V4 Beta test volunteers wanted #270

Closed
webprofusion-chrisc opened this Issue Mar 14, 2018 · 255 comments

Contributor

webprofusion-chrisc commented Mar 14, 2018

Interested in testing the new v4 release of the app with support for the ACME v2 API, wildcard certs, API credentials manager and a bunch of other UI changes?

If so, and you have a server to test on (backup any previous config using the instructions below), please try it out. Leave a comment here to be notified when new test versions are available. Thanks!


Update - 4.0 has now been released. (Updated 2018/07/25, V 4.0.4)

Alpha/Beta/RC Release Notes:

V4 is a major update, including:

  • Redesigned User Interface
  • New status info and preview tabs
  • Let's Encrypt v2 API including wildcard domain support (using the Certes library)
  • All 64-bit
  • DNS validation
    • Manual, Scripted or via API
    • DNS APIs Supported: Cloudflare, Azure, AWS Route53, GoDaddy, DnsMadeEasy, OVH, SimpleDNS, Alibaba Cloud DNS. Vote for other options.
  • Stored credentials: manage protected DNS API credentials for auto renewals
  • New certificate deployment options
  • Preset example scripts for Exchange, Remote Desktop Gateway etc.

Release Candidate 1 Updates

  • Fix important bug with AWS Route 53 DNS provider causing unintended deletes
  • Implement manual DNS notifications (optional)
  • Add new certificate cleanup process of expired certs created by the app
  • General bug fixes
  • Fix IDN certificate requests (regression)
  • Fix invalid deployment matches for wildcard and root domains if only using a wildcard domain
  • Minor UI updates

Beta 4 updates

  • Test of version auto update (hence 4.0.1)
  • Minor bug fixes
  • Fix issue preventing new cert UI showing
  • Work on issues related to running many http challenges
  • Updated Chinese (za-Han) translation contributed by @iccfish
  • New Japanese translation contributed by @haramizu

Beta 3 updates:

  • New Alibaba Cloud DNS provider (Aliyun) - user contributed! @TkYu
  • Custom propagation delay (pause before validation) in scripting DNS provider
  • Implement DNS challenge record cleanup
  • Implement multi-challenge website root path options
  • Skip config check tests during requests if no recent failures
  • Fix challenge validation issue combining wildcard domains with non-wildcard
  • Fix exception stopping http challenge server if already stopped
  • Fix error re-using Certes acme context
  • Fix renew-all logic for items not yet requested (CSV imports etc)

Beta 2 updates:

  • Lots of bug fixes & feature stabilisation
  • New Dns Zone Lookup option for DNS APIs (makes finding your DNS zone id much easier!)
  • New SimpleDNS API provider (user contributed! @alphaz18 )
  • Multi-challenge UI updates
  • Other minor UI updates
  • Release for v4 is getting close!

Beta 1 updates:

  • Manual DNS validation option (doesn't yet send notification email but can do in the future)
  • Scripted DNS provider
  • New OVH DNS provider (user contributed! @laugel )
  • New UI for multi-challenge config, this is useful if you need one cert but need to use multiple challenge configurations (different DNS provider/settings, or mix of HTTP and DNS validation)
  • Experimental http challenge server, temporarily runs a port 80 server to complement IIS etc, answering http challenges only.
  • Dynamic reallocation of background service port (when port already in use, configurable)
  • UI updates & bug fixes

Alpha 6 updates:

  • Fix for determining root domain of zone (subdomains)
  • Minor UI updates (validation), some accessibility labels
  • Add warning for Server 2008 R2 and lower regarding lack of SNI

Alpha 5 updates:

  • Fix for alpha 4 PFX corruption (certes update)
  • New deployment matching process (auto, single site, all sites, various matching options)
  • Preview UI updates & fixes
  • Minor CLI option updates
  • https://docs.certifytheweb.com

Alpha 4 updates:

  • Credentials editor updates & Test Option
  • GoDaddy DNS provider (contributed by @alphaz18 )
  • DnsMade Easy DNS Provider

Alpha 3 updates:

  • Fixes for Azure DNS provider
  • Fixes for Preview
  • DNS Check fixes
  • DNS propagation Pause mode
  • Additional checks for invalid wildcard/label mixes in cert request
  • Update quick start guide UI

Alpha 2 updates:

  • Significantly updated 'Preview' option UI
  • Updated deployment matching
  • New 'Test' results UI
  • New CSV import options
  • General bug fixes

Upgrading
If you have a previous install on the server you are testing on:

* Backup the folder C:\ProgramData\Certify before upgrading
* Uninstall the existing app using Add or Remove Programs
* Don't skip either of these steps

How to revert to the old version (current release):

* Uninstall the v4 alpha version
* Delete the C:\ProgramData\Certify folder
* Restore your backup of the C:\ProgramData\Certify folder
* Restart Windows
* Install the current release again

Known Issues:

The app is now 64-bit, so check if you have any dependency on 32-bit (scripting use etc). Old scheduled tasks will no longer work as they will point to the removed 32-bit version. Scheduled Tasks are no longer required for renewals.

Please report any bug you find as a new issue, please also check first if it's already been reported.

See also the informal product roadmap: https://github.com/webprofusion/certify/blob/development/docs/roadmap.md

Discussion Forum:
https://community.certifytheweb.com : note the forum does not use your certifytheweb.com dashboard account details if you have any, it has its own set of usernames etc.

johnabela commented Mar 14, 2018

I am up for giving it a go. I currently have three certs set up and running on an EC2 server. I have three or four additional domains that I could test it out on/with, that I just have not made the switch away from my RapidSSL certs yet, but could do so.

Contributor

webprofusion-chrisc commented Mar 14, 2018

Thanks, the alpha version should be happening in the next week or two. Pretty big changes!

telamon4ebe commented Mar 14, 2018

Hello, I have some test domains which I would like to test with the v4 version.

macBender commented Mar 15, 2018

I have an IIS server and suitable domain for wildcard testing.

lankaapura commented Mar 15, 2018

👍

genxlee commented Mar 15, 2018

Interested

pixelatedface commented Mar 16, 2018

Would love to test this in our test environment running IIS, and hopefully move it to live once it's out of Alpha/Beta. Currently have a GoDaddy wildcard cert we'd like to get rid of.

markive commented Mar 18, 2018

Interested..

Contributor

webprofusion-chrisc commented Mar 18, 2018

Quick question to those interested in the beta:

  • Is anyone still running a 32-bit version of Windows (server, i.e. can we get rid of 32-bit support)?
  • Can everyone run the required (v4) minimum of .Net Framework 4.6.2?

Currently the new version targets .NET 4.6.2 so that we can reference the latest versions of the IIS Administration APIs. I'm contemplating going 64-bit only so that people who use PowerShell scripts can expect a 64-bit environment by default.

Tony1044 commented Mar 18, 2018

Hi Chris. Very interested in testing. All 64 bit here but if you ever needed, I could eat stand up a 32 bit server should you require it

markive commented Mar 18, 2018

Not running 32-bit but can handle latest version of .Net

johnabela commented Mar 19, 2018

I am running 64 and have 4.6.2 installed.

Jaggl-AT commented Mar 19, 2018

I am also Interested... 👍

Contributor

webprofusion-chrisc commented Mar 19, 2018

Next question: if you use a cloud DNS provider (who have an API) which one do you use? Planning to target AWS Route 53, Azure and CloudFlare in this first release.

DNS validation (creating a random TXT record in your domain's DNS zone) is required by Let's Encrypt in order to request wildcard certs, it's also useful if you can't do normal http-01 validation through port 80.

markive commented Mar 19, 2018

Cloudflare

suckmyhardware commented Mar 20, 2018

I'm also interested :)

Sebastian1989101 commented Mar 20, 2018

I have two servers available for testing. Are there already more exact plans when the Alpha/Beta for v4 will arrive?

Contributor

webprofusion-chrisc commented Mar 20, 2018

@Sebastian1989101 It's only myself that regularly does any work on the app, and I have a day job as well, so it just gets done when there's time. v4 has a bunch of necessary UI changes as well as big changes to the internals and that has resulted in a lot of work to do. I'm at the stage where I'm fixing bugs and ironing out obvious issues, so it could be next week or later. We're coming into the Easter holiday period and I have family stuff on so that could delay things, but I'm hoping to start getting test versions out before then.

Tony1044 commented Mar 20, 2018

Appreciate all of your hard work on it, Chris. I'm not a coder but have a bunch of servers running various things from Linux through various Windows versions so anything I can do to help test or iron out things just feel free to holler.

djpbessems commented Mar 21, 2018

I'm willing to test as well.
Not using a cloud based DNS provider, just TransIP, who sadly only have a very clunky php-based API...

webprofusion-chrisc added this to the v4 milestone Mar 22, 2018

FlixSir commented Mar 22, 2018

I'm interested :)

I have some IIS servers and suitable domains for wildcard testing. The servers are running on different versions of Windows Server. (2012, 2012r2 and 2016)

luetze commented Mar 22, 2018

I'm interested. I have some IIS running based on Win Server 2016.

boscorelly commented Mar 22, 2018

Hi,

I can do this on 2012, 2012r2 and 2016

mvanhalen commented Jul 11, 2018

I have created a wildcard cert for an Azure website and used the Azure DNS plugin validation. It all worked. Great stuff, thanks! Way easier than working with the PowerShell scripts. Would be cool to have support for Azure Websites directly (Apply the cert) and an Azure webjob for the renewal (Auto update the Azure website). Is this something I can help with?

Contributor

webprofusion-chrisc commented Jul 11, 2018

Update: expected release for v4 is late next week. A final release candidate will be made available with minor updates to try out before then.

@mvanhalen Thanks! Any help with support for Azure Websites would be great, please jump in and let's discuss what's required in #336

ScottRFrost commented Jul 13, 2018

v4.0.1.40004 appears to have an issue with Route 53 DNS plugin.

It will work if I have to manually create a _acme-challenge.domain.com TXT record before I attempt it, because if I don't I get DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.com. If I don't create it, and I refresh Route 53's record view I can't see the record while we're on the "waiting 60 seconds...." step, so it's definitely not creating it. Worse still, sometimes when it fails and it tries to delete the TXT record that isn't there it deletes one of my other A records instead!!

Here is a log of the most recent such failure. I tried everything to get it to work, but the only thing that seems to fix it is creating the TXT record prior to doing the challenge.

Contributor

webprofusion-chrisc commented Jul 14, 2018

@ScottRFrost thanks for reporting this, the route53 provider has been working OK which suggests there is an edge case here. Is the domain a subdomain or the root level domain for your zone? I'll review the delete behaviour as it should be impossible for us to delete an A record in any circumstances.
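
A guard of the kind the delete step discussed above needs, as an added example that is not Certify's code and does not claim to reproduce the cause of the reported bug (the page does not state it): cleanup deletes a record only when its type, exact name and value all match the challenge that was created. The record dictionary shape, the function names and the sample zone are assumptions made up for illustration.

```python
"""Guarded cleanup of a dns-01 challenge TXT record (illustrative sketch)."""


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def challenge_record_name(domain):
    """dns-01 record name; a wildcard uses the same name as its base domain."""
    domain = normalise(domain)
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain


def unquote(value):
    """Zone listings commonly return TXT values wrapped in double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def select_record_for_delete(records, domain, expected_value):
    """Return the single record that is safe to delete, or None.

    `records` is whatever the provider's listing call returned (hypothetical
    dict shape). It is not trusted to contain only the record asked for, so
    the first entry is never assumed to be the target.
    """
    wanted = challenge_record_name(domain)
    for rec in records:
        if rec.get("type", "").upper() != "TXT":
            continue  # never touch A, CNAME, MX ... records
        if normalise(rec.get("name", "")) != wanted:
            continue  # exact name only, no prefix or "closest" match
        if expected_value not in [unquote(v) for v in rec.get("values", [])]:
            continue  # a TXT record this request did not create
        return rec
    return None  # nothing to delete is a normal outcome, not an error


# Constructed sample zone listing (documentation names and addresses).
SAMPLE_ZONE = [
    {"name": "example.com.", "type": "A", "values": ["192.0.2.10"]},
    {"name": "_acme-challenge.example.com.", "type": "TXT",
     "values": ['"constructed-token"']},
    {"name": "www.example.com.", "type": "A", "values": ["192.0.2.11"]},
]

if __name__ == "__main__":
    # The challenge record exists and matches: it is selected.
    print(select_record_for_delete(SAMPLE_ZONE, "*.example.com", "constructed-token"))
    # The challenge record was never created: nothing is selected, and the
    # A records that the listing also returned are left alone.
    only_a = [r for r in SAMPLE_ZONE if r["type"] == "A"]
    print(select_record_for_delete(only_a, "example.com", "constructed-token"))
```
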

ScottRFrost commented Jul 15, 2018

I tried uninstalling and reinstalling the app, creating new AWS IAM credentials, etc.

The only way I was able to get it to work was creating the TXT record ahead of time. I'd be happy to run a build that can provide additional logs / do a GoToMeeting etc. Email me at my GitHub username @ gmail.com.

Contributor

webprofusion-chrisc commented Jul 16, 2018

@ScottRFrost thanks, I'll email you for more info, I think there's likely something else affecting this regarding your particular domain's DNS configuration.

jerbasco1 commented Jul 16, 2018

I'm actually having a similar issue with route 53 and v4.0.1.40004. PM for more info.

2018-07-10 13:49:36.439 -07:00 [INF] Beginning Certificate Request Process: psconsult using ACME Provider:Certes
2018-07-10 13:49:36.440 -07:00 [INF] Registering Domain Identifiers
2018-07-10 13:49:37.466 -07:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/xxx
2018-07-10 13:49:37.628 -07:00 [VRB] Fetching Authorizations.
2018-07-10 13:49:37.754 -07:00 [VRB] Fetching Authz Challenges.
2018-07-10 13:49:38.094 -07:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/xxx
2018-07-10 13:49:38.259 -07:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/xxx
2018-07-10 13:49:38.260 -07:00 [INF] Attempting Domain Validation: xxx.xxx.xxx.xxx
2018-07-10 13:49:38.260 -07:00 [INF] Registering and Validating xxx.xxx.xxx.xxx 
2018-07-10 13:49:38.260 -07:00 [INF] Performing automated challenge responses (xxx.xxx.xxx.xxx)
2018-07-10 13:49:38.265 -07:00 [INF] DNS: Creating TXT Record '_acme-challenge.xxx.xxx.xxx.xxx' with value 'xxx', in Zone Id '/hostedzone/xxx' using API provider 'Amazon Route 53 DNS API'
2018-07-10 13:49:38.913 -07:00 [INF] DNS: Amazon Route 53 DNS API :: Dns Record Created: _acme-challenge.xxx.xxx.xxx.xxx
2018-07-10 13:49:38.914 -07:00 [INF] Requesting Validation from Let's Encrypt: xxx.xxx.xxx.xxx
2018-07-10 13:50:39.740 -07:00 [INF] Attempting Challenge Response Validation for Domain: xxx.xxx.xxx.xxx
2018-07-10 13:50:39.740 -07:00 [INF] Registering and Validating xxx.xxx.xxx.xxx 
2018-07-10 13:50:39.741 -07:00 [INF] Checking automated challenge response for Domain: xxx.xxx.xxx.xxx
2018-07-10 13:50:40.430 -07:00 [INF] DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxx.xxx.xxx.xxx
2018-07-10 13:50:41.235 -07:00 [INF] DNS: Deleting TXT Record '_acme-challenge.xxx.xxx.xxx.xxx', in Zone Id '/hostedzone/xxx' using API provider 'Amazon Route 53 DNS API'
2018-07-10 13:50:41.685 -07:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxx.xxx.xxx.xxx
2018-07-10 13:50:41.685 -07:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxx.xxx.xxx.xxx
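
A triage pass over a log of this shape, as an added example (not part of the comment above or of Certify): it pairs each "Dns Record Created" line with the first later NXDOMAIN for the same record, reports the delay, and notes whether a cleanup delete followed. The sample lines are constructed to mirror the format above with `example.com` placeholders, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Line shape taken from the log above: "<date> <time> <utc offset> [LVL] message"
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ([+-]\d\d):(\d\d) \[(\w+)\] (.*)$")
CREATED = re.compile(r"Dns Record Created: (\S+)")
NXDOMAIN = re.compile(r"NXDOMAIN looking up TXT for (\S+)")
DELETING = re.compile(r"DNS: Deleting TXT Record '([^']+)'")


def parse_time(stamp, tz_hours, tz_minutes):
    """Build an aware datetime; the offset colon is dropped for %z."""
    return datetime.strptime(f"{stamp} {tz_hours}{tz_minutes}",
                             "%Y-%m-%d %H:%M:%S.%f %z")


def find_created_but_unresolved(lines):
    """Records the provider reported as created that the CA then could not find."""
    created = {}       # record name -> time the provider reported creation
    awaiting = {}      # record name -> finding still waiting for a delete line
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip stack traces, blank lines, wrapped text
        when = parse_time(m.group(1), m.group(2), m.group(3))
        msg = m.group(5)
        hit = CREATED.search(msg)
        if hit:
            created[hit.group(1)] = when
            awaiting.pop(hit.group(1), None)  # a new attempt starts
            continue
        hit = DELETING.search(msg)
        if hit:
            if hit.group(1) in awaiting:
                awaiting[hit.group(1)]["cleanup_attempted"] = True
            continue
        hit = NXDOMAIN.search(msg)
        if hit and hit.group(1) in created:
            name = hit.group(1)
            finding = {
                "record": name,
                "seconds_after_create": (when - created.pop(name)).total_seconds(),
                "cleanup_attempted": False,
            }
            findings.append(finding)  # repeated NXDOMAIN lines are not re-counted
            awaiting[name] = finding
    return findings


# Constructed sample, modelled on the log format above.
SAMPLE_LOG = """\
2018-07-10 13:49:38.265 -07:00 [INF] DNS: Creating TXT Record '_acme-challenge.app.example.com' with value 'constructed', in Zone Id '/hostedzone/EXAMPLE' using API provider 'Amazon Route 53 DNS API'
2018-07-10 13:49:38.913 -07:00 [INF] DNS: Amazon Route 53 DNS API :: Dns Record Created: _acme-challenge.app.example.com
2018-07-10 13:50:40.430 -07:00 [INF] DNS problem: NXDOMAIN looking up TXT for _acme-challenge.app.example.com
2018-07-10 13:50:41.235 -07:00 [INF] DNS: Deleting TXT Record '_acme-challenge.app.example.com', in Zone Id '/hostedzone/EXAMPLE' using API provider 'Amazon Route 53 DNS API'
2018-07-10 13:50:41.685 -07:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.app.example.com
""".splitlines()

if __name__ == "__main__":
    for f in find_created_but_unresolved(SAMPLE_LOG):
        print(f)
```
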

jerbasco1 commented Jul 16, 2018

I was wondering if the package updates commit would help...was waiting to test it in the RC.

1590897

ScottRFrost commented Jul 17, 2018

Minor feature request that might help: Log the Message response from DeleteRecord to the log file.

boscorelly commented Jul 18, 2018

I think having a staging mode will be great to avoid rate limits.
CA="https://acme-staging-v02.api.letsencrypt.org/directory"

Contributor

webprofusion-chrisc commented Jul 18, 2018

@boscorelly if we're hitting rate limits under normal use then we're doing something wrong and we should fix that or help you get a resolution without spamming the Let's Encrypt API. There are a couple of open issues requesting staging API use (#337 #247 #162) - if anyone would like to try submitting a PR it would be welcome, it's more than just changing the API url so happy to discuss in one of the other issues.

boscorelly commented Jul 18, 2018

I understand.
When trying to make the Exchange script work, I may reach the limits. And basically, when developing a script it's easy to reach the limit :(

Contributor

webprofusion-chrisc commented Jul 19, 2018

@boscorelly yes, sounds like we need an option to re-run the post-request script (and the deployment step) on demand, we currently have an option to re-deploy the script but it doesn't include the post-request script. I'll create a new issue.

Contributor

webprofusion-chrisc commented Jul 21, 2018

V4 Release Candidate 1 is out now. Link at the top of this discussion.

silverbacknet commented Jul 23, 2018

I submitted the error, a full application crash, but I'll post here too:

An error occurred: Certify.Client.ServiceCommsException: Internal Service Error: managedcertificates/search/: {"Message":"No HTTP resource was found that matches the request URI 'http://localhost:9696/api/managedcertificates/search/'.","MessageDetail":"No type was found that matches the controller named 'managedcertificates'."}
   at Certify.Client.CertifyServiceClient.<PostAsync>d__26.MoveNext()

System is Server 2012 R2 with IIS7. I removed the port 80 bindings since I don't need them (this is for Exchange); no error when I add them back in.

I've been able to make other servers work fine, but this one just stubbornly refuses to do anything but 403, so I was hoping the new built-in webserver would fix it and bypass IIS stupidity.

Contributor

webprofusion-chrisc commented Jul 23, 2018

@silverbacknet hmm, can you make sure that the old version of certify was uninstalled (uninstall the app and make sure the Certify SSL Manager service is no longer running, then reinstall 4.x) - this looks a little like the new version of the UI is still talking to the old version of the service.

jerbasco1 commented Jul 23, 2018

RC fixed my aws dns verification issues!

silverbacknet commented Jul 23, 2018

Hmm. I can confirm files were left in the old folder after uninstallation, but the service running is definitely the v4 64-bit version. May I ask how you were able to get the http test working without interrupting port 80 in IIS? That's rather interesting. I can confirm it issues the certificates perfectly in that case.

ScottRFrost commented Jul 23, 2018

V4 RC1 fixes my AWS Route53 DNS verification as well as the issue where it was trying to apply the *.domain.com wildcard cert to my domain.com binding. Thank you!

Contributor

webprofusion-chrisc commented Jul 24, 2018

@silverbacknet if you are still having trouble please email support {at} certifytheweb.com with a screenshot or log etc of the error and we'll go from there. Regarding the http challenge server, it works by attempting to temporarily add an http listener via http.sys, which is specific to the /.well-known/acme-challenge path that https validation works on. Other less specific paths will continue to be routed to IIS as normal. If you use other non-http.sys aware servers (like Apache) then we fall back to the normal method.

silverbacknet commented Jul 24, 2018

I think it might've been down to my removing all port 80 bindings in IIS, thinking that would be necessary for the new certify's webserver, since I didn't realize there was some awesome networking black magic going on under the hood. I can't replicate the crash even by unbinding port 80 now, though, so who knows, it could be anything due to the upgrade. It definitely works 100% now.

Contributor

webprofusion-chrisc commented Jul 25, 2018

Thanks to everyone who tried out the alpha, beta and release candidate versions for all your feedback and testing. V4 (4.0.4) has now been released. For any unresolved issues or new bugs you find please create a new issue or update existing issues. Thanks again for everyone's help.

tvanassche commented Jul 25, 2018

Tony1044 commented Jul 25, 2018

greatmohsen commented Jul 25, 2018

I got this error on download link:

NoSuchKey The specified key does not exist. downloads/CertifyTheWebSetup_V4RC1.exe D723491815A981B9 IVJulMuKzsFX61rotHMXEijPZ2LQAAxp2KJtTrNwucFCXMNs1dV1nWAeiFMbXP1yAKY6nrhlcw0=

Tony1044 commented Jul 25, 2018

Contributor

webprofusion-chrisc commented Jul 25, 2018

@greatmohsen thanks, the release candidate is no longer available to download, I'll remove the link above.

boscorelly commented Aug 20, 2018

Hi,

I just want to say I have tried the v4 for the first time a few days ago. And what I want to say is "amazing"!
It's doing more than the v3 (without regarding wildcard certs).

Thanks a lot !
