Renewal / Revoke #57

Open
joachimcarrein opened this Issue Dec 10, 2015 · 24 comments

joachimcarrein commented Dec 10, 2015

The certificates I got are currently 3 months valid. So I tried to find how to do renewals, but didn't find how to do this. I guess the only way is to create a new identifier with a new alias?

Same thing if I would want to revoke the certificate.

Would there be a way to increase the validity?

Owner

ebekker commented Dec 10, 2015

Revokes and renewals are not implemented yet, but yes that will be included.

Validity is mostly controlled by LE at this point, they've said they plan on issuing 90-day certs and recommend everyone renews at 60 days. This is regardless of what the requested lifetime of the cert is.

I hope to have renewals in place within that time, working on some infrastructure changes now that will make adding this easier.

joachimcarrein commented Dec 10, 2015

Great,
Thanks for the feedback

nbevans commented Jan 29, 2016

Are renewals implemented yet? Also will the challenge need to be updated on the DNS/HTTP during a renewal? Thanks

Owner

ebekker commented Jan 30, 2016

No renewals yet. All verified Identifiers have an explicit expiration date when they will need to be re-Challenged and verified. I believe the verification lasts a year or so, and certs are issued for 90 days, so the first few renewals will not necessarily need to be re-verified, but eventually, yes they will need to be updated.

hmatt843 commented Feb 24, 2016

ebekker, I'm using Windows Server 2012 R2 and IIS. I used ACMESharp to get a LetsEncrypt certificate for my site, and it worked great, but now I need to revoke it. Is the only way to revoke it really to install Linux on the machine? What are my options? Please help.

tschmit commented Mar 9, 2016

Any update regarding renewal?
Thank you for all.

oekarlsson commented Apr 9, 2016

I have started an implementation of support for Let's Encrypt certificates in the MSPControl control panel (http://www.mspcontrol.org) using the ACMESharp Powershell modules. It's working, but we eventually need renew for this to be complete. What is the current status of plans for renew support in the Powershell modules?

skfd commented Apr 12, 2016

What is the current workaround for renewal?

Owner

ebekker commented Apr 20, 2016

You can simply request a new certificate using the same DNS name as before. If your Identifier (DNS name) has been previously Challenge-approved in less than 12mos (which of course is true for everyone since the LE project is not that old yet), then you don't even have to complete the Challenge again, simply make another cert request for the same domain.

LE will happily issue multiple certs for the same domain name over and over again. Once you get the new cert, you simply replace your old one with the new one in your software (i.e. IIS or whatever you're installing it into).

colinramsay commented Apr 20, 2016

This was incorrect, at least in the beta. There's a rate limit on the number of times you can do this. Either way, it doesn't solve revocation.

On 20 Apr 2016, at 21:42, Eugene Bekker notifications@github.com wrote:

You can simply request a new certificate using the same DNS name as before. If your Identifier (DNS name) has been previously Challenge-approved in less than 12mos (which of course is true for everyone since the LE project is not that old yet), then you don't even have to complete the Challenge again, simply make another cert request for the same domain.

LE will happily issue multiple certs for the same domain name over and over again. Once you get the new cert, you simply replace your old one with the new one in your software (i.e. IIS or whatever you're installing it into).


Owner

ebekker commented Apr 21, 2016

Correct, neither revocation nor renewal is handled yet.

The original rate limit allowed you to do this 5 times in a 7 day period, and if you're just trying to renew a cert that expired in the default time period, that would mean every 90 days, so that is usually not an issue, but I don't know your situation, it may be a genuine problem. Incidentally, they bumped that limit up to 20 as they exited beta.

sirrus commented Jul 24, 2016

Sorry - don't get me wrong - but this is a pain in the ass... ACMESharp-POSH is the best and only solution for Windows 2008 with Exchange (multidomain certs). But the renewal is a pain.

And I can't use the same name when I try to do: New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs... -Alias multiNameCert

It says there is already an element with the same name.

Regards,
Andreas

Krummelz commented Jul 29, 2016

@ebekker I suggest that you write in big bold letters at the top of your main Readme.md, that the renewals are still a work-in-progress, and which work-arounds can be followed.

You can simply request a new certificate using the same DNS name as before...

I tried your entire Quick-Start process from step 3 onward, but I receive error messages for most of them:

New-ACMERegistration: No error. Returns the PublicKey, RecoveryKey, etc. as normal.
New-ACMEIdentifier: "An item with the same key has already been added."
Complete-ACMEChallenge: No error. Returns same as normal with status = valid.
Submit-ACMEChallenge: "challenge has not been decoded"
Update-ACMEIdentifier: No error. Returns same as normal with status = valid.
New-ACMECertificate: "An item with the same key has already been added."
Submit-ACMECertificate: "asset file already exists"

So I try Get-ACMECertificate, export it to Pkcs12 for IIS, replace the old certificate, and upon viewing it, the validity period is exactly the same as the old certificate.

My concern here is that we switch our systems over to full SSL, and when the various certificates expire after 90 days and everything falls over, we're out of business. In the meantime we hurry to switch SSL off again or attempt to "renew" certificates - which actually cannot be done yet.

Could you shed some light on the error messages? Can you also please be specific about the renewal process workaround and which commands one can expect to use?

stev-0 commented Aug 1, 2016

This is a good video, which might help to explain: https://www.youtube.com/watch?v=hXKOBKjWhV8&feature=youtu.be

swinster commented Feb 1, 2017

I don't suppose there has been any further movement on renewals? I note that Win-simple has this feature but although I am using Windows (amongst other hosts), we don't actually use IIS, so need to renew the cert in the machine store.

AHandless commented Feb 12, 2017

@swinster actually there is no renew method in the ACME protocol. If you request a new certificate for a domain you requested a certificate for before, this new certificate is considered a renewal.
https://tools.ietf.org/html/draft-ietf-acme-acme-04#section-6.4.2

A certificate resource represents a single, immutable certificate. If the client wishes to obtain a renewed certificate, the client initiates a new application process to request one.

This action is subject to Duplicate Certificate limit which is 5 per week per domain. So you can create a script that just uses the New-ACMECertificate cmdlet and call it "Renew-ACMECertificate".

Owner

ebekker commented Feb 13, 2017

The early versions of the ACME protocol actually did account for optional support by the CA for renewals and many moons ago, when an Identifier validation (i.e. a validated DNS name) actually lasted more than a couple of months, it was possible to perform a true renewal, but because that was not necessary to support a working ACME client, it was not initially implemented.

Just as @AHandless indicated, as the ACME spec has evolved, they actually simplified this area and eliminated the renewal support in the protocol, and likewise the actual LE CA implementation shortened the life of an Identifier validation period so that it expires after only a couple of months. Since the validation period is now shorter than the life of an issued certificate, it effectively requires that you re-validate each time you renew your certificate.

(In retrospect, it was a good thing that true renewals were not implemented as that would have been wasted work since it's no longer supported or allowed.)

Renewals are now exactly the same as new requests. You need to validate the Identifier (i.e. the DNS name) with each renewal just as the new request, and then you need to request a new certificate with the validated Identifier. There are numerous references in tickets and the wiki that point you to other folks' work that simplifies this process, either manually through video tutorials or even scripts that will automate this for you.

I do eventually plan on adding native support to the ACMESharp tools to make this process easier, but there is lots of community-provided support already there to make it usable.

masbicudo commented Feb 17, 2017

I am trying to revalidate the domain as you suggested. When using CompleteChallenge, I use Force and Regenerate flags, but the challenge is the same as the previously already validated one (same key and same well-known path). Then I call SubmitChallenge, also with Force. Do I need to complete challenge again? Or just calling SubmitChallenge is enough?

Owner

ebekker commented Feb 24, 2017

You need to execute Complete-Challenge again.

mamama1 commented Apr 2, 2017

To sum things up: you are saying that after about 60 days, when the certificate is about to expire within the next 30 days, I have to revalidate my ACMEIdentifier to request a renewal certificate, right?

So to accomplish this, I won't do "New-ACMEIdentifier" again, because I already have one, right?
I'll do

  1. Complete-ACMEChallenge "myAlias" -ChallengeType whatever -Handler whatever
  2. do whatever needs to be done for the challenge to be successful (dns entry or whatever)
  3. Submit-ACMEChallenge "myAlias" -ChallengeType whatever
  4. wait until status is valid
  5. Request new Certificate using New-ACMECertificate and Submit-ACMECertificate as usual

Did I miss something or is this right now the way to go to renew certificates?
I have finished automating the request of new certs using DNS challenge (my DNS offers an XML interface I can use with "Invoke-WebRequest") and now I'd like to finish automatic renewal.

thanks

Owner

ebekker commented Apr 2, 2017

Read my comments above -- there is really no longer any distinct renewal operation because of the current expiration times, so you essentially need to start with the very beginning of the process (except for the account registration) every time, so begin with New-ACMEIdentifier. You can't issue Complete-ACMEChallenge without being presented with a set of challenges, which is what New-ACMEIdentifier does.
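The procedure mamama1 listed, corrected as above to begin with New-ACMEIdentifier, is what @AHandless called wrapping into a "Renew-ACMECertificate" script. The following is an added example of such a script, written for this thread and not part of ACMESharp itself. It assumes the ACMESharp PowerShell module is installed and a vault with a completed registration exists; the DNS name, file paths and PFX password are constructed placeholders, and the property names read from cmdlet output (`.Challenges`, `.Status`, `.IssuerSerialNumber`) are assumed to match the 0.8.x module. Each run uses fresh, timestamped aliases so the vault never reports "An item with the same key has already been added", and it only renews when the certificate currently in the machine store is within 30 days of expiry (the 60-day renewal point recommended above).

```powershell
<#
  Added example (not ACMESharp project code): treat every renewal as a fresh
  request, exactly as the thread describes, with fresh vault aliases per run.
  Placeholders: DNS name, paths, password. Assumed: ACMESharp 0.8.x output shape.
#>
param(
    [string]$DnsName           = "www.example.com",              # placeholder
    [string]$PfxPath           = "C:\certs\www.example.com.pfx", # placeholder
    [string]$PfxPassword       = "change-me",                    # placeholder
    [string]$ChallengeType     = "dns-01",
    [int]   $RenewWhenDaysLeft = 30    # LE issues 90-day certs; renew at ~60 days
)

Import-Module ACMESharp

# Decide whether renewal is due by inspecting the newest matching certificate in
# the machine store (covers IIS as well as non-IIS hosts such as Exchange).
function Test-RenewalDue {
    param([string]$Subject, [int]$DaysLeft)
    $current = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $current) { return $true }                # nothing installed yet
    return $current.NotAfter -lt (Get-Date).AddDays($DaysLeft)
}

if (-not (Test-RenewalDue -Subject $DnsName -DaysLeft $RenewWhenDaysLeft)) {
    Write-Host "Certificate for $DnsName has more than $RenewWhenDaysLeft days left; nothing to do."
    return
}

# Fresh aliases per run: reusing an alias is what produces the
# "An item with the same key has already been added" error seen in this thread.
$stamp     = Get-Date -Format "yyyyMMdd-HHmm"
$idAlias   = "$DnsName-id-$stamp"
$certAlias = "$DnsName-cert-$stamp"

# 1. A new identifier returns a fresh set of challenges; re-validation is
#    required because LE's authorization lifetime is shorter than the cert's.
New-ACMEIdentifier -Dns $DnsName -Alias $idAlias | Out-Null

# 2. Prepare the challenge. The manual handler prints the record or file that
#    must be published; hook DNS-provider or web-server automation in here.
Complete-ACMEChallenge $idAlias -ChallengeType $ChallengeType -Handler manual | Out-Null
# <placeholder> publish the printed TXT record / .well-known file via your
# provider's API (mamama1's Invoke-WebRequest step) instead of prompting.
Read-Host "Press Enter once the $ChallengeType challenge response is published"

# 3. Ask the CA to verify, then poll until the authorization leaves 'pending'.
Submit-ACMEChallenge $idAlias -ChallengeType $ChallengeType | Out-Null
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $auth   = Update-ACMEIdentifier $idAlias -ChallengeType $ChallengeType
    $status = ($auth.Challenges | Where-Object { $_.Type -eq $ChallengeType }).Status
} while ($status -eq "pending" -and (Get-Date) -lt $deadline)
if ($status -ne "valid") { throw "Challenge for $DnsName ended with status '$status'" }

# 4. Generate a new key pair and CSR, submit it, and poll until the CA has issued.
New-ACMECertificate $idAlias -Generate -Alias $certAlias | Out-Null
Submit-ACMECertificate $certAlias | Out-Null
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $issued = (Update-ACMECertificate $certAlias).IssuerSerialNumber
} while (-not $issued -and (Get-Date) -lt $deadline)
if (-not $issued) { throw "CA did not issue certificate $certAlias in time" }

# 5. Export as PKCS#12 and install into the machine store. The old certificate
#    is left in place, so a failed run never removes a still-valid certificate.
Get-ACMECertificate $certAlias -ExportPkcs12 $PfxPath -CertificatePassword $PfxPassword | Out-Null
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure | Out-Null
Write-Host "Installed renewed certificate for $DnsName (vault aliases: $idAlias / $certAlias)"
```

Run it from a scheduled task; on most days it exits at the expiry check without touching the CA, which also keeps the per-domain duplicate-certificate rate limit mentioned earlier out of play. Rebinding IIS or Exchange to the new thumbprint is deliberately not included, since that step differs per host.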

mamama1 commented Apr 2, 2017

So we end up creating new identifiers with some random GUIDs appended every ~60 days?
Isn't this kind of crappy? Is this desired by ACME or just work in progress by ACMESharp?

JohnLBevan commented Sep 12, 2017

Should it help others, here are a couple of blog posts by @mcdurdin with scripts for "renewing" identifiers & certificates for a cert used by IIS:

angelperezleon commented Sep 19, 2017

Just throwing my weight behind this too.
Posted elsewhere and think this is the best place to get an answer on the issue of renewing ACMESharp generated Exchange 2016 certificates.
Please advise on a working .ps1 script we can use to re-validate an existing cert due to expire.

Currently getting:

New-ACMEIdentifier : An item with the same key has already been added.

as per my post here: https://community.letsencrypt.org/t/le-acme-exchange-ps1-exchange-2016-renewal-issues-part-2/42543
& here #294

Thanks
