Renewal / Revoke

[joachimcarrein]

The certificates I got are currently 3 months valid. So I tried to find how to do renewals, but didn't find how to do this. I guess the only was is to create a new identifier with a new alias?

Same thing if I would want to revoke the certificate.

Would there be a way to increase the validity?

[ebekker]

Revokes and renewals are not implemented yet, but yes that will be included.

Validity is mostly controlled by LE at this point, they've said they plan on issuing 90-day certs and recommend everyone renews at 60 days. This is regardless of what the requested lifetime of the cert is.

I hope to have renewals in place within that time, working on some infrastructure changes now that will make adding this easier.

[joachimcarrein]

Great, Thanks for the feedback

[nbevans]

Are renewals implemented yet? Also will the challenge need to be updated on the DNS/HTTP during a renewal? Thanks

[ebekker]

No renewals yet. All verified Identifiers have an explicit expiration date when they will need to be re-Challenged and verified. I believe the verification lasts a year or so, and certs are issued for 90 days, so the first few renewals will not necessarily need to be re-verified, but eventually, yes they will need to be updated.

[hmatt843]

ebekker, I'm using Windows Server 2012 R2 and IIS. I used ACMESharp to get a LetsEncrypt certificate for my site, and it worked great, but now I need to revoke it. Is the only way to revoke it really to install Linux on the machine? What are my options? Please help.

[tschmit]

any update according renewal ? thank you for all

[oekarlsson]

I have started an implementation of support for Let's Encrypt certificates in the MSPControl control panel (http://www.mspcontrol.org) using the ACMESharp Powershell modules. It's working, but we eventually need renew for this to be complete. What is the current status of plans for renew support in the Powershell modules?

[skfd]

What is the current workaround for renewal?

[ebekker]

You can simply request a new certificate using the same DNS name as before. If your Identifer (DNS name) has been previously Challenge-approved in less than 12mos (which of course is true for everyone since the LE project is not that old yet), then you don't even have to complete the Challenge again, simply make another cert request for the same domain.

LE will happily issue multiple certs for the same domain name over and over again. Once you get the new cert, you simply replace your old one with the new one in your software (i.e. IIS or whatever you're installing it into).

[colinramsay]

This was incorrect, at least in the beta. There's a rate limit on the number of times you can do this. Either way, it doesn't solve revocation.

On 20 Apr 2016, at 21:42, Eugene Bekker notifications@github.com wrote:

You can simply request a new certificate using the same DNS name as before. If your Identifer (DNS name) has been previously Challenge-approved in less than 12mos (which of course is true for everyone since the LE project is not that old yet), then you don't even have to complete the Challenge again, simply make another cert request for the same domain.

LE will happily issue multiple certs for the same domain name over and over again. Once you get the new cert, you simply replace your old one with the new one in your software (i.e. IIS or whatever you're installing it into).

— You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub

[ebekker]

Correct, neither revocation nor renewal are handled yet.

The original rate limit allowed you to do this 5 times in a 7 day period, and if you're just trying to renew a cert that expired in the default time period, that would mean every 90 days, so that is usually not an issue, but I don't know your situation, it may be a genuine problem. Incidentally, they bumped that limit up to 20 as they exited beta.

[ghost]

Sorry - don't get me wrong - but this a pain in the ass... ACMESharp-POSH is the best and only solution for Windows 2008 with Exchange (multidomain certs). But the renewal is a pain.

And I can't use the same name when I try to do: New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs... - Alias multiNameCert

It says there is already an element with the same name.

Regards, Andreas

[Krummelz]

@ebekker I suggest that you write in big bold letters at the top of your main Readme.md, that the renewals are still a work-in-progress, and which work-arounds can be followed.

You can simply request a new certificate using the same DNS name as before...

I tried your entire Quick-Start process from step 3 onward, but I receive error messages for most of them:

New-ACMERegistration? No error. Returns the PublicKey, ReoveryKey, etc. as normal New-ACMEIdentifier? An item with the same key has already been added. Complete-ACMEChallenge? No error. Returns same as normal with status = valid Submit-ACMEChallenge? challenge has not been decoded Update-ACMEIdentifier? No error. Returns same as normal with status = valid. New-ACMECertificate? An item with the same key has already been added. Submit-ACMECertificate? asset file already exists

So I try Get-ACMECertificate, export it to Pkcs12 for IIS, replace the old certificate, and upon viewing it, the validity period is exactly the same as the old certificate.

My concern here is that we switch our systems over to full SSL, and when the various certificates expire after 90 days and everything falls over, we're out of business. In the mean time we hurry to switch SSL off again or attempt to "renew" certificates - which actually cannot be done yet.

Could you shed some light on the error messages? Can you also please be specific about the renewal process workaround and which commands one can expect to use?

[stev-0]

This is a good video, which might help to explain: https://www.youtube.com/watch?v=hXKOBKjWhV8&feature=youtu.be

[swinster]

I don't suppose there has been any further movement on renewals? I note that Win-simple has this feature but although I am using Windows (amongst other hosts), we don't actually use IIS, so need to renew the cert in the machine store.

[AHandless]

@swinster actually there is no renew method in ACME protocol. If you request a new certificate for a domain you requested certificate for before, this new certificate is considered a renewal. https://tools.ietf.org/html/draft-ietf-acme-acme-04#section-6.4.2

A certificate resource represents a single, immutable certificate. If the client wishes to obtain a renewed certificate, the client initiates a new application process to request one.

This action is subject to Duplicate Certificate limit which is 5 per week per domain. So you can create a script that just uses the New-ACMECertificate cmdlet and call it "Renew-ACMECertificate".

[ebekker]

The early versions of the ACME protocol actually did account for optional support by the CA for renewals and many moons ago, when an Identifier validation (i.e. a validated DNS name) actually lasted more than a couple of months, it was possible to perform a true renewal, but because that was not necessary to support a working ACME client, it was not initially implemented.

Just as @AHandless indicated, as the ACME spec has evolved, they actually simplified this area and eliminated the renewal support in the protocol, and likewise the actual LE CA implementation shortened the life of an Identifier validation period so that it expires after only a couple of months. Since the validation period is now shorter than the life of an issued certificate, it effectively requires that you re-validate each time you renew your certificate.

(In retrospect, it was a good thing that true renewals were not implemented as that would have been wasted work since it's no longer supported or allowed.)

Renewals are now exactly the same as new requests. You need to validate the Identifier (i.e. the DNS name) with each renewal just as the new request, and then you need to request a new certificate with the validated Identifier. There are numerous references in tickets and the wiki that point you to other folks' work that simplifies this process, either manually through video tutorials or even scripts that will automate this for you.

I do eventually plan on adding native support to the ACMESharp tools to make this process easier, but there is lots of community-provided support already there to make it usable.

[masbicudo]

I am trying to revalidate the domain as you suggested. When using CompleteChallenge, I use Force and Regenerate flags, but the challenge is the same as the previously already validated one (same key and same well-known path). Then I call SubmitChallenge, also with Force. Do I need to complete challenge again? Or just calling SubmitChallenge is enough?

[ebekker]

You need to execute Complete-Challenge again.

[mamama1]

To sum things up - you are saying, that after about 60 days, when the certificate is about to expire within the next 30 days, I have to revalidate my ACMEIdentifier to request a renewal certificate, right?

So to accomplish this, I won't do "New-ACMEIdentifier" again, because I already have one, right? I'll do 1) Complete-ACMEChallenge "myAlias" -ChallengeType whatever -Handler whatever 2) do whatever needs to be done for the challenge to be successful (dns entry or whatever) 3) Submit-ACMEChallenge "myAlias" -ChallengeType whatever 4) wait until status is valid 5) Request new Certificate using New-ACMECertificate and Submit-ACMECertificate as usual

Did I miss something or is this right now the way to go to renew certificates? I have finished automating the request of new certs using DNS challenge (my DNS offers an XML interface I can use with "Invoke-WebRequest") and now I'd like to finish automatic renewal.

thanks

[ebekker]

Read my comments above -- there is really no longer any distinct renewal* operation because of the current expiration times, so you need essentially need to start with the very beginning of the process (except for the account registration) every time, so begin with New-ACMEIdentifier. You can't issue Complete-ACMEChallenge with being presented with a set of challenges which is what New-ACMEIdentifier does.

[mamama1]

so we end up creating new identifiers with some random GUIDs appended every ~60 days? isn't this kind of crappy? is this desired by ACME or just work in progress by ACMESharp?

[JohnLBevan]

Should it help others, here's a couple of blog posts by @mcdurdin with scripts for "renewing" identifiers & certificates for a cert used by IIS:

• https://marc.durdin.net/2016/11/automating-certificate-renewal-with-lets-encrypt-and-acmesharp-on-windows/
• https://marc.durdin.net/2017/02/lets-encrypt-on-windows-redux/

[angelperezleon]

Just throwing my weight behind this too. Posted else where and think this is the best place to get answer on the issue of renewing ACMESharp generated Exchange 2016 certificates. Please advis eon a working .ps1 script we can use to re-validate an existing cert due to expire.

Currently getting:

New-ACMEIdentifier : An item with the same key has already been added.

as per my post here: https://community.letsencrypt.org/t/le-acme-exchange-ps1-exchange-2016-renewal-issues-part-2/42543 & here https://github.com/ebekker/ACMESharp/issues/294

Thanks