 years ago

Hi

I solved this problem temporarily by creating a custom vault in the C:\CertificateVault folder.

extract from code

$CustomVaultName = "yourVaultName"

$CustomVaultRootPath = "C:\CertificateVault"
$vaultPath = Join-Path -Path $CustomVaultRootPath -ChildPath $CustomVaultName

$VaultParam = @{RootPath = $vaultPath.ToLower(); CreatePath = $true; BypassEFS = $true }

Set-ACMEVaultProfile -ProfileName $CustomVaultName -Provider local -VaultParameters $VaultParam -Force

Initialize-ACMEVault -VaultProfile $CustomVaultName -Force

# Initialize-ACMEVault
New-ACMERegistration -Contacts mailto:$my_email -AcceptTos -VaultProfile $CustomVaultName

and then add -VaultProfile $CustomVaultName to all next used ACME functions

like

Submit-ACMECertificate -CertificateRef $SANcert_alias -VaultProfile $CustomVaultName

New-ACMEIdentifier -VaultProfile $CustomVaultName -Dns $FQDN -Alias $FQDN

Regards
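The BypassEFS workaround above gets past the error, but it also means the vault's private keys are written to disk without EFS protection. As an added example (my own script, not ACMESharp's code and not from the comment above), the following sets up the same custom vault but first breaks ACL inheritance on the vault root and grants access only to SYSTEM and Administrators, so the plaintext keys are at least not readable by other local users. The profile name, root path and contact address are placeholders; the RootPath, CreatePath and BypassEFS vault parameters and the cmdlet names are the ones used in the thread.

```powershell
# Added example, not ACMESharp's own code. Hardened variant of the BypassEFS custom vault:
# lock the folder down with an explicit NTFS ACL *before* any key material is written to it.
$CustomVaultName     = 'yourVaultName'          # placeholder
$CustomVaultRootPath = 'C:\CertificateVault'     # placeholder
$my_email            = 'you@example.com'         # placeholder contact for the ACME registration
$vaultPath           = Join-Path -Path $CustomVaultRootPath -ChildPath $CustomVaultName

# 1. Create the vault root and restrict it: disable inheritance, discard inherited rules,
#    then allow only SYSTEM and Administrators (inherited by subfolders and files).
New-Item -ItemType Directory -Path $vaultPath -Force | Out-Null
$acl = Get-Acl -LiteralPath $vaultPath
$acl.SetAccessRuleProtection($true, $false)      # $true = block inheritance, $false = drop inherited ACEs
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $vaultPath -AclObject $acl

# 2. Point ACMESharp at the locked-down folder with EFS bypassed (parameters as in the thread).
$VaultParam = @{ RootPath = $vaultPath.ToLower(); CreatePath = $true; BypassEFS = $true }
Set-ACMEVaultProfile -ProfileName $CustomVaultName -Provider local -VaultParameters $VaultParam -Force
Initialize-ACMEVault -VaultProfile $CustomVaultName -Force
New-ACMERegistration -Contacts "mailto:$my_email" -AcceptTos -VaultProfile $CustomVaultName

# 3. Verify: only SYSTEM and Administrators should be listed. Anything else (Users,
#    Authenticated Users) means the private keys are readable by non-admin accounts.
(Get-Acl -LiteralPath $vaultPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it from the same elevated session you use for the ACMESharp cmdlets; because the vault profile records the path, every later call still needs -VaultProfile $CustomVaultName as described in the comment above. If a scheduled task or service account will renew certificates, add that specific account to the loop in step 1 rather than widening the ACL to a group.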

ebekker commented 7 years ago

Cool -- yeah, I think that will solve everyone's problem. Whether the root cause is that you're using a version of Windows that doesn't support EFS, or you require elevated privileges due to GPO policy or whatever, you can bypass EFS altogether, as described here.

I'm going to close this out now, if anyone finds this is not the solution or root cause of their problem, you can reopen and provide more details.

martin-cdx commented 6 years ago

In case it helps anyone else, I was getting this error even though I'm on Windows 10 Pro. If you are on a domain PC then check your default group policy and look for:

Computer Config > Windows Settings > Security Settings > Public Key Policies > Encrypting File System

If there is an expired certificate listed there you can just right click > create data recovery agent and select an admin account. A new certificate should be created and you can run gpupdate on your pc and re-run the 'Submit-ACMECertificate' with a new alias. Worked for me anyway.