Unable to store certificate: Access is denied. #1350

Closed
bret-miller opened this issue Jan 15, 2020 · 18 comments

@bret-miller

Running on Windows Server 2019 with IIS, creating a new certificate fails to store the certificate so automatic renewals do not happen.

To Reproduce

  1. File Explorer to C:\Program Files\WinAcme
  2. Right click on wacs.exe, "Run as administrator"
  3. n (new certificate simple for IIS)
  4. 1422078766 (the site ID)
  5. Enter (select all bindings)
  6. 2 (select second binding as common name)
  7. y (continue with selection)
  8. See error

Expected behavior
Expected it to authorize, request a new certificate, apply it to all appropriate bindings, and schedule it for renewal

Log
[INFO] Target generated using plugin IIS: swupd2019.hq.gci.org and 1 alternatives
[INFO] Authorize identifier: swupd.hq.gci.org
[INFO] Cached authorization result: valid
[INFO] Authorize identifier: swupd2019.hq.gci.org
[INFO] Cached authorization result: valid
[INFO] Requesting certificate [IIS] site 1422078766 (any host)
[INFO] Store with CertificateStore...
[INFO] Installing certificate in the certificate store
[INFO] Adding certificate [IIS] site 1422078766 (any host) 2020/1/15 9:09:47 to store WebHosting
[EROR] Error saving certificate to intermediate store
[EROR] (WindowsCryptographicException) Unable to store certificate: Access is denied.
[EROR] Create certificate failed: Store failed: Access is denied.

Platform:

  • OS: Windows Server 2019 Standard, English
  • Version: 2.1.2.641 (RELEASE, UNPLUGGABLE)
@WouterTinus
Member

Hi @bret-miller, would you please run certlm.msc and check if you have a certificate store called "Intermediate Certification Authorities" on your system? I've not seen this exception before but I could see the code failing that way if it didn't exist.

@bret-miller
Author

Hi @WouterTinus, I ran it and found that it does exist. So I'm guessing "Access is denied." is the clue here. Do you have any idea how to update the permissions? I guess I can try to Google it...

@WouterTinus WouterTinus added this to the 2.1.3 milestone Jan 16, 2020
@WouterTinus
Member

It's mysterious why you wouldn't be able to access this store as an administrator. Strangely, the error doesn't occur when opening the store, but when adding the certificate. That might just mean that the framework doesn't actually open the store until it's used, but maybe also that the add call fails (trying to overwrite something that is restricted? some group policy?)

In any case I think it shouldn't be a fatal exception. The next release at least shouldn't crash on it anymore. You might end up with a broken certificate chain though, but that can be worked around by installing Let's Encrypt's intermediate certificate manually.
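A diagnostic for the two candidates raised here, as an added example (PowerShell, not win-acme code and not from this thread): it lists the Let's Encrypt entries in the Intermediate Certification Authorities store, tells whether each is delivered by Group Policy, and shows which identities may write to the registry key that backs the entry. The subject pattern and the two registry paths are assumptions about the standard LocalMachine store layout.

```powershell
# Added diagnostic, not win-acme code. Run in an elevated PowerShell on the IIS host.
# LocalMachine certificate stores are backed by registry keys; these are the usual
# locations for the "CA" (Intermediate Certification Authorities) store and for copies
# delivered by Group Policy (assumed layout, verify on your own system).
param([string]$Pattern = "*Let's Encrypt*")   # subject/issuer filter, adjust as needed

$localCa = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates'
$gpoCa   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates'

if (-not (Test-Path 'Cert:\LocalMachine\CA')) {
    Write-Warning 'The Intermediate Certification Authorities store is missing.'
    return
}

Get-ChildItem 'Cert:\LocalMachine\CA' |
    Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
    ForEach-Object {
        $cert    = $_
        $key     = Join-Path $localCa $cert.Thumbprint
        $writers = @()
        if (Test-Path $key) {
            # Identities allowed to change values under the key; "Access is denied" on a
            # store add means the caller is not among them (or a Deny entry wins).
            $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
            $writers  = (Get-Acl $key).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (($_.RegistryRights -band $setValue) -ne 0) } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        }
        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            InLocalStoreKey = Test-Path $key
            # A copy under the Policies hive is managed by Group Policy, not editable locally.
            FromGroupPolicy = Test-Path (Join-Path $gpoCa $cert.Thumbprint)
            CanSetValue     = $writers -join ', '
        }
    } | Format-List
```

An entry that exists but whose CanSetValue list does not include the account running wacs.exe (or the scheduled task) is the one a store add would trip over.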

@bret-miller
Author

Thank you. Perhaps you're right about overwriting something. The certificate is already there. At least if it doesn't crash, it'll renew properly with the scheduled job rather than requiring manual intervention.

@WouterTinus
Member

Interesting, did you add that yourself or was that done by the program (or a previous version?)

Is there maybe another admin account using the system that used the program?

@bret-miller
Author

There are multiple admin accounts and it's possible it could have been a different account. I don't think I added it manually.

@bret-miller
Author

I deleted the intermediate certificate that was causing the error and reissued the certificates on this server. That got me around the error. I've also updated the user on the scheduled task to match the user that created the certificates.

@WouterTinus
Member

It must have been a permission issue then, but I've never seen something like that before. Anyway, I'm glad you were able to resolve it!

@jata2717

wacs.exe does not have permission to save certificates in the Trusted Root Certification Authorities folder and gives an error

@jata2717

wacs.exe Unable to store the certificate, access denied. Could you help me resolve this problem?

@ourdark

ourdark commented Jun 25, 2021

I have the same issue, resolved by removing all files in programdata\win-acme and re-importing the renewals.
It seems like I imported them with 2.0.8 and the current version is 2.1.17

@douglassimaodev

I used an older version and it worked fine; the latest win-acme.v2.2.2.1447.x64.pluggable has a bug....

@kaellau

kaellau commented Mar 13, 2023

I think the latest version win-acme.v2.2.2.1447.x86.pluggable.zip has a bug.


While a version before (win-acme.v2.2.1.1434.x64.pluggable.zip)


@LeeThompson

I got this too. PEM export worked fine however and that's my primary method.

@WouterTinus WouterTinus reopened this Mar 13, 2023
@WouterTinus
Member

For anyone running into this, please share the disk log from %ProgramData%\win-acme as it shows much more detail than the screen log.

@kaellau

kaellau commented Mar 13, 2023

Hope this helps.

2023-03-13 10:29:33.601 +08:00 [VRB] Processing order 1/1: Main
2023-03-13 10:29:33.602 +08:00 [VRB] Autofac: creating PluginBackend scope with parent PluginBackend
2023-03-13 10:29:33.606 +08:00 [VRB] W3SVC detected and running
2023-03-13 10:29:33.606 +08:00 [VRB] No FTPSVC detected
2023-03-13 10:29:33.612 +08:00 [DBG] Certificate store name: WebHosting
2023-03-13 10:29:33.613 +08:00 [INF] Store with CertificateStore...
2023-03-13 10:29:33.615 +08:00 [DBG] Re-opening certificate with flags "MachineKeySet, PersistKeySet"
2023-03-13 10:29:33.638 +08:00 [DBG] Converting private key...
2023-03-13 10:29:33.640 +08:00 [ERR] (CryptographicException) Unable to store certificate: The requested operation is not supported.
2023-03-13 10:29:33.640 +08:00 [DBG] Exception details: {"TargetSite":"Boolean ExportPkcs8KeyBlob(Boolean, Microsoft.Win32.SafeHandles.SafeNCryptKeyHandle, System.ReadOnlySpan1[System.Char], Int32, System.Span1[System.Byte], Int32 ByRef, Byte[] ByRef)","Message":"The requested operation is not supported.","Data":[],"InnerException":null,"HelpLink":null,"Source":"System.Security.Cryptography","HResult":-2146893783,"StackTrace":" at System.Security.Cryptography.CngKey.ExportPkcs8KeyBlob(Boolean allocate, SafeNCryptKeyHandle keyHandle, ReadOnlySpan1 password, Int32 kdfCount, Span1 destination, Int32& bytesWritten, Byte[]& allocated)\r\n at System.Security.Cryptography.RSACng.TryExportEncryptedPkcs8PrivateKey(ReadOnlySpan1 password, PbeParameters pbeParameters, Span1 destination, Int32& bytesWritten)\r\n at System.Security.Cryptography.CngPkcs8.RewriteEncryptedPkcs8PrivateKey(AsymmetricAlgorithm key, ReadOnlySpan1 password, PbeParameters pbeParameters)\r\n at System.Security.Cryptography.RSACng.ExportEncryptedPkcs8PrivateKey(ReadOnlySpan1 password, PbeParameters pbeParameters)\r\n at PKISharp.WACS.Plugins.StorePlugins.CertificateStoreClient.ConvertCertificate(X509Certificate2 original, X509KeyStorageFlags flags)\r\n at PKISharp.WACS.Plugins.StorePlugins.CertificateStore.Save(ICertificateInfo input)\r\n at PKISharp.WACS.OrderProcessor.HandleStoreAdd(OrderContext context, ICertificateInfo newCertificate, List1 stores, Dictionary2 storeInfo)","$type":"CryptographicException"}
2023-03-13 10:29:44.149 +08:00 [VRB] Autofac: creating Execution scope with parent wacs
2023-03-13 10:29:44.149 +08:00 [VRB] Autofac: creating PluginBackend scope with parent Execution
2023-03-13 10:29:44.151 +08:00 [VRB] W3SVC detected and running
2023-03-13 10:29:44.151 +08:00 [VRB] No FTPSVC detected

@DoraemonYu

DoraemonYu commented Mar 13, 2023

I confronted the same problem after upgrading. My logs are the same as 12e1121's above.

My environments:

  • win-acme version: win-acme.v2.2.2.1447.x64.trimmed
  • OS: Windows Server 2016 DataCenter, x64
  • WebServer: IIS

Unexpected discovery:
When I change the bool value of **PrivateKeyExportable** in the settings.json file from false (the default value) to true, it just seems to work again!
Maybe some adjustments to the related logic caused this result in this version.

Hope this information gives you some idea :)
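Added example (PowerShell, not win-acme's own code and not from this thread) showing why that setting matters: the stack trace above fails inside ExportPkcs8KeyBlob, which re-exports the private key, and the HResult -2146893783 is 0x80090029 (NTE_NOT_SUPPORTED), the "requested operation is not supported" a CNG key returns when its export policy does not allow export. The script reports the export policy of each RSA private key in a LocalMachine store; the default store name is taken from the log and is the only assumption.

```powershell
# Added diagnostic, not win-acme code. Reports whether each RSA private key in a
# LocalMachine store was stored as exportable. A CNG key without AllowExport cannot
# be re-exported as (encrypted) PKCS#8, which is the conversion step seen in the log.
param([string]$StoreName = 'WebHosting')   # store name from the log above

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, 'LocalMachine')
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        $keyKind = 'none'; $policy = 'n/a'; $exportable = $false
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            $rsa = $null; $keyKind = "inaccessible ($($_.Exception.Message))"
        }
        if ($null -eq $rsa) {
            if ($cert.HasPrivateKey -and $keyKind -eq 'none') { $keyKind = 'non-RSA (not inspected)' }
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the export policy is a flag set recorded on the key itself.
            $keyKind    = 'CNG'
            $policy     = $rsa.Key.ExportPolicy
            $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI key: exportability is recorded in the container info.
            $keyKind    = 'CryptoAPI'
            $exportable = $rsa.CspKeyContainerInfo.Exportable
            $policy     = if ($exportable) { 'Exportable' } else { 'NotExportable' }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            KeyKind       = $keyKind
            ExportPolicy  = "$policy"
            ExportAllowed = $exportable
        }
    }
} finally {
    $store.Close()
}
```

A key that shows ExportPolicy None is the case the 2.2.2 store step could not convert; with PrivateKeyExportable set to true the key is imported with AllowExport, which is why the workaround above succeeds.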

@WouterTinus
Member

Thanks for all the input! With your help I was able to quickly find the issue and fix it. I've just created a new release 2.2.2.1 that contains the fix.
