glatzert / ACME-Server-ADCS

ACME (RFC 8555) Server compatible implementation, connecting to Active Directory Certificate Services (ADCS)

Exception has been raised during certificate issuance. #19

Closed Seyfle closed 8 months ago

Seyfle commented 11 months ago

Hello,

After I install and configure ACME-Server-ADCS I get this error in the logs and I don't know where it comes from. Has anyone had this error and can help resolve it?

Thanks in advance!

glatzert commented 11 months ago

First, you can take a look into the Event log of the web server - it might contain further information. Second, you should take a look into the ADCS server event and security logs - they'll tell you why it won't issue certificates.

Seyfle commented 11 months ago

Thanks for your reply, but I have nothing in my web server log, and I'm gonna take a look in the ADCS logs.

I'll come back to you when I have more information :)

Seyfle commented 11 months ago

I have my answer: it's the user that can't create the certificate. To change the user that makes the request, do I need to modify the user in the IIS App Pool?

Thanks.

glatzert commented 11 months ago

Exactly - the AppPoolIdentity is used for all requests to the ADCS and thus needs proper permissions.

Seyfle commented 11 months ago

Hello, I have changed the account in the App Pool configuration, but now I have the same error and I don't get any ADCS logs anymore.

Is this normal ?

glatzert commented 11 months ago

Does ACME-ADCS still run with the new Identity? You should be able to request the path '/' for the service description. Also, ACME-ADCS will log rather extensively if you enable debug logging - but the account needs proper write permissions for your logging target. If nothing helps, ASP.NET Core will (most times) log into the event log. If that also does not help, you can redirect the stdout of ASP.NET Core via web.config.
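An added PowerShell diagnostic that walks through the checks in the comment above. It is not part of ACME-Server-ADCS: the base URL `http://svname` is the placeholder host name used later in this thread, and running elevated on the IIS host with the WebAdministration module is an assumption. It fetches the ACME directory at `/`, reports which Windows account each IIS application pool runs as (the account that submits requests to the CA), and lists recent IIS/ASP.NET Core errors from the Application event log.

```powershell
# Added diagnostic script; not part of ACME-Server-ADCS.
# Assumptions: the ACME-ADCS site answers at $BaseUrl (placeholder host name),
# and the script runs elevated on the IIS host with the WebAdministration module.
param(
    [string]$BaseUrl = "http://svname"
)

# 1. Is the site serving under the current app pool identity? The ACME directory
#    at "/" must answer; a failure here points at the identity/startup, not at ADCS.
try {
    $directory = Invoke-RestMethod -Uri "$BaseUrl/" -Method Get -ErrorAction Stop
} catch {
    Write-Warning "Directory request failed: $($_.Exception.Message)"
    Write-Warning "The site is not serving; check the app pool identity and the event log entries below."
    $directory = $null
}

if ($directory) {
    "ACME directory endpoints:"
    $directory.PSObject.Properties |
        Where-Object { $_.Name -ne 'meta' } |
        ForEach-Object { "  {0,-12} {1}" -f $_.Name, $_.Value }
    # externalAccountRequired=false: clients may create accounts without an
    # external account binding (RFC 8555 section 7.1.1); it is unrelated to ADCS permissions.
    "externalAccountRequired: $($directory.meta.externalAccountRequired)"
}

# 2. Which Windows account does each app pool run as? This account performs the
#    CCertRequest::Submit call and therefore needs Enroll on the template.
Import-Module WebAdministration -ErrorAction Stop
"`nApplication pool identities:"
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm = $_.processModel
    "  {0,-25} {1,-22} {2}" -f $_.Name, $pm.identityType, $pm.userName
}

# 3. Recent IIS / ASP.NET Core errors from the Application log (last 24 hours).
"`nRecent IIS/ASP.NET Core errors:"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*AspNetCore*' -or $_.ProviderName -like 'IIS*' } |
    Select-Object -First 10 -Property TimeCreated, ProviderName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If neither the application's own log nor the event log shows anything, the stdout redirect the comment mentions is the `stdoutLogEnabled="true"` / `stdoutLogFile` attributes on the `<aspNetCore>` element in web.config; the app pool account needs write permission to that log folder, just as it does for the application's own logging target.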

Seyfle commented 11 months ago

When I call "/" I get this: {"newNonce":"http://svname/new-nonce","newAccount":"http://svname/new-account","newOrder":"http://svname/new-order","meta":{"externalAccountRequired":false}}

Can I ask you what "externalAccountRequired" means?

I think it might be the problem?

And yes, my app still runs with my account (for the moment), which has the right to write to the template that I gave it.

In the app log I get this: {"@t":"2023-10-19T07:02:59.1274635Z","@m":"Try to issue certificate for CSR: CSR HERE","@i":"317fe2e9","@l":"Debug","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"} {"@t":"2023-10-19T07:02:59.2202465Z","@m":"Exception has been raised during certificate issuance.","@i":"34777d5d","@l":"Error","@x":"System.ArgumentException: CCertRequest::Submit: Paramètre incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)\r\n at CERTCLILib.CCertRequestClass.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)\r\n at TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer.IssueCertificate(String csr, CancellationToken cancellationToken)

glatzert commented 11 months ago

Hm - the message is very broad. Nevertheless, I would assume that to be showing up at the ADCS (at least in debug logs?). The only thing I found with my GoogleFu was a hint that the template might not be correct.

Perhaps you can log on as that user and check if you would be able to get that certificate via mmc (to make sure the user / certificate are a valid combination)?

Seyfle commented 11 months ago

I'll try that and come back to you.

Thanks for the help !

Seyfle commented 11 months ago

Hello,

After trying with an account that has all privileges, I still can't issue the cert with ACME. I think it is because of the CSR, or fields that are not completed in the ADCS, because I get the same error.

Do you know how I should configure this template?

glatzert commented 11 months ago

I've always been using a copy of the Web Server template and that worked fine, IIRC (I used ACME-PS for general testing, but also made sure it works with certbot here). It might be possible that you need a CN, which is not necessarily set by e.g. certbot (or a template that does not require a CN to be present).

siegy22 commented 11 months ago

Running into the same issue. Windows Server 2022, ACME-ADCS 1.0.3-beta, Dotnet 6 LTS.

System.ArgumentException: CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)\r\n   at CERTCLILib.CCertRequestClass.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)\r\n   at TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer.IssueCertificate(String csr, CancellationToken cancellationToken) in E:\\Dev\\ACME-Server-ADCS\\src\\ACME.CertProvider.ADCS\\CertificateIssuer.cs:line 37","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CertificateIssuer"}

Tried it with cert-manager and acme.sh

When setting up I assume I'm doing the right thing by setting the user in the pool's identity option, right?


I tried manually signing the CSR using certreq -submit -attrib CertificateTemplate:Webserver as same user that was set in the IIS identity field. That worked for me. 🤔
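An added PowerShell helper that separates a template problem from an ACME-ADCS problem in the way this comment does. It is not the project's code; the CA configuration string, file paths and template name are placeholders (the template name `Webserver` is the one used in the comment). It dumps the CSR with certutil to show whether the Subject carries a CN and which SAN DNS names are present, then submits the same CSR with certreq under the same template attribute. Run it as the account configured as the app pool identity.

```powershell
# Added helper; not part of ACME-Server-ADCS.
# Assumptions: certutil/certreq are on PATH, $CsrPath is a PKCS#10 request file,
# $CaConfig is the "CAHOST\CA Name" string of your issuing CA (placeholder),
# and $Template matches the template name the ACME server is configured with.
param(
    [string]$CsrPath  = ".\request.csr",
    [string]$CaConfig = "CAHOST\Example-Issuing-CA",
    [string]$Template = "Webserver",
    [string]$OutCert  = ".\issued.cer"
)

# 1. Inspect the request: does the Subject carry a CN, and which SANs are present?
#    Parsing certutil's text output is a convenience, not a stable API.
$dump = & certutil -dump $CsrPath 2>&1 | Out-String
$cn   = [regex]::Matches($dump, '(?m)^\s*CN=(.+?)\s*$')       | ForEach-Object { $_.Groups[1].Value }
$sans = [regex]::Matches($dump, '(?m)^\s*DNS Name=(.+?)\s*$') | ForEach-Object { $_.Groups[1].Value }

if ($cn)   { "Subject CN : $($cn -join ', ')" }
else       { "Subject CN : <none> (a template that requires a CN will reject this request)" }
if ($sans) { "SAN DNS    : $($sans -join ', ')" }
else       { "SAN DNS    : <none>" }

# 2. Submit the identical CSR outside ACME-ADCS with the same template attribute.
#    Success here means the account/template pair is fine and the difference lies in
#    how the ACME server builds its request; failure points at the CA or template side.
& certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $OutCert
if ($LASTEXITCODE -eq 0) {
    "certreq succeeded; certificate written to $OutCert"
} else {
    "certreq failed with exit code $LASTEXITCODE; check the CA's Failed Requests view and the Security log for the submitting account"
}
```

A CSR with no Subject CN is the case the later comments discuss: the server has to be told to accept it (the `AllowEmptyCN` setting named further down the thread) or the template must not require a CN, so the first half of the output tells you which of the two you are dealing with before you touch any configuration.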

glatzert commented 11 months ago

That seems fine - I'll add a line of logging to be sure the attributes for the request are properly set (V1.0.4).

siegy22 commented 11 months ago

After updating to 1.0.4 I now have the same behavior as described in: https://github.com/glatzert/ACME-Server-ADCS/issues/14

(Also: yes also using acme.sh for testing purposes)

glatzert commented 11 months ago

You need to specifically allow empty CNs via config.


siegy22 commented 10 months ago

I don't get it, why would that be needed? acme.sh is setting the cname in the CSR. And also, it doesn't fix anything setting "AllowEmptyCN": to true/false.

Seyfle commented 8 months ago

Hello, after updating to 1.0.4 I get this error: "Detected TGIT.ACME.Protocol.Model.Exceptions.MalformedRequestException. Converting to BadRequest.". It happens when requesting the "/new-order" path. Does this have a link with the current issue?

Seyfle commented 8 months ago

Never mind, it was a dumb configuration error... The model name was invalid.

Thanks for the help anyways. Have a good day !

glatzert commented 8 months ago

Hi there, I'm happy I could help by doing nothing 😄 But very good, it's working for you again.