ohadschn / letsencrypt-webapp-renewer

[PLEASE USE FREE MS MANAGED CERTS INSTEAD] Simple WebJob-ready console application for renewing Azure Web App SSL certificates
https://www.ohadsoft.com/
Apache License 2.0
282 stars 51 forks

Doesn't update site #42

Closed kijanawoodard closed 6 years ago

kijanawoodard commented 6 years ago

I looked through the closed issues and didn't see this. It could also be something I missed in the docs...

I have a dedicated web app with letsencrypt-webapp-renewer running as a web job. The logs look good and I get an email confirming the new cert. When I go to the web app that needs https, I see the new cert added to the list of certs, but it's not assigned to the web app.

Is this a known limitation? Is there something I can do to make this 100% hands free?

Fwiw, this is so much easier than what I was doing with ssl for free that if I have to go in and manually set the cert, so be it. Thanks for working on this!

ohadschn commented 6 years ago

Hi @kijanawoodard,

The process should be 100% hands-free, that was the intention all along.

Could https://github.com/ohadschn/letsencrypt-webapp-renewer/issues/12 be the issue you're facing? Namely, the cert has actually been bound but the portal needs to be refreshed for this to be reflected in the GUI.

The best way to make sure the certificate has been installed successfully is https://www.ssllabs.com/ssltest/

And thank you for the kind words, you are most welcome!

kijanawoodard commented 6 years ago

My issue looks similar or the same. My site is still using the old cert (clicking through the lock on chrome) and the new cert is in my azure account.

I also notice that I got a new cert on the 15th when my old cert was on the 13th even though I have renew 45 days set.

My best guess is something that the person in the other thread did. The binding has to not be set, at least the first time the web job runs.

I'll try that the next time I can tolerate an outage and am on a machine more powerful than my phone. :-)

kijanawoodard commented 6 years ago

That was it!

For future readers, make sure your web app has no existing bindings before you run the renewer web job.

ohadschn commented 6 years ago

Thanks for figuring it out and sharing!

BTW, note that Chrome can cache the old cert for a while, making you think the new cert isn't served when it in fact is. As I mentioned above, something like SSL Labs would be a better test. Or at least a different browser (I like Firefox for such tests).

kijanawoodard commented 6 years ago

Yeah, I had to wait a bit after disabling the bindings to see that all the sites had ssl removed in chrome. I'll try SSL Labs in the future. Thanks.
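
The check discussed in this thread (confirming which certificate the site actually serves, independent of the portal view and of browser caching), as an added example that is not part of the thread or of the project's code. It assumes you copy the new certificate's SHA-1 thumbprint from the web app's certificate list; the function names, host and thumbprint arguments are illustrative.

```python
import hashlib
import socket
import ssl
import sys


def normalize_thumbprint(text: str) -> str:
    """Normalize 'AB:CD:..', 'ab cd ..' or 'ABCD..' to 40 uppercase hex chars."""
    # Drop separators and the invisible left-to-right mark that Windows
    # certificate dialogs can prepend when a thumbprint is copied.
    cleaned = "".join(ch for ch in text if ch not in ": -\t\u200e").upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {text!r}")
    return cleaned


def thumbprint(der_cert: bytes) -> str:
    """Windows/Azure-style thumbprint: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate the server presents for `host` (via SNI).

    Verification stays on: a handshake error here (for example an expired
    certificate) is itself a sign that the old certificate is still bound.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_serving(expected_thumbprint: str, der_cert: bytes) -> bool:
    """True if the served certificate is the one with the expected thumbprint."""
    return thumbprint(der_cert) == normalize_thumbprint(expected_thumbprint)


if __name__ == "__main__":
    # Usage: python check_cert.py <hostname> <thumbprint-of-new-cert>
    host, expected = sys.argv[1], sys.argv[2]
    der = fetch_leaf_der(host)
    ok = is_serving(expected, der)
    verdict = "new cert is bound" if ok else "NOT the expected cert"
    print(f"{host} serves {thumbprint(der)}: {verdict}")
    sys.exit(0 if ok else 1)
```

A non-zero exit code makes this usable as a post-renewal check in a scheduled job, so a certificate that was issued but never bound is noticed before the old one expires.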