
letsencrypt.exe installs cert pfx into IIS but crashes doing the binding #2

Closed
amlynnworth opened this issue Nov 13, 2015 · 21 comments

@amlynnworth

I tested on Win2012 server, and everything went perfectly until I said 'Y' to adding the binding automatically. Screenshot attached to show the error message. It's possible that I already had something in IIS for port 443 for the domain in question before starting, I'm not 100% sure.

Note 'Bryan' in some of the user paths in the screenshot - that is not anyone on my system.

[Screenshot: letsencrypt-win_iisbinding_2015-11-13_2337]

The certificate (PFX) itself is listed as a valid certificate for the server. Probably due to the crash, when I try to manually finish the binding, after selecting the cert and clicking [ok] in IIS manager, I get this error: "Edit Site Binding: There was an error while performing this operation. Details: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)." Just FYI.

Overall, the program is much easier to use for me than 4 days ago.

One small suggestion: if you can add a manifest to letsencrypt.exe to require elevated permission, it'll be even simpler to run - no need to explicitly run as admin.

@Bryan-Legend
Collaborator

Good idea with the manifest. I'll get that done.

I thought I had fixed the error you're seeing with the 1.0 build that I released yesterday. Can you confirm you're using the latest release?

As a workaround to the problem you can manually add an https binding in IIS manager. The error doesn't seem to happen when it updates a binding, just on creating a new one.


@matbech

matbech commented Nov 14, 2015

I'm getting the same error with version 1.0.

Do you want to add/update an https IIS binding? (Y/N)
 Updating Existing https Binding
 Commiting binding changes to IIS

Unhandled Exception: System.ComponentModel.Win32Exception: A specified logon session does not exist. It may already have been terminated
   at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoint endPoint, String hostName, HTTP_SERVICE_CONFIG_SSL_PARAM_MANAGED allSSLData, SslFlags sslFlags)
   at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoint endPoint, String hostName, Byte[] certificateHash, String certificateStoreName, SslFlags sslFlags)
   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()
   at Microsoft.Web.Administration.BindingManager.Save()
   at Microsoft.Web.Administration.ServerManager.CommitChanges()
   at LetsEncrypt.ACME.Simple.Program.ConfigureBinding(TargetBinding binding, X509Store store, X509Certificate2 certificate) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 281
   at LetsEncrypt.ACME.Simple.Program.Auto(TargetBinding binding) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 248
   at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 175

@Bryan-Legend
Collaborator

Do you already have a different https binding setup on the same IP address?

@amlynnworth
Author

@lone-coder: There is nothing else bound to https on this particular server, no conflicts.
I tried removing the server cert, rebooting, and putting everything back in manually, and I still ended up with that message about the specified logon session not existing.
Did the presence of 'Bryan' make any sense to you in that screenshot - look at the paths under \users\? Does that have something to do with why Windows thinks another logon session made the cert and it is not generally available for use on the server?
I had downloaded the files to test ~30-60 minutes before posting my message, so they should have been "latest." The file properties on letsencrypt.exe showed product version 1.0 and file version 0.0.0.0.

@Bryan-Legend
Collaborator

I've found the problem and will be creating a new build soon. The certs are not getting placed into the certificate store correctly, so they are not actually usable in the current build.

Yes. I'm Bryan. The paths shown are debug info to line numbers in the source code on my computer where I compiled the program.


@Bryan-Legend
Collaborator

Okay. This should be fixed now. Give the new 1.1 release a try.

Man, those were some really bad error messages coming from Microsoft. I was getting the same errors in IIS manager. The only clue I found was in the event viewer.

@Sitting-Duc

Certificates are now being added correctly to the 'Server Certificates' and also to the website bindings.

Do you have something in place to remove old certificates after they have expired? I have not delved into the source code yet.

@Bryan-Legend
Collaborator

I don't think I'll ever delete old certs. We have no guarantee they aren't still being used somewhere.

I did start adding timestamps to the names so that we can tell them apart better.

@amlynnworth
Author

@lone-coder Wow! Version 1.1 worked perfectly and very quickly for me.
I ended up ticking the [x] Require SNI box on the site bindings in IIS Manager. I noticed it entered a binding for the IP number with no hostname. How will that work out if one uses the client to make multiple certs on a single machine, and they all need to be on one IP but in different IIS sites?
Thank you very much for all your efforts.

@amlynnworth
Author

Second test of 1.1 was a little trickier but worked in the end.
IIS kept crashing while trying to respond with the challenge file over HTTP. I resolved that by removing the MIME type definition for .* at the top for all sites (done manually, previously, before v1.0), so then there was only one override via web.config in the .well-known/acme-challenge folder. I also changed the definition to application/json, which showed up better for me in Firefox when I was testing. After that, it worked fine.
One suggestion: if there is a fatal error (such as the challenge failing), it would be good to add some kind of press-key-to-continue pause, because the error text is only visible if you ran from a cmd prompt initially. If you just right-click run-as-admin on letsencrypt.exe, the exe just exits with no chance to read the detailed error message.

@amlynnworth
Author

Third test, this time on a Win8.1 system: perfect. It took longer to download and unzip than to request the cert and confirm it was working, i.e. super easy. Great work.

@Bryan-Legend
Collaborator

Hi @amlynnworth, thanks for the great feedback.

I've added a prompt to handle crashes better. It'll be nice if, when renewals fail, it pops up and waits so the user can know.

On the MIME type: I've mostly convinced the ACME team to switch to .txt files to avoid that problem and others. Not sure when the server change will happen.

Also, I'm checking the SNI box by default now on IIS 8.

@riipah

riipah commented Dec 2, 2015

FYI, I just got this error with 1.6: "System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated". I do have more than one site on the same IP/port, but I'm using SNI, so it should be fine.

Anyway, I was able to make the certificate work by binding it manually in IIS manager, so the tool helped.

@Bryan-Legend
Collaborator

@riipah Can you check the event viewer for more info when that error hits? Also, what version of IIS are you running?

@riipah

riipah commented Dec 2, 2015

Sorry, I can't find anything relevant in the event viewer (I checked IIS logs as well). IIS version is 8.5 (WinServer 2012 R2).

I did save the console output. The last lines are:

 Opening Certificate Store "WebHosting"
 Loading .pfx
 Adding Certificate to Store
 Closing Certificate Store
 Updating Existing https Binding
 Commiting binding changes to IIS
System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated

@amlynnworth
Author

I saw that same error "A specified logon session does not exist. It may already have been terminated" with v1.6 yesterday. My test was on an IIS site on Win2012 server that already had a cert in place. I was able to switch to the new LetsEncrypt cert manually without any further problems.

@Bryan-Legend
Collaborator

What cert store was the old cert placed in? I'm wondering if changing cert stores caused the problem.


@amlynnworth
Author

@lone-coder The old cert was from cacert.org and it was in the Personal store.

@mensand

mensand commented Dec 11, 2015

Hi, I had to change the .* in the web.config file, which is created in the validation directory, to . with the *.
After that the validation worked and the certificate was installed.

@Doogal666

@lone-coder I saw this error message when I already had a certificate installed in the Personal store. On the first pass, I got the error. The new certificate had been added to the Web Hosting store. I then manually switched to the new certificate and ran the tool again, and it worked flawlessly. So I suspect it doesn't like an existing certificate living somewhere other than the Web Hosting store.
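Several comments above trace the "specified logon session does not exist" failure to the certificate being missing from, or sitting in a different store than, the one the HTTPS binding points at. The following diagnostic is an added example, not code from letsencrypt-win-simple: it lists every HTTPS binding HTTP.sys knows about and reports where the bound thumbprint actually lives and whether its private key is present. It assumes the LocalMachine `My` (Personal) and `WebHosting` stores and the English field labels printed by `netsh http show sslcert`.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic (not part of letsencrypt-win-simple): compare each HTTP.sys SSL
# binding with the certificate stores IIS uses. A thumbprint that is absent, has no
# private key, or lives in a different store than the binding names is the kind of
# mismatch that surfaces as the unhelpful "logon session" Win32Exception above.
# Assumes the English field labels that 'netsh http show sslcert' prints.

function Get-HttpSysSslBinding {
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Hash = $null; Store = 'My' }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
            $current.Hash = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(.*?)\s*$') {
            # netsh prints "(null)" when no store was recorded; HTTP.sys then falls back to My.
            if ($Matches[1] -ne '(null)') { $current.Store = $Matches[1] }
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-BindingCertificate {
    param([Parameter(Mandatory)] $Binding)
    # Search the two stores IIS uses: Personal (My) and the IIS 8+ WebHosting store.
    $found = foreach ($storeName in 'My', 'WebHosting') {
        Get-ChildItem "Cert:\LocalMachine\$storeName" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Binding.Hash } |
            ForEach-Object {
                [pscustomobject]@{ Store = $storeName; HasPrivateKey = $_.HasPrivateKey; NotAfter = $_.NotAfter }
            }
    }
    $stores = @($found | ForEach-Object Store)
    [pscustomobject]@{
        Endpoint      = $Binding.Endpoint
        BoundStore    = $Binding.Store
        FoundIn       = ($stores -join ',')
        HasPrivateKey = [bool]($found | Where-Object { $_.HasPrivateKey })
        # True when the thumbprint exists, but not in the store the binding names.
        StoreMismatch = ($stores.Count -gt 0) -and ($stores -notcontains $Binding.Store)
        Expired       = [bool]($found | Where-Object { $_.NotAfter -lt (Get-Date) })
    }
}

Get-HttpSysSslBinding | ForEach-Object { Test-BindingCertificate $_ } | Format-Table -AutoSize
```

A row with an empty FoundIn, HasPrivateKey = False, or StoreMismatch = True points at the binding to fix by hand in IIS Manager, as several people in this thread ended up doing.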
