
Error codes for batch file usage #780

Closed
westofsa opened this issue Mar 7, 2018 · 12 comments

Comments

@westofsa

westofsa commented Mar 7, 2018

Hi

I am obtaining and updating a certificate that is stored in a Tomcat Java Keystore. Getting and installing the certificate is not a problem, and I have created a batch file that will allow me to automatically import the PFX certificate to the Java Store using keytool.

Where I am hoping someone might be able to help is that I would like to update the Task Scheduler to instead call the Batch file, which has the Letsencrypt.exe -renew settings set (have this working), but I am trying to find a way to only import the certificate based on a successful renewal. If there is an error I want the batch file to end, rather than to import the existing certificate into the Keystore again.

Is there a way to do that ? I have looked at some of the unattended script commands, but none seem to handle error messages ?
Worth noting I am not a developer so using as many references as I can to handle the error, but when I run the script I get a WARN message but the Error level is still reported as 0 and the script continues.

If not possible I will create a new task in task scheduler to run every x number of days, but figure if there were some error codes and examples on how to use them in a batch file it could help.

Thanks

@alexhass

alexhass commented Mar 8, 2018

I have not tested yet, but a post-renew script (such a param exists) for service reload/restarts should only run if the renew was successful. Then you do not need to look for error codes...

@WouterTinus
Member

I concur with @alexhass.

Rather than letting a script run win-acme, let win-acme run the script: https://github.com/PKISharp/win-acme/wiki/Install-Script

@WouterTinus
Member

The program does have exit codes by the way, but they are not used for individual renewals, just for fatal errors. It's definitely worth considering erroring out to the task scheduler when one of the renewals fails, because it would be a pretty strong signal for an admin to check out what's up.

@westofsa
Author

Thanks @alexhass and @WouterTinus. I had tried the --script option a while back when going through different options, but ran into the problem that it requires me to use script parameters. In my case I have everything defined in the bat file, where the files are, where to load them etc., so I don't need (or want) to be using "parameters" in the script simply to run a bat file. But without a parameter defined the script does not run. So it seems mandatory to use additional parameters which shouldn't be necessary. That is why I tried running the update from the bat file instead. I will go back to try and get win-ACME to call the script instead. Thanks

@LBegnaud
Collaborator

You can just use --scriptparameters "" but yes, I agree that it probably shouldn't be mandatory

@WouterTinus
Member

It isn't mandatory as far as I can tell?

@WouterTinus
Member

I added the exit codes in 1.9.10. Though it's not usable for your original scenario unless you only have 1 renewal. If there are more than one you won't know which one of them failed.

@westofsa
Author

Sorry, got dragged away, but now back at it, plus needed to wait a while to accommodate rate limits. The staging option doesn't seem to allow renewals, so it's a little more challenging trying to keep testing.
I also just upgraded to the latest version today but don't seem to be able to get the --script to invoke.

My preference would be to simply update the automatically configured Scheduled Task with the --script parameters. Worst case I would change it to call the Bat file with everything defined.

For testing I created a bat file with the same values as the Scheduled Task and then added the --script values.

Here is what my command line looks like to run the script, but it does not seem to follow through after the renewal.
Call C:\win-acme\letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/" --installation manual --script c:\certimport.bat
Pause

I watch and see where it downloads the new certificate, but it does not complete the script. I tried it with and without the "--installation manual". I don't get any error messages, and once complete I see the Pause and of course as soon as I press a key to continue the window closes.
I see the cert renew, but shouldn't it be running the certimport.bat? Or is running it this way just causing a problem and I should rather set the values in the Task Scheduler and run it from there (although I may not have visibility at that point)? Should that command line not have worked, though?

@WouterTinus As far as renewals go, in my case I only have 1 renewal on this server that has 3 certs included in the single request. Technically I could get rid of two of the 3 subdomains as they all point to the same place. Just easy to remember URLs for end users.

Any Ideas ?

Thanks

@WouterTinus
Member

WouterTinus commented Mar 27, 2018

So there seems to be some confusion about the basic concepts of unattended operation. There's two things that you can do running letsencrypt.exe with command line parameters. One is set up a new certificate, the other is to renew previously created certificates.

The --script parameter, like most others, is meant for the first usage. It has no effect on the latter. Renewal uses configuration values as they were specified at the time of creation, which are remembered in registry (<1.9.10) or in a file called "Renewals" in the configuration path for new installs of >=1.9.10. This allows users to choose different scripts or validation methods etc. for different certificates.

If you want to change the way an existing certificate is set up in terms of installation or validation, you have to recreate it, or edit the stored parameters manually. The scheduled task generally never has to be changed.

@westofsa
Author

@WouterTinus - Thanks for the Reply.
I am trying to renew a previously created certificate. Don't get me wrong, that all works. The issue that I am trying to overcome is that I need to use the renewed certificate to update certificates stored in a Java Keystore (tomcat.jks file) which is used by Tomcat to store certificates.
I have a batch file that will take the LetsEncrypt Chain and Cert, create a Combined PFX file, apply a common Alias, and set a PFX password. Then it will automatically update the certificates in the Java Store, and restart the Tomcat services so that the newly renewed and valid certificates are presented to someone connecting to the site.
So what I am hoping to do, is when Win-Acme renews the certificates, ideally I would like for the same process to be able to call my batch file so that the rest of the process can also be automatic. I was hoping that the --script option would do that, but if not then I will look at other options. If it cannot do it today maybe it can be added as an enhancement so that when an update does successfully renew a certificate it will then be able to run a script to allow me to automate everything.

If not I will look at creating an additional Task Schedule to run my batch file every x number of days (maybe 56) and add in the new certificate, or maybe I will try and use a file compare to look for a newer file date and if yes then complete the import.

The other option I had been looking at was to simply run the entire update process through the same batch file and if a success based on an error level returned, I could then have it continue the script and if not have it exit...

So there are a few options, was just looking for the lesser of the evils to get there. Adding a few parameters like --script to the string in the already created Scheduled Task would have been the easiest.

Does that make sense?

@westofsa
Author

Actually I think I have a simple fix to my issue. Whenever certificates are renewed, new files are created in the win-acme directory. I don't need all of them, so I am simply going to look for the existence of a particular file; if it is there, I will run the rest of my script and delete the file. That way I can run it daily but if the file is not there it will end the batch file. Sometimes it is the simple solutions that are the hardest to see.
Still would be nice for a feature enhancement, but I have my solution for now.
Thanks
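The sentinel-file approach described above (run daily, do nothing unless a renewal left a marker behind, then import the PFX into the Tomcat keystore and restart the service), written out as an added example; it is not a script from this thread or from win-acme. All paths, the keystore alias, the Tomcat service name and the password file are assumptions, and the example adds a keystore backup plus an ERRORLEVEL check after each step so a failed import never leaves Tomcat down or overwrites a working keystore.

```batch
@echo off
setlocal
rem Added example. Paths, alias, service name and password file are assumptions.
set "SENTINEL=C:\win-acme\renewed.flag"
set "PFX=C:\win-acme\certificates\example.pfx"
set "JKS=C:\tomcat\conf\tomcat.jks"
set "PASSFILE=C:\tomcat\conf\keystore.pass"
set "ALIAS=tomcat"
set "SERVICE=Tomcat9"

rem Scheduled daily: exit quietly unless the renewal marker exists.
if not exist "%SENTINEL%" (
    echo No renewal since last run, nothing to do.
    exit /b 0
)

rem Keep a copy of the current keystore so a failed import can be rolled back.
copy /y "%JKS%" "%JKS%.bak" >nul || (echo Keystore backup failed & exit /b 1)

rem Remove the old entry (may not exist on first run) and import the renewed PFX.
rem The password is read from a file with a restricted ACL (keytool's :file modifier)
rem instead of being typed on the command line where it would show in process lists.
rem Assumption: the PFX alias and both store passwords are the same.
keytool -delete -alias "%ALIAS%" -keystore "%JKS%" -storepass:file "%PASSFILE%" >nul 2>&1
keytool -importkeystore -noprompt ^
  -srckeystore "%PFX%" -srcstoretype PKCS12 -srcstorepass:file "%PASSFILE%" ^
  -destkeystore "%JKS%" -deststoretype JKS -deststorepass:file "%PASSFILE%" ^
  -srcalias "%ALIAS%" -destalias "%ALIAS%"
if errorlevel 1 (
    echo Import failed, restoring previous keystore.
    copy /y "%JKS%.bak" "%JKS%" >nul
    exit /b 1
)

rem Only restart Tomcat once the keystore is known-good, then clear the marker
rem so the next daily run is a no-op until win-acme renews again.
net stop "%SERVICE%" && net start "%SERVICE%"
if errorlevel 1 (echo Service restart failed & exit /b 1)
del "%SENTINEL%"
echo Certificate imported and %SERVICE% restarted.
exit /b 0
```

The same script works unchanged as a win-acme installation script, which is the route the maintainers recommend in this thread; in that case only the sentinel check and its `del` line are unnecessary.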

@WouterTinus
Member

@westofsa - I like your creative thinking, but it's really not necessary even with the current feature set.

All you have to do is cancel your current renewal and then create a new one (for the same domains etc.) with the script included as an installation step. This can be done either from the command line or through the GUI.

Cancelling the renewal will not revoke or delete the existing certificate so this is safe to do at any time, as long as you set up a new one in time before it expires.
