
Unable to renew cert #776

Closed
scott-ip1 opened this issue Mar 5, 2018 · 8 comments
Comments

@scott-ip1

scott-ip1 commented Mar 5, 2018

Greetings,

I have a cert that was originally requested using letsencrypt-win-simple.v1.9.8.0-beta7 and had the scheduled task created to handle the renewal. I noticed recently it hadn't been working and when run manually I get the following error

[EROR] NullReferenceException: Object reference not set to an instance of an object.

I have tried using win-acme v1.9.9.0 instead, and I now get the following running with --verbose

[VERB] Checking renewals
[INFO] Renewing certificate for xxxxxx.net.au
[DBUG] Loading signer from C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer
[DBUG] Getting AcmeServerDirectory
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/directory
[DBUG] Loading registration from C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration
[INFO] Authorize identifier: xxxxxx.net.au
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz
[DBUG] Certificate store: WebHosting
[INFO] Authorizing xxxxxx.net.au using tls-sni-01 validation (IIS)
[INFO] Installing certificate in the certificate store
[DBUG] Opened certificate store WebHosting
[INFO] Adding certificate f5fa407exxxxxx871b8.acme.invalid to store WebHosting
[VERB] CN=f5fa407exxxxxx871b8.acme.invalid - CN=f5fa407exxxxxx871b8.acme.invalid (6B1B78CACB2A25A1BD0E3018B2B707DBF1AE1F73)
[DBUG] Closing certificate stores
[EROR] Error preparing for challenge answer
System.NullReferenceException: Object reference not set to an instance of an object.
at PKISharp.WACS.Clients.IISClient.AddOrUpdateBindings(Site site, String host, SSLFlags flags, Byte[] thumbprint, String store, Nullable`1 port)
at PKISharp.WACS.Plugins.ValidationPlugins.Tls.IIS.AddToIIS(CertificateInfo certificate)
at PKISharp.WACS.Plugins.ValidationPlugins.Tls.IIS.InstallCertificate(ScheduledRenewal renewal, CertificateInfo certificate)
at PKISharp.WACS.Plugins.ValidationPlugins.BaseTlsValidation.PrepareChallenge()
at PKISharp.WACS.Plugins.ValidationPlugins.BaseValidation`1.PrepareChallenge(AuthorizeChallenge challenge)
at PKISharp.WACS.Program.Authorize(ILifetimeScope renewalScope, Target target)
[INFO] Uninstalling certificate from the certificate store
[DBUG] Opened certificate store WebHosting
[INFO] Removing certificate f5fa407exxxxxx871b8.acme.invalid from store WebHosting
[DBUG] Closing certificate store
[EROR] Error authorizing [Manual] [4 bindings - xxxxxx.net.au, ...]
[DBUG] NullReferenceException: NullReferenceException {Message="Object reference not set to an instance of an object.", Data=[], InnerException=null, TargetSite=Void RemoveFromIIS(PKISharp.WACS.CertificateInfo), StackTrace=" at PKISharp.WACS.Plugins.ValidationPlugins.Tls.IIS.RemoveFromIIS(CertificateInfo certificate)\r\n at PKISharp.WACS.Plugins.ValidationPlugins.Tls.IIS.RemoveCertificate(ScheduledRenewal renewal, CertificateInfo certificate)\r\n at PKISharp.WACS.Plugins.ValidationPlugins.BaseTlsValidation.CleanUp()\r\n at PKISharp.WACS.Plugins.ValidationPlugins.BaseValidation1.Dispose(Boolean disposing)\r\n at PKISharp.WACS.Plugins.ValidationPlugins.BaseValidation1.Dispose()\r\n at Autofac.Core.Disposer.Dispose(Boolean disposing)\r\n at Autofac.Util.Disposable.Dispose()\r\n at Autofac.Core.Lifetime.LifetimeScope.Dispose(Boolean disposing)\r\n at Autofac.Util.Disposable.Dispose()\r\n at PKISharp.WACS.Program.Authorize(ILifetimeScope renewalScope, Target target)", HelpLink=null, Source="letsencrypt", HResult=-2147467261}
[EROR] NullReferenceException: Object reference not set to an instance of an object.
[EROR] Renewal for xxxxxx.net.au failed, will retry on next run

This is running on Windows Server 2016. I am also running manually in an elevated command prompt (as admin). The current cert is valid until 27 March 2018.

Any suggestions or advice?

Thanks
Scott.

@WouterTinus (Member)

Is it possible that the original site you used to create the certificate with doesn't exist anymore?

@scott-ip1 (Author)

I am running the renew from the same server I used to create the cert that is still actively hosting the same site (Exchange server).
Does the error point to something in particular being wrong that I need to look for, or is it going to be easier to just revoke this cert and issue a new one?

@WouterTinus (Member)

It seems to point to not being able to find the site it's supposed to use for validation in IIS. I'd be interested to see the contents of the registry entry for the certificate.

You can try to recreate the certificate but you'd have to go with the command line to set it up with TLS validation, as it's no longer supported for mainstream usage.

@scott-ip1 (Author)

scott-ip1 commented Mar 11, 2018

Can you explain that further? Is the win-acme program not able to find the site, or the Letsencrypt web service can't find the site?

As a quick test, I did a renew on some standard IIS web sites on a different server and they were able to renew correctly, so it does appear to be something specific to this Exchange IIS instance.

HKEY_LOCAL_MACHINE\SOFTWARE\letsencrypt-win-simple\https://acme-v01.api.letsencrypt.org/
The "Renewals" has the following

{"Date":"2018-02-20T10:36:32.6683186Z","Binding":{"Host":"webmail.xxxxxx.net.au","HostIsDns":true,"IIS":true,"SiteId":0,"TargetSiteId":0,"InstallationSiteId":1,"SSLPort":443,"AlternativeNames":["webmail.xxxx.net.au","autodiscover.xxxx.net.au","webmail.yyyyyy.com","autodiscover.yyyy.com"],"TargetPluginName":"Manual","ValidationPluginName":"tls-sni-01.IIS"},"KeepExisting":false,"InstallationPluginNames":["IIS"],"Warmup":false}

@WouterTinus (Member)

The program can't find the IIS website, and I think I can see why. Could you try removing "SiteId":0,"TargetSiteId":0,? Because this way it's trying to find IIS Site 0.

It's definitely a bug that the registry got into this state, I'm making some changes in the next release to prevent this from happening to others.

@scott-ip1 (Author)

scott-ip1 commented Mar 12, 2018

I tried removing those strings from the reg key, but as soon as I trigger the renewal I see them get repopulated. Is there another place I need to also remove them from?

Hmm, looking at my other server that I was able to trigger a cert renew on, those registry keys don't even exist, and if I remove them from the problem server then I get no certs listed as available for renewal. Is there another config file hidden away somewhere?

@WouterTinus (Member)

Yes I should have realised that it would happen that way, because the bug that caused it is still in there.

I made a fix in 1.9.10, but if you don't want to upgrade yet, you might try another workaround, which is adding "ValidationSiteId":1, to the line.
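
The checks below are an added example, not code from the thread or from win-acme: they parse a renewal entry shaped like the "Renewals" JSON posted above, flag the IIS site references that the maintainer identified as the cause (SiteId 0, which cannot match an IIS site because site IDs start at 1, and a missing ValidationSiteId for an IIS-based validation plugin), and apply the suggested workaround of adding ValidationSiteId. The sample entry is constructed with placeholder hostnames, and falling back to InstallationSiteId when no value is given is an assumption, not something the thread states.

```python
import json

# Constructed sample modelled on the "Renewals" entry from the thread;
# hostnames are placeholders. On a real host this string is stored under
# HKLM\SOFTWARE\letsencrypt-win-simple\<acme base uri>\Renewals.
SAMPLE_RENEWAL = (
    '{"Date":"2018-02-20T10:36:32.6683186Z","Binding":{"Host":"webmail.example.invalid",'
    '"HostIsDns":true,"IIS":true,"SiteId":0,"TargetSiteId":0,"InstallationSiteId":1,'
    '"SSLPort":443,"AlternativeNames":["webmail.example.invalid","autodiscover.example.invalid"],'
    '"TargetPluginName":"Manual","ValidationPluginName":"tls-sni-01.IIS"},'
    '"KeepExisting":false,"InstallationPluginNames":["IIS"],"Warmup":false}'
)


def load_renewal(text):
    """Parse one renewal entry (a JSON object) into a dict."""
    return json.loads(text)


def find_site_id_problems(renewal):
    """Return human-readable findings about IIS site references in one entry.
    IIS site IDs are 1-based, so a 0 means the plugin will look up a site
    that cannot exist, which is what produced the NullReferenceException."""
    binding = renewal.get("Binding", {})
    findings = []
    if binding.get("IIS") and binding.get("SiteId", 1) == 0:
        findings.append("SiteId is 0: IIS validation cannot find a site with that id")
    if binding.get("TargetSiteId", 1) == 0:
        findings.append("TargetSiteId is 0: no valid target site recorded")
    uses_iis_validation = binding.get("ValidationPluginName", "").endswith(".IIS")
    if uses_iis_validation and "ValidationSiteId" not in binding:
        findings.append("ValidationSiteId missing for an IIS validation plugin")
    return findings


def apply_workaround(renewal, validation_site_id=None):
    """Return a copy of the entry with ValidationSiteId set, as suggested in
    the thread. If no id is given, InstallationSiteId is reused (assumption:
    the validation certificate is hosted on the same site), defaulting to 1."""
    fixed = json.loads(json.dumps(renewal))  # deep copy, leave the input alone
    binding = fixed.setdefault("Binding", {})
    if "ValidationSiteId" not in binding:
        if validation_site_id is None:
            validation_site_id = binding.get("InstallationSiteId", 1)
        binding["ValidationSiteId"] = validation_site_id
    return fixed


if __name__ == "__main__":
    entry = load_renewal(SAMPLE_RENEWAL)
    for finding in find_site_id_problems(entry):
        print("finding:", finding)
    print(json.dumps(apply_workaround(entry)["Binding"], indent=2))
```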

@scott-ip1 (Author)

OK, thanks. I ended up revoking and creating a new cert and manually added it to the bindings. I'll do a test with the new version in a few days to see how it goes.
