Bobcares

How to renew LetsEncrypt in Windows?

by | Jan 9, 2019

LetsEncrypt SSL is one of the ways to secure websites on Windows servers.

But renewing the SSL certificate every 90 days can become tedious. And a forgotten renewal results in website failure too.

At Bobcares, we help customers automate LetsEncrypt SSL renewal on Windows servers as part of our Support Services for web hosts.

Today, we’ll see how we renew Let’s Encrypt SSL in Windows and fix common problems that appear during SSL renewal.

 

 

How to automate LetsEncrypt SSL in Windows?

LetsEncrypt secures around 150 million websites, and it is popular because it is free of cost. But it keeps websites secure only if the certificates are renewed periodically.

LetsEncrypt uses the ACME (Automatic Certificate Management Environment) protocol to verify control of a given domain name. With automation tools built on that protocol, renewal has become hassle-free.

One of the methods that our Support Engineers follow on Windows servers is to add a Scheduled Task for Let’s Encrypt renewal.

For example, we’ve seen that ACME clients like the LetsEncrypt Win Simple client, the AcmeSharp PowerShell module, etc. work on Windows. These tools provide the option to add a scheduled task in Windows that automatically renews SSL certificates expiring in the next 60 days.

 

Common failure points in LetsEncrypt renewal

Although there are methods to renew LetsEncrypt SSL automatically, we often see customers having problems with the renewal process.

Now, we’ll see the top reasons for failure and how our Support Engineers fix them.

 

1. Renewing already expired SSL

At times, server owners forget to renew SSL on time. An attempt to renew the expired SSL via the command line will then show a later renewal date, but the site’s SSL will still not work.

Recently, a customer reported this problem on Windows 10, with IIS 10 as the web server. Here, to fix the problem, our Support Engineers had to manually edit the registry (HKCU/Software/Let’s Encrypt) and set the correct dates.
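
A check for the failure described in this section, as an added example that is not part of the original article or Bobcares' tooling: it reads the certificate each IIS HTTPS binding actually serves and flags expired or soon-to-expire ones, whatever renewal date the ACME client has recorded. It assumes IIS with the WebAdministration module, an elevated prompt and a 30-day warning threshold (all assumptions, not from the article).

```powershell
# Added example: audit the certificates that IIS HTTPS bindings really serve,
# independent of the renewal date stored by the ACME client.
Import-Module WebAdministration

$WarnDays = 30        # assumption: alert threshold in days, tune to your schedule
$now      = Get-Date

$report = foreach ($site in Get-Website) {
    foreach ($b in $site.bindings.Collection | Where-Object { $_.protocol -eq 'https' }) {
        $thumb = $b.certificateHash
        $store = $b.certificateStoreName
        $cert  = $null
        if ($thumb -and $store) {
            # Look up the bound certificate by thumbprint in the machine store.
            $cert = Get-Item -Path "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
        }

        $status = if (-not $thumb) { 'NO-THUMBPRINT' }   # binding has no certificate hash set
        elseif (-not $cert) { 'MISSING' }                # hash set, but cert is not in the store
        elseif ($cert.NotAfter -lt $now) { 'EXPIRED' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRING' }
        else { 'OK' }

        [pscustomobject]@{
            Site       = $site.Name
            Binding    = $b.bindingInformation
            Status     = $status
            NotAfter   = $cert.NotAfter      # $null when the cert was not found
            Issuer     = $cert.Issuer
            Thumbprint = $thumb
        }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

# A non-zero exit code lets a Scheduled Task or monitoring agent flag the run.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { exit 1 }
```

Scheduling this alongside the renewal task surfaces the case where the client reports a later renewal date while the binding still points at the expired certificate.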

 

2. LetsEncrypt SSL Renewal failure in Plesk

Similarly, we’ve seen problems with LetsEncrypt SSL renewal in Plesk. Here, the backup of the domain failed with the following warning.

psacontentfile.FileAccessException: Can not open for reading file "C:/Program Files (x86)/Parallels/Plesk/var/modules\letsencrypt\etc\live\example.com\cert.pem". The filename, directory name, or volume label syntax is incorrect

In this case, to find the reason for the renewal failure, our Support Engineers check the log file %plesk_dir%\admin\logs\php_error.log.

On Windows systems, the certificate files of the domain are located in the directory “%plesk_dir%var\modules\letsencrypt\etc\archive\example.com\”. After analyzing the logs, we found that the SSL renewal was failing due to a bug in the installed Let’s Encrypt version.

Here, to fix the problem, we manually renewed the SSL from the Plesk Panel. Additionally, we had to update the Let’s Encrypt version on the server to LetsEncrypt 2.4.0.

 

3. Policy forbids issuing for name

Again, LetsEncrypt SSL renewal can fail because the domain name or hostname is blacklisted. An attempt to fetch the certificate will then result in the error:

Error: Could not issue a Let's Encrypt SSL/TLS certificate for exactblacklist.letsencrypt.org
Perhaps this domain is at risk group and is blacklisted on the Let's Encrypt side.
Invalid response from http://example.com/acme/newauthz.
Details:
Type: urn:acme:error:rejectedIdentifier
Status: 400
Detail: Error creating new authz :: Policy forbids issuing for name

This error happens in the case of domains like *.cloudapp.net or *.amazonaws.com. Here, our Support Engineers replace the domain name with a clean one that is not blacklisted. After this, the SSL renewal will work fine.

 

Conclusion

LetsEncrypt SSL renewal can often go wrong on Windows servers for reasons like buggy renewal tools, blacklisting of domains, etc. Today, we’ve seen how our Support Engineers set up LetsEncrypt SSL renewal and fix common problems with it.
