glatzert / ACME-Server-ADCS

ACME (RFC 8555) Server compatible implementation, connecting to Active Directory Certificate Services (ADCS)

Set up to ACME-Server-ACDS #1

Closed kamelbenmoussa closed 4 months ago

kamelbenmoussa commented 3 years ago

Hello,

I want to set up Server ACDS for ACME for my Windows 2019 server, but I did not understand how to set it up with the instructions on the forum.

Do you have any documentation or installation instructions that can help me? Thank you

Best regards, Kamel

georg-x commented 2 years ago

Hello,

I also think the installation instructions could be dramatically improved. Do you think ACDSIssuer is a typo? I guess it should be ADCSIssuer instead...

Kind Regards, Georg

glatzert commented 2 years ago

Essentially the installation instructions are not written, yet. I do not have the time to push this currently, nevertheless, I've been working with @kamelbenmoussa to get it up and write down the process to get there. Also the software might not run with all clients, yet (it should do with certbot).

Please be aware that the current licence is CC BY-NC-ND, which means NO usage in commercial settings and NO changes to code in forks. The final license will probably be RPL + a commercial license (dual licensed).

unsureman commented 1 year ago

Hello,

I tried to set this up on a Win 2016 and have a question about the IIS preparation. With "Modify IIS-AppPool", do you mean setting the DefaultAppPool values (.NET CLR Version = No Managed Code) and (Identity = NetworkService)?

My certbot gets stuck requesting a certificate for my domain.

glatzert commented 1 year ago

You can set the default AppPool values of your server if you like, but I don't know if existing AppPools will inherit that. Nevertheless, the AppPool that runs the ACME server does not need managed code (.NET Core is loaded via a module), but it does need an identity that can access the network and the ADCS server, so IISAppPoolUser will probably not work. NetworkService will identify itself as the machine account of the server.

A certbot that is stuck is somewhat difficult to debug, since it should either fail or succeed. It should write some logs if it fails with anything.

nwlterry commented 1 year ago

Hello,

I've tried to set up the server on both Win 2016 and 2019 servers by following the guide, but I get HTTP 500.19 with the detail below.

Detailed Error Information:
  Module:         IIS Web Core
  Notification:   Unknown
  Handler:        Not yet determined
  Error Code:     0x8007000d
  Config Error:
  Config File:    \\?\C:\inetpub\wwwroot\web.config
  Requested URL:  http://localhost:80/
  Physical Path:
  Logon Method:   Not yet determined
  Logon User:     Not yet determined

Config Source: -1: 0:

glatzert commented 1 year ago

That might indicate something is missing during installation.

Check:
1) Open the configuration editor (most times the lower-left icon) in the IIS Management Console while having the application selected; this might show you a more specific error.
2) That the ASP.NET Core hosting bundle for IIS is installed properly (check cmd> dotnet --info).

nwlterry commented 1 year ago

Hello,

When I opened the configuration editor, the error "The data is invalid. (Exception from HRESULT: 0x8007000D)" popped up.

And below is the ASP.NET info output:

.NET SDK (reflecting any global.json):
 Version:   6.0.408
 Commit:    0c3669d367

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.14393
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.408\

global.json file:
  Not found

Host:
  Version:      6.0.16
  Architecture: x64
  Commit:       1e620a42e7

.NET SDKs installed:
  6.0.408 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Download .NET:
  https://aka.ms/dotnet-download

Learn about .NET Runtimes and SDKs:
  https://aka.ms/dotnet/runtimes-sdk-info

glatzert commented 1 year ago

Install the LTS Version of .NET. You'll need the hosting bundle from the .NET Runtime section.

I'm not 100% sure if the SDK installs the hosting bundle in the way IIS expects it (the cmd output tells you that you installed the SDK).

nwlterry commented 1 year ago

> Install the LTS Version of .NET. You'll need the hosting bundle from the .NET Runtime section.
>
> I'm not 100% sure, if the SDK installs the hosting bundle in the way IIS expects it (the cmd output tells you installed the SDK).

Thanks, I just installed the hosting bundle and it's normal now.

{"newNonce":"http://localhost/new-nonce","newAccount":"http://localhost/new-account","newOrder":"http://localhost/new-order","meta":{"externalAccountRequired":false}}

hoa2023 commented 1 year ago

Thank you. I read over your notes here. This is how I set it up with Windows IIS:
1) Install .NET Framework v6 and the web host v6 (dotnet-hosting-6.0.23).
2) Application Pools: .NET CLR Version: No Managed Code; Identity: Domain Account (whichever is allowed to issue certificates).
3) Restart the web server.
4) Browse to it: you should see "{"newNonce":"http://localhost/new-nonce","newAccount":"http://localhost/new-account","newOrder":"http://localhost/new-order","meta":{"externalAccountRequired":false}}"

My Linux: I installed Debian, Apache, Certbot and all dependencies (make sure the website is set up and works before you try to request a certificate from your CA), and this is the command I use: certbot --server http://server.local and it works perfectly.

Thank you again.
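A PowerShell check for the IIS steps discussed in this thread (hosting bundle present, AppPool set to No Managed Code with a network-capable identity, ACME directory reachable), added here as an example and not code from the project or from any participant. The pool name 'AcmeServer' and the directory URL are placeholders.

```powershell
# Added example (not the project's own code): verify the IIS prerequisites
# this thread walks through and check the ACME directory the server publishes.
# Assumptions: the site runs in an AppPool named 'AcmeServer' and the
# directory is served at http://localhost/ (both placeholders).
param(
    [string]$PoolName     = 'AcmeServer',
    [string]$DirectoryUrl = 'http://localhost/'
)
Import-Module WebAdministration

# 1) The ASP.NET Core hosting bundle registers the AspNetCoreModuleV2 global
#    module in IIS; the SDK alone (what 'dotnet --info' reported above) does not.
if (-not (Get-WebGlobalModule -Name AspNetCoreModuleV2)) {
    throw "AspNetCoreModuleV2 missing: install the .NET hosting bundle, not just the SDK"
}

# 2) No managed code (the module loads .NET itself) and an identity that can
#    reach the network and ADCS. NetworkService authenticates as the machine
#    account, so that computer account is what must be allowed to enroll.
$pool = "IIS:\AppPools\$PoolName"
Set-ItemProperty $pool -Name managedRuntimeVersion -Value ''
Set-ItemProperty $pool -Name processModel.identityType -Value 'NetworkService'
Restart-WebAppPool -Name $PoolName   # 3) restart so the pool picks up the changes

# 4) The ACME directory (RFC 8555 section 7.1.1) must expose the newNonce,
#    newAccount and newOrder resources; a 500.19 or HTML error page fails
#    here instead of leaving a client silently hanging.
$dir = Invoke-RestMethod -Uri $DirectoryUrl -Method Get
foreach ($key in 'newNonce', 'newAccount', 'newOrder') {
    if (-not $dir.$key) { throw "ACME directory is missing '$key'" }
    if ($dir.$key -notmatch '^https://') {
        Write-Warning "$key is served over plain HTTP; RFC 8555 expects HTTPS outside a lab"
    }
}
"ACME directory OK: $($dir | ConvertTo-Json -Compress)"
```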