vrbyjimmy / EcdsaAcmeNet

Simple ACME client based on ACMESharp and BouncyCastle to issue ECDSA certificates from Let's Encrypt.
MIT License

A specified logon session does not exist #1

Closed ScottRFrost closed 7 years ago

ScottRFrost commented 7 years ago

Windows Server 2016 - Fully updated - Not domain joined - Logged in as Local Administrator.

I created the config file (C:\Users\ZZZ\Downloads\EcdsaAcmeNet\Configuration\yyy.xxx.com\config.xml):

<?xml version="1.0" encoding="utf-8"?>
<CertificateConfiguration>
  <Email>support@xxx.com</Email>
  <Domain>xxx.com</Domain>
  <WebRoot>C:\inetpub\yyy.xxx.com</WebRoot>
  <IisSiteName>yyy.xxx.com</IisSiteName>
  <Aliases>
    <Alias>yyy.xxx.com</Alias>
  </Aliases>
</CertificateConfiguration>

Then ran the following commands in an administrator command prompt

cd C:\Users\ZZZ\Downloads\EcdsaAcmeNet
EcdsaAcmeNet -p PasswordHere

It correctly created the certificate, but seems to have added it to IIS in a way that it can't use it. The binding ended up set as no SSL cert and if I went in and tried to pick the cert I got:

---------------------------
Edit Site Binding
---------------------------
There was an error while performing this operation.

Details: 
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

As a workaround, I deleted the cert from IIS, then imported the PFX manually (to personal, not to web hosting and with 'allow to be exported' checked) and was then able to manually apply it. However, I wouldn't want to have to go back and do this every 90 days. This SO question may be related - https://stackoverflow.com/questions/14953132/iis-7-error-a-specified-logon-session-does-not-exist-it-may-already-have-been#25854919 . In trying to fix it, I gave Administrators group full control of C:\ProgramData\Microsoft\Crypto\RSA\MachineKey and that did not resolve the issue.

As a separate but related issue, I had an HTTP site set up for port 80 of yyy.xxx.com that did nothing but redirect to 443/https. I had to remove this site and add the 80 binding to the yyy.xxx.com site to get it to work. Not really a bug, but something that could automate allowing HTTP, do the ACME challenge, then disable/redirect HTTP to HTTPS would be great!

vrbyjimmy commented 7 years ago

Hi,

this utility is designed in a manner that it can only re-assign a newly generated certificate in an already existing site binding. So in order to set up SSL on a newly added site, you must first generate the certificate using the standard binding on port 80 - leave IisSiteName in the xml empty. Once you have the certificate, you can manually set up all the SSL bindings you need and then add IisSiteName to the xml and auto re-generate the certificate on a periodic basis. This is because each site can have different SSL site settings, one can for example use only a binding without www, or with SNI support etc., which most likely gets set up only once and then only a change of certificates is needed. So you must always assign all needed bindings on the site manually and then use this utility to change the certificate in the bindings that you manually created.

As for the issue with ports: the ACME challenge always gets resolved on port 80, so if you only want to support port 443, you must set a redirect on that site (using URL Rewrite for example), but you must leave port 80 still reachable. I suspect that the issue you are describing was caused by the fact that the site was not yet set up for an SSL binding and so the manual setup was needed as described above.

I hope this helps, if not feel free to let me know.

vrbyjimmy commented 7 years ago

Ok, now I feel like I have left the most important part out. Once you have bindings with an SSL certificate on a given site, the utility automatically changes the certificates in all bindings with a certificate set, so you don't have to manually install the certificate every 90 days but just once per site.

I use this utility in a Windows service that auto re-assigns all the certificates on my sites every month. No user input needed once you have your site bindings set.

Regards, Jimmy

ScottRFrost commented 7 years ago

The site was already created and the bindings were already set. Even if I run it again now (with a currently installed cert from the app), I receive the error. It looks like it's some kind of permission problem, but I can't nail it down without more information.

vrbyjimmy commented 7 years ago

Maybe this could help you: https://blogs.technet.microsoft.com/askperf/2012/04/18/task-scheduler-error-a-specified-logon-session-does-not-exist/ I ran it on WS2016 with no errors.

ScottRFrost commented 7 years ago

Just checked and that's set to Disabled on mine. I haven't manually edited any group policy settings on the server I'm testing on. It's pretty much stock config other than adding IIS role, installing MS SQL, and running https://www.nartac.com/Products/IISCrypto/ . Maybe the IIS Crypto tool broke it. I'll keep digging to see if I can nail down what's causing it.

vrbyjimmy commented 7 years ago

I use IIS Crypto as well and didn't see that error... Maybe try to disable UAC and see if it helps?

ScottRFrost commented 7 years ago

I can reproduce the error if I manually import the cert with "allow to be exported" UNCHECKED.

I'm not sure what this checkbox actually does under the hood. Can you add a flag to importing into IIS as "allow to be exported" to the tool?
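The flag Scott is asking about maps to a key-storage flag on the .NET certificate import. The following is an added example (not EcdsaAcmeNet's code) of installing a PFX into the LocalMachine store with the key persisted as a machine key and marked exportable, then checking the ECDSA private key is actually usable before any IIS binding is touched; the class and method names are invented for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of EcdsaAcmeNet. Imports a PFX the way IIS
// needs it: the private key must live in the machine key container and be
// persisted, or the store entry ends up without a usable key.
static class IisCertInstaller
{
    public static X509Certificate2 Install(string pfxPath, string password)
    {
        // MachineKeySet: key goes to the machine container, not the user profile.
        // PersistKeySet: keep the key after this object is disposed.
        // Exportable: the "allow to be exported" checkbox from the MMC wizard,
        // which the thread reports as the setting that made the binding work.
        var flags = X509KeyStorageFlags.MachineKeySet
                  | X509KeyStorageFlags.PersistKeySet
                  | X509KeyStorageFlags.Exportable;
        var cert = new X509Certificate2(pfxPath, password, flags);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key; IIS cannot bind it.");

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);   // LocalMachine\Personal, where IIS looks for bindings
        }
        return cert;
    }

    // Sanity check before assigning the cert to a binding: open the private
    // key from the store and perform a test signature with it.
    public static bool PrivateKeyUsable(X509Certificate2 cert)
    {
        try
        {
            using (ECDsa ecdsa = cert.GetECDsaPrivateKey())
            {
                if (ecdsa == null) return false;
                byte[] sig = ecdsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256);
                return sig != null && sig.Length > 0;
            }
        }
        catch (CryptographicException)
        {
            return false;   // key container missing or inaccessible to this account
        }
    }
}
```

Run it from an elevated prompt, since writing to LocalMachine\My and the machine key container requires administrator rights.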

vrbyjimmy commented 7 years ago

I'll look more to this issue...

ScottRFrost commented 7 years ago

Both RapidSSL and Thawte recommend this as a solution

Edit: It sounds like letsencrypt-win-simple was also having this issue, but fixed it in version 1.1, the dev replied with "I've found the problem and will be creating a new build soon. The certs are not getting placed into the certificate store correctly so they are not actually usable in the current build.". I believe this is the commit

vrbyjimmy commented 7 years ago

I updated the code and released new version v2. Also install as windows service is now supported when monthly automatic re-generation of certificates is wanted, so you can give it a try. I hope this resolves the issue.

Jimmy

ScottRFrost commented 7 years ago

I'm not sure if this was intended or not, but 2.1 appears to not be able to be run interactively and you MUST install it as a service. If you run it without -i or -u, you get:

---------------------------
Windows Service Start Failure
---------------------------
Cannot start service from the command line or a debugger.  A Windows Service must first be installed (using installutil.exe) and then started with the ServerExplorer, Windows Services Administrative tool or the NET START command.

I installed it as a service with -i and then started the service manually and it looks like it worked! I believe you can mark this issue as resolved now.

However, the service appears to have forgotten to delete intermediary .pem and .der files (screenshot attached).

vrbyjimmy commented 7 years ago

Yep, that is now the behaviour if you run it without params. If you want to use it as a command line tool, you must specify some parameters, -p "password" at least.

As for the .pem and .der files, there is no logic trying to remove these, as they are just differently formatted cert files which can be used for generating the certificate in a format other than PFX using OpenSSL.

I'm closing this issue now then.

ScottRFrost commented 7 years ago

Yep, that is now the behaviour if you run it without params. If you want to use it as a command line tool, you must specify some parameters, -p "password" at least.

It might be worth mentioning this when the app is run without parameters, or at very least in the README.md. More useful to the end user than the Windows Service Start Failure message.

Thank you for the great app!