V4 Beta test volunteers wanted

[webprofusion-chrisc]

Interested in testing the new v4 release of the app with support for the ACME v2 API, wildcard certs, API credentials manager and a bunch of other UI changes?

If so, and you have a server to test on (backup any previous config using the instructions below), please try it out. Leave a comment here to be notified when new test versions are available. Thanks!

---

Update - 4.0 has now been released. (Updated 2018/07/25, V 4.0.4)

Alpha/Beta/RC Release Notes:

V4 is a major update, including:

• Redesigned User Interface
• New status info and preview tabs
• Let's Encrypt v2 API including wildcard domain support (using the Certes library)
• All 64-bit
• DNS validation
  • Manual, Scripted or via API
  • DNS APIs Supported: Cloudflare, Azure, AWS Route53, GoDaddy, DnsMadeEasy, OVH, SimpleDNS, Alibaba Cloud DNS, Vote for other options.
• Stored credentials: manage protected DNS API credentials for auto renewals
• New certificate deployment options
• Preset example scripts for Exchange, Remote Desktop Gateway etc.

Release Candidate 1 Updates

• Fix important bug with AWS Route 53 DNS provider causing unintended deletes
• Implement manual DNS notifications (optional)
• Add new certificate cleanup process of expired certs created by the app
• General bug fixes
• Fix IDN certificate requests (regression)
• Fix invalid deployment matches for wildcard and root domains if only using a wildcard domain
• Minor UI updates

Beta 4 updates

• Test of version auto update (hence 4.0.1)
• Minor bug fixes
• Fix issue preventing new cert UI showing
• Work on issues related to running many http challenges
• Updated Chinese (za-Han) translation contributed by @iccfish
• New Japanese translation contributed by @haramizu

Beta 3 updates:

• New Alibaba Cloud DNS provider (Aliyun) - user contributed! @TkYu
• Custom propagation delay (pause before validation) in scripting DNS provider
• Implement DNS challenge record cleanup
• Implement multi-challenge website root path options
• Skip config check tests during requests if no recent failures
• Fix challenge validation issue combining wildcard domains with non-wildcard
• Fix exception stopping http challenge server if already stopped
• Fix error re-using Certes acme context
• Fix renew-all logic for items not yet requested (CSV imports etc)

Beta 2 updates:

• Lots of bug fixes & feature stablisation
• New Dns Zone Lookup option for DNS APIs (makes finding your DNS zone id much easier!)
• New SimpleDNS API provider (user contributed! @alphaz18 )
• Multi-challenge UI updates
• Other minor UI updates
• Release for v4 is getting close!

Beta 1 updates:

• Manual DNS validation option (doesn't yet send notification email but can do in the future)
• Scripted DNS provider
• New OVH DNS provider (user contributed! @laugel )
• New UI for multi-challenge config, this is useful if you need one cert but need to use multiple challenge configurations (different DNS provider/settings, or mix of HTTP and DNS validation)
• Experimental http challenge server, temporarily runs a port 80 server to compliment IIS etc, answering http challenges only.
• Dynamic reallocation of background service port (when port already in use, configurable)
• UI updates & bug fixes

Alpha 6 updates:

• Fix for determining root domain of zone (subdomains)
• Minor UI updates (validation), some accessibility labels
• Add warning for Server 2008 R2 and lower regarding lack of SNI

Alpha 5 updates:

• Fix for alpha 4 PFX corruption (certes update)
• New deployment matching process (auto, single site, all sites, various matching options)
• Preview UI updates & fixes
• Minor CLI option updates
• https://docs.certifytheweb.com

Alpha 4 updates:

• Credentials editor updates & Test Option
• GoDaddy DNS provider (contributed by @alphaz18 )
• DnsMade Easy DNS Provider

Alpha 3 updates:

• Fixes for Azure DNS provider
• Fixes for Preview
• DNS Check fixes
• DNS propagation Pause mode
• Additional checks for invalid wildcard/label mixes in cert request
• Update quick start guide UI

Alpha 2 updates:

• Significantly updated 'Preview' option UI
• Updated deployment matching
• New 'Test' results UI
• new CSV import options
• General bug fixes

Upgrading If you have a previous install on the server you are testing on:

* Backup the folder C:\ProgramData\Certify before upgrading
* Uninstall the existing app using Add or Remove Programs
* Don't skip either of these steps

How to revert to the old version (current release):

* Uninstall the v4 alpha version
* Delete the C:\ProgramData\Certify folder
* Restore your back of C:\ProgramData\Certify folder
* Restart Windows
* Install the current release again

Known Issues:

The app is now 64-bit, so check if you have any dependency on 32-bit (scripting use etc). Old scheduled tasks will no longer work as they will point to the removed 32-bit version. Scheduled Tasks are no longer required for renewals.

Please report any bug you find as a new issue, please also check first if it's already been reported.

See also the informal product roadmap: https://github.com/webprofusion/certify/blob/development/docs/roadmap.md

Discussion Forum: https://community.certifytheweb.com : note the forum does not use your certifytheweb.com dashboard account details if you have any, it has it's own set of usernames etc.

[johnabela]

I am up for giving it a go. I currently have three certs setup and running on an EC2 server. I have three or four additional domains that I could test it out on/with, that I just have not made the switch away from my rappidssl certs yet, but could do so.

[webprofusion-chrisc]

Thanks, the alpha version should be happening in the next week or two. Pretty big changes!

[telamon4ebe]

hello, have some test domains which I would like to test with the v4 version.

[macBender]

I have an IIS server and suitable domain for wildcard testing.

[lankaapura]

👍

[genxlee]

Interested

[ThePixelatedOne]

Would love to test this in our test environment running IIS, and hopefully move it to live once it's out of Alpha/Beta. Currently have a GoDaddy wildcard cert we'd like to get rid of.

[markive]

Interested..

[webprofusion-chrisc]

Quick question to those interested in the beta:

• Is anyone still running a 32-bit version of Windows (server, i.e. can we get rid of 32-bit support)?
• Can everyone run the required (v4) minimum of .Net Framework 4.6.2?

Currently the new version target's .net 4.6.2 so that we can reference the latest versions of the IIS Administration APIs. I'm contemplating going 64-bit only so that people who use PowerShell scripts can expect a 64-bit environment by default.

[Tony1044]

Hi Chris. Very interested in testing. All 64 bit here but if you ever needed, I could eat stand up a 32 bit server should you require it

[markive]

Not running 32-bit but can handle latest version of .Net

[johnabela]

I am running 64 and have 4.6.2 installed.

[Jaggl-AT]

I am also Interested... 👍

[webprofusion-chrisc]

Next question: if you use a cloud DNS provider (who have an API) which one do you use? Planning to target AWS Route 53, Azure and CloudFlare in this first release.

DNS validation (creating a random TXT record in your domains DNS zone) is required by Let's Encrypt in order to request wildcard certs, it's also useful if you can't do normal http-01 validation through port 80.

[markive]

Cloudflare

[suckmyhardware]

I'm also interested :)

[Sebastian1989101]

I have two servers available for testing. Are there already more exact plans when the Alpha/Beta for v4 will arrive?

[webprofusion-chrisc]

@Sebastian1989101 It's only myself that regularly does any work on the app, and I have a day job as well, so it just gets done when there's time. v4 has a bunch of necessary UI changes as well as big changes to the internals and that has resulted in a lot of work to do. I'm at the stage where I'm fixing bugs and ironing out obvious issues, so it could be next week or later. We're coming into the Easter holiday period and I have family stuff on so that could delay things, but I'm hoping to start getting test versions out before then.

[Tony1044]

Appreciate all of your hard work on it, Chris. I'm not a coder but have a bunch of servers running various things form Linux through various Windows versions so anything I can do to help test or iron out things just feel free to holler.

[djpbessems]

I'm willing to test as well. Not using a cloud based DNS provider, just TransIP, who sadly only have a very clunky php-based API...

[FlixSir]

I'm interested :)

I have some IIS servers and suitable domains for wildcard testing. The server are running on different verions of Windows Server. (2012,2012r2 and 2016)

[luetze]

I'm interested I have some IIS running based on Win Server 2016.

[boscorelly]

Hi,

i can do this on 2012, 2012r2 and 2016

[VulkanX]

Also interested in testing it out, we have a few servers and a test environment that I would love to test this on.

[MichaelLuttmer]

Hi, i can do this on Windows Server 2016

[stibra]

I can test on Windows 2012 R2 and 2016

[rootal1123]

I can test on Windows 10 & Server 2016

[Boxx1e]

Can test on Server 2012r2/2016

[Thayios]

Can test on Server 2016 preferably (I utilize for RDS), or really anything you need (have a vSphere Cluster for Home Lab).

[tomaql]

Please could we have access to the beta? We have an internal IIS server which is not accessible from the internet and would like to test the DNS validation.

Cheers, Tom

[webprofusion-chrisc]

Update: Current estimate is that there is about 20hrs of dev time left to get to the beta version, which should hopefully mean beta availability in about a week or so, depending on how remaining dev and initial testing goes.

[robertcharles]

We have several IIS running a mix of 2008/12/16 servers that are used for testing. We host 2 of our own Bind instances. Do you plan anything for those?

[SympleNZ]

Very interested in testing. 2016 Server, want to test out the wildcard support and ditch GoDaddy.

[WoRsTiG]

If you're still looking for more testers, i'd like to participate too. Server 2016, 3 (appliable for wc) domain names, 6 iis sites, 11 bound hostnames, SNI enabled

[counterfitninja]

Happy to help out. 2016 server so happy to test things out

[Phobos881]

I'm interested :)

IIS 8.5 and NetScaler!

[JBirdV1]

Happy to test if there is still spaces in the beta

[bodforss]

im up for the wildcard challenge :)

[brianparvin]

I am willing to test, interested in the wild card functionality

[BigApple1988]

Hello! I'm interested too. Want to test wildcard functionality

[webprofusion-chrisc]

Ok, if you're feeling brave the v4 Alpha 1 link has been included in the updated issue description above. This is a work in progress which has had a massive amount of changes, features can and will changes and several features are incomplete.

If you foolishly choose to use it on a production server (like I do) you should ensure you have complete confidence in your ability to restore from backup. At this stage use in production is unsupported and really not recommended.

v4 Alpha 1 is less of a test version, more of a proof of concept - several features are incomplete and not worth reporting bugs on, but if you have observations please share them, particularly if you feel any feature is dangerously buggy or if something was too difficult to achieve.

For those interested in wildcard domains - DNS validation is required and we currently only support Cloudflare, Azure and AWS Route53 with more to come. There is no manual DNS validation option and currently no scripting option etc. Please vote for other cloud DNS providers if you use them.

The cool part about DNS validation (and wildcards) is you can optionally generate (and renew) certificates on your desktop machine, then deploy however you like (scripting etc), which is an interesting departure from the server controlled validation we're used to.

[Tony1044]

Thanks Chris

My DNS provider isn't really a cloud based one at all - it's DNS exit, so really will need a manual option at some point please

On 1 April 2018 at 13:34, Christopher Cook notifications@github.com wrote:

Ok, if you're feeling brave the v4 Alpha 1 link has been included in the updated issue description above. This is a work in progress which has had a massive amount of changes, features can and will changes and several features are incomplete.

If you foolishly choose to use it on a production server (like I do) you should ensure you have complete confidence in your ability to restore from backup. At this stage use in production is unsupported and really not recommended.

v4 Alpha 1 is less of a test version, more of a proof of concept - several features are incomplete and not worth reporting bugs on, but if you have observations please share them, particularly if you feel any feature is dangerously buggy or if something was too difficult to achieve.

For those interested in wildcard domains - DNS validation is required and we currently only support Cloudflare, Azure and AWS Route53 with more to come. There is no manual DNS validation option and currently no scripting option etc. Please vote for other cloud DNS providers if you use them.

The cool part about DNS validation (and wildcards) is you can optionally generate (and renew) certificates on your desktop machine, then deploy however you like (scripting etc), which is an interesting departure from the server controlled validation we're used to.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/webprofusion/certify/issues/270#issuecomment-377783739, or mute the thread https://github.com/notifications/unsubscribe-auth/AJKmSTyiDMdI7NofW_MdZhDgL5-zSdQFks5tkMk5gaJpZM4Spp6V .

[TimDawgz]

When you say Azure is a compatible DNS provider does that include Office 365 aka MS Hosted Exchange? I regularly use O365 to host DNS for many of the instances that I manage.

[webprofusion-chrisc]

@Tony1044 for manual DNS updates the current plan is to add an interactive UI that prompts you to create the required TXT record. For auto-renewal the idea is to possibly send you an email asking you to create the TXT record(s), then to auto detect when that change has been completed and then perform the renewal as usual. I would suggest being wary of DNS providers who can't offer an API to update TXT records and instead switch to Cloudflare, Azure DNS or AWS Route 53 etc as many of them are low/no cost.

@TimDawgz apparently O365 DNS is a different API and their current recommended API is MS Graph, for which the DNS endpoints are beta service that aren't supposed to be used in production. So direct support of that is probably some way off.

However we will be adding support for scripted DNS updates (so other APIs that can be scripted against, you can provide a script for). We may also be offering a python based add-on to optionally use apache libcloud (here are their supported services: http://libcloud.readthedocs.io/en/latest/dns/supported_providers.html)

[webprofusion-chrisc]

On the topic of DNS providers, if we offered our own API for updating a variety of different DNS providers (rather than attempting to bundle multiple providers and keep new ones up to date) would that be of interest to people?

The pro's and con's include:

Pros:

• The app can automatically enable new DNS providers as they become available in the API without requiring software updates
• Less requirement for custom scripting
• No requirement to bundle lots of providers or plugins (our embedded python solution would need to be an extra 12MB download and needs to be setup properly)

Cons:

• It costs us money to run a central API service
• Credentials for DNS APIs would need to be sent to us to perform DNS operations, however we don't need to store these.
• If the API has downtime then any dependant DNS renewals would fail (but would be retried later)

[Thayios]

Go for a premium model for API access. Use fall back for standard. I would gladly pay to have this work 100% of the time, maybe even a support email if it fails.

[JohnAbassian]

Interested in beta, please and thanks :)

[Tony1044]

@Chris...I've moved one of my domains DNS to Azure for testing purposes :) Thanks for the heads up.

In terms of you guys running an API I think it's something most people would be happy to pay for to be honest, especially if it comes with (even email) support? Personally I wouldn't mind a small monthly or annual payment.

On 2 April 2018 at 06:48, Christopher Cook notifications@github.com wrote:

On the topic of DNS providers, if we offered our own API for updating a variety of different DNS providers (rather than attempting to bundle multiple providers and keep new ones up to date) would that be of interest to people?

The pro's and con's include:

Pros:

• The app can automatically enable new DNS providers as they become available in the API without requiring software updates
• Less requirement for custom scripting
• No requirement to bundle lots of providers or plugins (our embedded python solution would need to be an extra 12MB download and needs to be setup properly)

Cons:

• It costs us money to run a central API service
• Credentials for DNS APIs would need to be sent to us to perform DNS operations, however we don't need to store these.
• If the API has downtime then any dependant DNS renewals would fail (but would be retried later)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/webprofusion/certify/issues/270#issuecomment-377860578, or mute the thread https://github.com/notifications/unsubscribe-auth/AJKmSbYnh14FidrBu0Q2QlYccESHT0leks5tkbuUgaJpZM4Spp6V .

[swinster]

Certainly interested in the beta, especially on DNS validation with wildcards. Currently using DNSMadeEasy API integration with the ACMEsharp client.

I wonder too, is it possible to auto renew the same cert that is applied to an ftp site in iis?

[webprofusion-chrisc]

@swinster currently we don't directly support updating an ftp server certificate but you can definitely do it with a post-request powershell script.