
Manual Plugin Renewals #195

Closed
LBegnaud opened this issue Apr 12, 2016 · 20 comments

@LBegnaud
Collaborator

commented Apr 12, 2016

I have set up a handful of servers using the manual plugin, after setting up a number more using the IIS plugin.

IIS plugin obviously works flawlessly for renewals and updating the bindings. I was pretty sure I tested it, but I just verified the behavior in the code and it looks like the renewal function is overloaded to just say "WARNING: Unable to renew" for the manual plugin.

I'm a bit confused by this behavior, as the scheduled task is still installed to renew. I've never done it, but I guess you can have multiple certs for the same user on the same server and the same task will attempt to renew them all?

At any rate, I'd like to open up the discussion on whether or not we can get the option to have the manual plugin renew certs.

@rkerber

Collaborator

commented Apr 12, 2016

A new feature that hasn't been tested that much is the ability to run a script after generating a cert. Right now that works for the manual, FTP, and WebDav plugins only for install since none of those plugins currently support renewal.

I wouldn't see any issue with adding in renewal for those plugins if a script is specified. The script doesn't have to do anything besides exist and be executable by the user running it.

If a script isn't specified, should it still do a renewal? If the cert is renewed, but the admin doesn't realize it, they won't get an email from Let's Encrypt telling them it's going to expire since it will already have been renewed, so then they might forget about it and their cert might expire.

@rkerber rkerber added the question label Apr 12, 2016

@LBegnaud

Collaborator Author

commented Apr 12, 2016

That is an interesting point about not getting the email. We have a monitoring system that alerts us if the cert is close to expiration, so I didn't think about that. Maybe an option like the one to run the scheduled task as a different user? Default to not renew, but give the option to renew.

@rkerber

Collaborator

commented Apr 12, 2016

That would probably work, or maybe it should be a command line argument. That way it could be done unattended. If it's an argument, I almost think the default should be to renew, and the argument is to not renew.

@LBegnaud

Collaborator Author

commented Apr 12, 2016

I'm fine with whatever you want as long as it's documented :)

@rkerber rkerber added enhancement and removed question labels Apr 12, 2016

@nicgord


commented Apr 13, 2016

Great idea for this and happy to test when ready.

@LBegnaud

Collaborator Author

commented Apr 13, 2016

I'm not familiar with the code to know how difficult this change is. Any estimate of complexity so I can get an idea of an ETA?

@rkerber

Collaborator

commented Apr 13, 2016

It's not that difficult, but it's going to take a while to code and much much longer to test.

It's also not the top priority according to the enhancement voting.

However, it could almost be tied in with #151. So it will still be a while, but it might be in the next release.

@LBegnaud

Collaborator Author

commented Apr 13, 2016

I understand. Thanks for the clarification.

@LBegnaud

Collaborator Author

commented Apr 18, 2016

I just had one of our servers update using the manual plugin. I was even more confused, so I looked into it.

The ManualPlugin.cs from version 1.8 contains no "public override void Renew(Target target)", but version 1.9 does.

Unfortunately, I am not great at browsing the history of particular files in GitHub... but it seems like the change was made to facilitate manual SAN runs.

I tested and implemented using 1.8 and it worked great. So I assumed it would still function the same with 1.9 with a little more functionality (being able to generate SANs is great!).

Any idea where that commit happened to see the reasoning behind putting in that limitation of the manual plugin?

@rkerber

Collaborator

commented Apr 18, 2016

That happened when the plugin architecture changed to support renewals for the FTP and WebDAV plugins. However, I never finished getting that working.

@LBegnaud

Collaborator Author

commented Apr 18, 2016

Oh, I see.

@eliotcougar


commented May 20, 2016

Please, take into account the web-server setup scenario "Apache on Windows"... In other words, manual mode is very much needed...

@rkerber

Collaborator

commented May 20, 2016

It is intended to support this again with the ability to run scripts on renewal.

However, right now this is towards the end of the list of enhancements as only 2 people have said they want it. If you want it, give the issue a thumbs up.

@GurliGebis


commented Jun 13, 2016

I'm currently using this, following this guide to get it all working with WAP and centralized ssl: https://forums.servethehome.com/index.php?resources/letsencrypt-a-2012-r2-web-application-proxy.16/

The problem is, all the certificates are created using the manual method, so renewal is not working.
All it should do, is just renew them, and overwrite the pfx files with the new ones.

@ecc256


commented Jun 20, 2016

Wanna chime in about a single certificate renewal using the manual plugin.
I understand the LE API renew is for updating multiple certificates at once (using exactly the same parameters as when the certificates were initially requested).
If we want to renew a single certificate, we essentially need to do the same as the initial certificate request, except skip KEY and CSR generation and start with domain validation (i.e. re-validation) and then use the old CSR.
Am I wrong about it?

@ritsute


commented Jun 30, 2016

Ran into the same problem, had a shock when the cert expired. (The email was sent to the administrator, so I never saw it.)
Had to resort to "letsencrypt.exe --accepttos --manualhost www.example.com --webroot C:\Apache24\htdocs\example" to force renew.

@DavidRawling


commented Jul 20, 2016

I am the author of the guide at servethehome.com. I too have been bitten by the manual "bug" and I'm working on a way to not have that problem again - I'll update the guide with the new process.

@ritsute


commented Aug 15, 2016

Since this is still not fixed, for Apache manual users, you can add this to your scheduler.
Please set the frequency to either 30 or 60 days, as there are rate limits on the "renewal".

renewal.bat:
echo n | C:\letsencrypt\letsencrypt-win-simple.V1.9.1\letsencrypt.exe --accepttos --manualhost www.example.com --webroot C:\Apache24\htdocs\

Tips on Task Scheduler:
Run whether user is logged on or not.
Run with highest privileges.
Triggers: Monthly.
Action: Start a Program.
Program/script: C:\Users\Username\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\renewal.bat
Add arguments: renewal.bat
Start in: C:\Users\Username\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

This results in an error from trying to read from console, but your cert will be renewed.

System.InvalidOperationException: Cannot read keys when either application does not have a console or when console input has been redirected from a file. Try Console.Read.
at System.Console.ReadKey(Boolean intercept)
at LetsEncrypt.ACME.Simple.Program.PromptYesNo()
at LetsEncrypt.ACME.Simple.Program.Auto(Target binding)
at LetsEncrypt.ACME.Simple.Plugin.Auto(Target target)
at LetsEncrypt.ACME.Simple.ManualPlugin.PrintMenu()
at LetsEncrypt.ACME.Simple.Program.Main(String[] args)

Alternatively, use https://github.com/Lone-Coder/letsencrypt-win-simple/releases/download/v1.8/letsencrypt-win-simple.v1.8.zip
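As an added example that is not part of the original thread or of letsencrypt-win-simple: a PowerShell wrapper for the scheduled task above that addresses the two concerns raised earlier in the thread, the certificate that silently expires once nobody gets the Let's Encrypt reminder email, and the rate limits that a blindly repeating task can run into. It probes the live site for the certificate it actually serves, only calls letsencrypt.exe when fewer than 30 days remain, and after the renewal and a deploy step checks that the served certificate really changed, exiting non-zero otherwise so Task Scheduler's Last Run Result can be monitored. The host name, paths, the 'Apache2.4' service name and the thresholds are assumptions, as is the Deploy scriptblock, which stands in for whatever copies the renewed certificate to where your web server reads it.

```powershell
<#
  Added example, not code from letsencrypt-win-simple or from any post in
  this thread. Gate the manual-plugin renewal on the expiry date of the
  certificate the site actually serves, so a monthly task only talks to
  Let's Encrypt when a renewal is due, and fail loudly when the renewal
  did not take effect. Host name, paths, service name and thresholds are
  assumptions; adjust them to your environment.
#>
param(
    [string]$HostName     = 'www.example.com',
    [string]$WebRoot      = 'C:\Apache24\htdocs\',
    [string]$LeExe        = 'C:\letsencrypt\letsencrypt.exe',
    [int]$RenewWithinDays = 30,   # renew once fewer than this many days remain
    # Assumed deploy step for the manual plugin: nothing installs the renewed
    # certificate for you, so reload the server once the new files are in place.
    [scriptblock]$Deploy  = { Restart-Service -Name 'Apache2.4' }
)

function Get-ServedCertificate {
    # Open a TLS connection to the site and return the leaf certificate it
    # presents. The validation callback always returns $true because we are
    # inspecting the certificate, not trusting it: an already expired
    # certificate must still be readable, or we could never notice it expired.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Get-DaysUntilExpiry {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    return [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
}

$before   = Get-ServedCertificate -HostName $HostName
$daysLeft = Get-DaysUntilExpiry -Certificate $before
Write-Output ("{0}: serial {1}, expires {2:yyyy-MM-dd}, {3} day(s) left" -f `
    $HostName, $before.SerialNumber, $before.NotAfter, $daysLeft)

if ($daysLeft -gt $RenewWithinDays) {
    Write-Output 'Renewal not due; nothing sent to Let''s Encrypt.'
    exit 0
}

# Same invocation as renewal.bat above. 'n' on stdin answers the scheduled-task
# prompt just as "echo n |" does in the batch file; the Console.ReadKey error
# quoted in the thread can still appear, which is why the outcome is verified
# below instead of trusting the exit code alone.
'n' | & $LeExe --accepttos --manualhost $HostName --webroot $WebRoot
Write-Output "letsencrypt.exe exit code: $LASTEXITCODE"

& $Deploy

$after = Get-ServedCertificate -HostName $HostName
if ($after.NotAfter -le $before.NotAfter) {
    Write-Warning ("{0} still serves the certificate expiring {1:yyyy-MM-dd}; renewal or deploy failed" -f `
        $HostName, $before.NotAfter)
    exit 1   # non-zero Last Run Result in Task Scheduler for monitoring to alert on
}
Write-Output ("Renewed: new certificate expires {0:yyyy-MM-dd}" -f $after.NotAfter)
```

Point the Task Scheduler action at powershell.exe with -ExecutionPolicy Bypass -File and this script instead of renewal.bat, keeping the same "run whether user is logged on or not" settings. Because the script does nothing while more than 30 days remain, the monthly trigger can stay monthly without burning through the duplicate-certificate rate limit, and a failed renewal shows up as a non-zero result rather than as an expired certificate discovered by a user.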

@s-berney


commented Feb 20, 2017

If you would like to compile it yourself, you can add this modification, which allows creation of a SAN certificate with a command line argument:

Add this to the "Options.cs" file:

    // New command line argument holding the additional SAN host names
    [Option(HelpText = "Alternate host(s), comma separated")]
    public string AltHost { get; set; }

And in the file "/Plugin/ManualPlugin.cs", replace the "PrintMenu()" function with this one:

    public override void PrintMenu()
    {
        if (!String.IsNullOrEmpty(Program.Options.ManualHost))
        {
            // Unattended mode: --manualhost was given, so build the target
            // from the command line instead of showing the menu.
            if (Program.Options.San && !String.IsNullOrEmpty(Program.Options.AltHost))
            {
                // --althost is a comma separated list of additional names
                var sanList = new List<string>(Program.Options.AltHost.Split(','));

                if (sanList.Count <= 100)
                {
                    var target = new Target()
                    {
                        Host = Program.Options.ManualHost,
                        WebRootPath = Program.Options.WebRoot,
                        PluginName = Name,
                        AlternativeNames = sanList
                    };
                    Auto(target);
                }
                else
                {
                    Console.WriteLine(
                        " You entered too many hosts for a SAN certificate. Let's Encrypt currently has a maximum of 100 alternative names per certificate.");
                    Log.Error(
                        "You entered too many hosts for a SAN certificate. Let's Encrypt currently has a maximum of 100 alternative names per certificate.");
                }
            }
            else
            {
                // Single-host behaviour, unchanged from the original plugin
                var target = new Target()
                {
                    Host = Program.Options.ManualHost,
                    WebRootPath = Program.Options.WebRoot,
                    PluginName = Name
                };
                Auto(target);
            }

            Environment.Exit(0);
        }

        Console.WriteLine(" M: Generate a certificate manually.");
    }

Now you can use this command line :
letsencrypt.exe --san --manualhost www.mydomain.com --althost www.mydomain.com,mydomain.com,xxx.mydomain.com

@mbeiley


commented Mar 17, 2017

This pull request worked for me to get around this issue.

#299
