ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/

Submit-ACMECertificate : Access to the path is denied. #334

Closed alexhass closed 4 years ago

alexhass commented 6 years ago

I think I made everything correct, but nothing works. I'm Administrator... no way that there is access denied.

> New-ACMECertificate -IdentifierRef 'www.example.com1' -Generate -Alias 'SAN1_www.example.com'

Id                       : [my id]
Alias                    : SAN1_www.example.com
Label                    :
Memo                     :
IdentifierRef            : [my ref]
IdentifierDns            : www.example.com
AlternativeIdentifierDns :
KeyPemFile               :
CsrPemFile               :
GenerateDetailsFile      : [myref]-gen.json
CertificateRequest       :
CrtPemFile               :
CrtDerFile               :
IssuerSerialNumber       :
SerialNumber             :
Thumbprint               :
Signature                :
SignatureAlgorithm       :
RevokedAt                :

> Submit-ACMECertificate 'SAN1_www.example.com'
Submit-ACMECertificate : Access to the path
'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\[myref]-key.pem' is denied.
At line:1 char:1
+ Submit-ACMECertificate 'SAN1_www.example.com'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,ACMESharp.POSH.SubmitCertificate

> Submit-ACMECertificate 'SAN1_www.example.com'
Submit-ACMECertificate : asset file already exists
At line:1 char:1
+ Submit-ACMECertificate 'SAN1_www.example.com'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], IOException
    + FullyQualifiedErrorId : System.IO.IOException,ACMESharp.POSH.SubmitCertificate

alexhass commented 6 years ago

Let me note there is NO pem file on disk what may cause the misleading error message.

dwc035 commented 6 years ago

same problem here ... makes it difficult to get cert if it's not being created in the vault :(

edwardforgacs commented 6 years ago

Been having this issue for months but only on some machines, it seems the only workaround is to manually create the file.

dwc035 commented 6 years ago

ummm ok - how do you manually create the file?

edwardforgacs commented 6 years ago

Create a blank text file in the location. Further to the above I suspect the issue is EFS as documented here - but I am not aware of it being disabled on the domain.

Creating a vault profile as described here with EFS off also works, but only with the latest version of ACMESharp. https://pkisharp.github.io/ACMESharp-docs/Local-Vault-EFS.html

regexaurus commented 6 years ago

Same problem here, with ACMESharp 0.9.1.326:

Submit-ACMECertificate -CertificateRef =9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2
Submit-ACMECertificate : Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem' is denied.

And if I manually create the file and reattempt submitting the certificate:

New-Item 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem' -ItemType File

Directory: C:\ProgramData\ACMESharp\sysVault\45-KEYPM

Mode        LastWriteTime       Length      Name
----        -----------------   ------      ----
-a----      7/3/2018 6:42 PM    0       9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem

Submit-ACMECertificate -CertificateRef =9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2
Submit-ACMECertificate : asset file already exists

Never mind, I got it working. At first, I misunderstood the earlier comments regarding EFS to indicate that a system with EFS enabled is symptomatic of the problem, when instead, EFS needs to be functioning for Submit-ACMECertificate to work correctly.
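
A way to separate a plain ACL problem from an EFS problem in the vault key folder, added here as an example and not part of the original thread or the ACMESharp project. It assumes, as the comments above suggest, that the failure comes from EFS being unable to encrypt the new key file; `Test-VaultEfs` and the probe file name are hypothetical, and the folder path is the one from the error messages.

```powershell
# Added example (not from the thread): probe write access and EFS in the vault key folder.
function Test-VaultEfs {
    param(
        # Key folder as it appears in the error messages quoted in this thread.
        [string]$Directory = 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM'
    )
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Vault key folder not found: $Directory"
    }
    # Hypothetical scratch file name; removed again in the finally block.
    $probe  = Join-Path $Directory ('efs-probe-{0}.tmp' -f [guid]::NewGuid())
    $result = [pscustomobject]@{
        Directory  = $Directory
        CanWrite   = $false   # plain NTFS write permission
        CanEncrypt = $false   # EFS encryption by the current user
        Error      = $null
        KeyFiles   = @()
    }
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        $result.CanWrite = $true
        # Ask NTFS to EFS-encrypt the file; fails if EFS is disabled or unusable.
        [System.IO.File]::Encrypt($probe)
        $attrs = [System.IO.File]::GetAttributes($probe)
        $result.CanEncrypt = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
    }
    catch {
        # PowerShell wraps .NET exceptions; report the underlying one.
        $ex = $_.Exception.GetBaseException()
        $result.Error = '{0}: {1}' -f $ex.GetType().FullName, $ex.Message
    }
    finally {
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    }
    # Inventory key files: zero-length ones are placeholders from the manual
    # workaround; non-empty ones with Encrypted = False are keys stored in clear.
    $result.KeyFiles = @(Get-ChildItem -LiteralPath $Directory -Filter '*-key.pem' -File |
        Select-Object Name, Length,
            @{ Name = 'Encrypted'
               Expression = { [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } })
    $result
}

Test-VaultEfs | Format-List
```

`CanWrite = True` with `CanEncrypt = False` points at EFS rather than folder permissions. Run it as the same account and in the same elevated session that runs `Submit-ACMECertificate`.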

boojew commented 6 years ago

Same issue - for me, EFS is enabled on all test machines and I still see this

chaami commented 5 years ago

Hi, as an alternative, you can create the file and then submit with the force flag... In your case the following should work:

New-Item 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem' -ItemType File
Submit-ACMECertificate -CertificateRef =9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2 -Force

Kind regards.

BRT917 commented 4 years ago

I'm receiving the same error on a server 2012 R2 system. "Submit-ACMECertificate : Access to the path 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\2d814b3a-6971-496b-966c-620db86c241a-key.pem' is denied."

No files are located in 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM'. I am running in an admin PowerShell window and can create, edit and read files from the window in that path. The JSONs are in C:\ProgramData\ACMESharp\sysVault\40-KEYGN as expected.

BRT917 commented 4 years ago

Here's a bit of a more automated approach on @chaami's comment.

$date = get-date -format yyyyMMddHHmmss
$alias = $cn + $date
New-ACMEIdentifier -Dns $cn -Alias $alias

then

$pempart = Get-ACMEIdentifier |where-object {$_.alias -match $date}|select-object ID
$pem = "C:\ProgramData\ACMESharp\sysVault\45-KEYPM\"+ $pempart.ID + "-key.pem"
new-item -path $pem -ItemType file

It doesn't have to be the date, but adding some type of unique identifier to the alias allows you to grab that ID and automate the creation of the file.