win-acme / win-acme

A simple ACME client for Windows (for use with Let's Encrypt et al.)
https://www.win-acme.com/
Apache License 2.0

Unable to renew and bind to IIS with version 2.1.22.1 #2136

Status: Closed (csireesh closed this 2 years ago)

csireesh commented 2 years ago


Log

2022-05-25 11:20:20.007 -04:00 [INF] Arguments: --renew --baseuri https://acme.sectigo.com/v2/OV
2022-05-25 11:20:20.062 -04:00 [INF] Software version 2.1.22.1267 (release, pluggable, standalone, 64-bit) started
2022-05-25 11:20:20.063 -04:00 [INF] Connecting to "https://acme.sectigo.com/v2/OV"...
2022-05-25 11:20:27.721 -04:00 [ERR] Initial connection failed, retrying with TLS 1.2 forced
System.Exception: Server returned status Forbidden:Forbidden
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetworkResponse(HttpResponseMessage response)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
2022-05-25 11:20:35.616 -04:00 [ERR] Unable to connect to ACME server at "https://acme.sectigo.com/v2/OV"
System.Exception: Server returned status Forbidden:Forbidden
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetworkResponse(HttpResponseMessage response)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
2022-05-25 11:20:35.693 -04:00 [INF] Scheduled task looks healthy
2022-05-25 11:20:35.693 -04:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2022-05-25 11:20:36.295 -04:00 [INF] Renewing gccappwdiad2355.aws.etscloud.org
2022-05-25 11:20:36.310 -04:00 [WRN] Using cache for *****.org. To get a new certificate within 1 days, run with --force.
2022-05-25 11:20:36.386 -04:00 [INF] Store with CertificateStore...
2022-05-25 11:20:36.402 -04:00 [WRN] Certificate with thumbprint FCE4A568510049B3FB4C064493670703C681A142 is already in the store
2022-05-25 11:20:36.414 -04:00 [INF] Installing with IIS...
2022-05-25 11:20:36.519 -04:00 [INF] No bindings have been changed while updating site 2


WouterTinus commented 2 years ago

I don't necessarily see a bug here. You renew shortly after the certificate has been requested, so you get the same one from local cache and therefore no changes to IIS are needed. Please provide more detailed information if you think you've actually found a bug.

csireesh commented 2 years ago

For the renewal test, we added 1 day in RenewalDays in Settings.Json. We installed the certificate by passing the ACME account details as below, and the cert was issued and the IIS binding updated successfully. But the ACME account details are not being stored in PROGRAMDATA/win-acme. Due to this behavior we are seeing the error "[ERR] Unable to connect to ACME server" in the logs.

.\wacs.exe --source manual --host $wacsHost --friendlyname $FQDN --installation iis --installationsiteid $IISSiteID --sslport $SSLPort --emailaddress $EMAIL --certificatestore My --accepttos --eab-key-identifier $eabKeyIdentifier --eab-key $eabKey

WouterTinus commented 2 years ago

That's not what these logs are showing. No attempt was made to actually order a certificate yet because it was too soon after creation. You can use the --force switch to force a renewal.

This error shows a 403 status code returned from https://acme.sectigo.com/v2/OV, nothing else. That may have been a transient error at the provider's side or some firewall/proxy standing in the way. For now I'm going to assume that this is not a bug and convert to a Q&A discussion.
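The two points the maintainer makes (the run never reached the CA, and the certificate was reused from cache so IIS was untouched) can be read mechanically from the log. The following is an added example, not code from this thread or from win-acme itself: a small parser for the log shape seen above (timestamp, UTC offset, three-letter level in brackets, message, with exception text and stack frames on continuation lines) and a triage pass that reports the connection status, whether the cached certificate was reused, and whether IIS bindings changed. The message substrings it matches are the ones that appear in this thread's log; other win-acme versions may word them differently, which is an assumption to check before relying on it. The sample log is the thread's own, reflowed one entry per line.

```python
"""Triage a win-acme renewal log: did it reach the ACME server, did it reuse
the cached certificate, and were IIS bindings touched?  (Added example; the
matched message strings are assumed from the log in this thread.)"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One win-acme log entry: "<date> <time.ms> <utc offset> [<LVL>] <message>".
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<tz>[+-]\d{2}:\d{2}) \[(?P<level>[A-Z]{3})\] (?P<msg>.*)$"
)
# HTTP status word quoted by the client when the directory request fails.
STATUS_RE = re.compile(r"Server returned status (\w+)")


@dataclass
class Entry:
    ts: str
    level: str
    msg: str  # exception text and stack frames get folded into this


@dataclass
class Triage:
    connected: bool = True                   # did the ACME directory answer?
    acme_status: Optional[str] = None        # status word when it did not
    tls12_retry: bool = False                # client fell back to forced TLS 1.2
    cached: bool = False                     # renewal reused the local cache
    bindings_changed: Optional[bool] = None  # IIS outcome, if the log says
    renewal: Optional[str] = None            # renewal name processed
    findings: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Split a log into entries; lines that are not a new entry (exception
    message, '   at ...' frames) are appended to the preceding entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["level"], m["msg"]))
        elif entries:
            entries[-1].msg += "\n" + line
    return entries


def triage(entries: List[Entry]) -> Triage:
    """Classify what the run actually did, then explain it in the terms the
    maintainer used: no order is placed when the cache is used, and a 403 on
    the directory means the CA, a proxy or a firewall refused the request."""
    t = Triage()
    for e in entries:
        if e.level == "ERR" and "retrying with TLS 1.2 forced" in e.msg:
            t.tls12_retry = True
        elif e.level == "ERR" and "Unable to connect to ACME server" in e.msg:
            t.connected = False
            m = STATUS_RE.search(e.msg)
            t.acme_status = m.group(1) if m else None
        elif e.level == "INF" and e.msg.startswith("Renewing "):
            t.renewal = e.msg[len("Renewing "):]
        elif e.level == "WRN" and e.msg.startswith("Using cache for"):
            t.cached = True
        elif e.level == "INF" and e.msg.startswith("No bindings have been changed"):
            t.bindings_changed = False
    if not t.connected:
        t.findings.append(
            f"ACME directory unreachable (status {t.acme_status}): the CA, a proxy "
            "or a firewall refused the request, so no order could be placed"
        )
    if t.cached:
        t.findings.append(
            "certificate served from local cache: no new order was placed and the "
            "store and IIS bindings stay unchanged; run with --force to request one"
        )
    if not t.findings:
        t.findings.append("no connection or cache condition found in this log")
    return t


# The thread's log, one entry per line (continuation lines follow the [ERR] entries).
SAMPLE_LOG = """\
2022-05-25 11:20:20.007 -04:00 [INF] Arguments: --renew --baseuri https://acme.sectigo.com/v2/OV
2022-05-25 11:20:20.062 -04:00 [INF] Software version 2.1.22.1267 (release, pluggable, standalone, 64-bit) started
2022-05-25 11:20:20.063 -04:00 [INF] Connecting to "https://acme.sectigo.com/v2/OV"...
2022-05-25 11:20:27.721 -04:00 [ERR] Initial connection failed, retrying with TLS 1.2 forced
System.Exception: Server returned status Forbidden:Forbidden
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetworkResponse(HttpResponseMessage response)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
2022-05-25 11:20:35.616 -04:00 [ERR] Unable to connect to ACME server at "https://acme.sectigo.com/v2/OV"
System.Exception: Server returned status Forbidden:Forbidden
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetworkResponse(HttpResponseMessage response)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
2022-05-25 11:20:35.693 -04:00 [INF] Scheduled task looks healthy
2022-05-25 11:20:35.693 -04:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2022-05-25 11:20:36.295 -04:00 [INF] Renewing gccappwdiad2355.aws.etscloud.org
2022-05-25 11:20:36.310 -04:00 [WRN] Using cache for *****.org. To get a new certificate within 1 days, run with --force.
2022-05-25 11:20:36.386 -04:00 [INF] Store with CertificateStore...
2022-05-25 11:20:36.402 -04:00 [WRN] Certificate with thumbprint FCE4A568510049B3FB4C064493670703C681A142 is already in the store
2022-05-25 11:20:36.414 -04:00 [INF] Installing with IIS...
2022-05-25 11:20:36.519 -04:00 [INF] No bindings have been changed while updating site 2
"""

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)).findings:
        print("-", finding)
```

Run against the thread's log this reports both conditions: the directory request was refused with Forbidden before any order, and the renewal itself was satisfied from cache, which is why the store and the IIS bindings report no change. Folding the continuation lines into the preceding entry is what lets the status word be read from the exception text rather than from the `[ERR]` line alone.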