Installing a Certificate to IIS webapplication (Windows Server 2016). #24
Comments
DanielBrownAU
changed the title
|
This issue stems from the compatibility mismatch with the bitness of the PS session and the IIS management module. Right now the PS module has to run in a 32-bit session, this is due to the dependency on the OpenSSL native library. The IIS management module in PS is only 64-bit on a 64-bit machine (don't know if it works on 32-bit machine). I'm actually working on addressing the 32-bit issue right now indirectly by externalizing all the PKI management stuff and that will remove the 32-bit requirement, and should fix this problem too. |
|
Ah ok, so its a known side effect of the bitness. Thanks for the information! Thanks for your efforts on this project. -DB |
|
@DanielBrownAU, the code has been updated to detect and handle support for both 32-bit and 64-bit platforms. Would you be able to test this out in your configuration and confirm it's working for you now? |
|
Will do, tho I think I got rate limited when I gto accepted into the beta, with the other error. Will give it a try now |
|
Yeah, im still getting this: (have replaced my email) PS C:\vv5> New-ACMERegistration -Contacts mailto:SOMEONE@NOONE.COM StatusCode : InternalServerError |
|
Just gave it a try, finally got the certificate issued. (via the 'x64' Powershell) PS C:\v1> Install-ACMECertificateToIIS -Certificate cert2 -WebSite "SharePoint - www.danielbrown.id.au80" -Replace
Oh so close! (Windows Server 2016 Tech Preview 3) |
|
follow up note: It is actually in the IIS store... just not on the web (i did have my happy hacker cert installed ) update #2... when trying to swap the cert in IIS Manager, im getting the exactly same error in a message box.. rebooting the server |
|
to be fair, i think it has something to do with the certificate being exportable. Removing it from IIS and reporting it as exportable solved the issue in IIS manager |
|
So the COM issue you had in the original post was definitely an issue with the architecture, and it looks like that's ok now that there is explicit 32-bit/64-bit support. The InternalServerError message shows an HTTP 500 response which means there was some error happening on the server (LetsEncrypt STAGE or BETA) and I've seen these occasionally myself, and even on the AppVeyor automated CI build, but it seems to clear itself up after a while. For example, here vs. here. And as you indicated it looks like you retry succeeded the second time. Now, I'm not quite sure I follow what the issue is in your last couple of comments? Are you suggesting it's an issue with the local system's store, so it's not an ACMESharp issue? |
|
Hey mate. The import of the certificate worked with the scripts, but assigning it to the web application failured. When I did a manual import, I can produce the same error. When I ticked 'Exportable' in IIS, when I manually imported the generated certificate, it went thru with no issue. The Install-ACMECertificateToIIS will need to import the certificate to IIS as an "exportable" certificate. Sorry any confusion. -DB |
|
Thanks for the heads up, I'll incorporate that feedback into the installer. |
When running the following on Windows Server 2016 Server IT Preview 3 via PowerShell v5 x86. I am coming across this error while attempting to replace the certificate.
PS C:\Vault2> Install-ACMECertificateToIIS -Certificate cert12 -WebSite "SharePoint - www.danielbrown.id.au80" -Replace
WARNING: Params:
WARNING: * F72C33EFE5C23AC4C83360D3A493E0540488042D
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\2\tmp7F23.tmp
WARNING: * 0
WARNING: * False
WARNING: * True
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
Exception calling "Invoke" with "1" argument(s): "Retrieving the COM class factory for component with CLSID
{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception
from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))."
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:214 char:3
Likewise if i attempt to install a fresh certificate (and not replace the existing).
PS C:\Vault2> Install-ACMECertificateToIIS -Certificate cert12 -WebSite "SharePoint - www.danielbrown.id.au80" -Port 443
WARNING: Params:
WARNING: * F72C33EFE5C23AC4C83360D3A493E0540488042D
WARNING: * C:\Users\administrator.VEXTHAL\AppData\Local\Temp\2\tmp8DA8.tmp
WARNING: * 0
WARNING: * False
WARNING: * False
WARNING: * System.Collections.Hashtable
WARNING: * System.Collections.Hashtable
Exception calling "Invoke" with "1" argument(s): "Retrieving the COM class factory for component with CLSID
{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception
from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))."
At C:\temp\ACMEPowerShell\ACMEPowerShell-IIS\ACMEPowerShell-IIS.psm1:214 char:3
Line 214 (and then some)
$invArgs = @(
,$ci.Thumbprint
,$pfxTemp
,$null ## $pfxBytes
,$SNIRequired.IsPresent
,$Replace.IsPresent
,$webBindingArgs
,$sslBinding
)
$script.Invoke($invArgs)
-DB
The text was updated successfully, but these errors were encountered: