Win-acme: Don't store renewals in current user registry

Created on 27 Jul 2017 · 4 Comments · Source: win-acme/win-acme

First of all, thank you for the program. It was very helpful in the case of auto certificate renewal. However, I'd like to provide some feedback from Windows administrator perspective.

In order to auto-renew certificates, the tool creates a job in Task Scheduler. By default, the job runs under the user account that ran the tool. In general, this is bad practice because the account password can change, or the account can be disabled or deleted, leaving the job in a broken state. Normally in such scenarios the SYSTEM account is used to run the job. In this case, however, simply switching the account in the job properties will not help.
The reason is that upon initial launch and configuration, the program generates and stores some settings in %appdata%\letsencrypt-win-simple and HKCU\Software\letsencrypt-win-simple. Both of those places are user-specific, meaning that any other account, including SYSTEM, will have its own settings. It is quite easy to copy the initial settings from the user to the respective SYSTEM paths and everything will be working fine:
%appdata% for SYSTEM points at %windir%\system32\config\systemprofile\AppData\Roaming\
The HKCU hive for SYSTEM points at HKEY_USERS\.DEFAULT

Because it is not intended to run multiple copies of the program simultaneously on the same Windows host in different profiles, and because the program already requires elevated privileges, in my opinion it would be much better to store files in the program directory itself and in the HKLM hive of the registry respectively, thus providing consistent settings across multiple accounts.

All 4 comments

Fully agree on that, it bit me too a couple of times. The plan is to stop using the registry altogether in version 2.0, but using SYSTEM/HKLM would already be a big improvement.

This has been implemented for new users. Existing users will continue to work as they did before, but it's possible to migrate manually.

I am not sure if it has to do with this new option, but I have removed version 1.9.3 by manually deleting the folders in appdata\roaming and the registry key in HKCU and installed 1.9.5 afterwards. When trying to create a new certificate, the renewal is not being written to the registry:

C:\folder\letsencrypt>letsencrypt --verbose --san

[INFO] Let's Encrypt (Simple Windows ACME Client)
[INFO] Version 1.9.5.38878 (RELEASE)
[VERB] Verbose mode logging enabled
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Renewal period: 60
[INFO] Certificate store: WebHosting
[INFO] ACME Server: https://acme-v01.api.letsencrypt.org/
[VERB] Using registry key HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple\https://acme-v01.api.letsencrypt.org/
[DBUG] Settings {Renewals="The property accessor threw an exception: ArgumentNullException"}
[DBUG] Config folder: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[DBUG] Certificate folder: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[DBUG] Loading signer from C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer
[DBUG] Getting AcmeServerDirectory
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/directory
[DBUG] Loading registration from C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration
[DBUG] Scanning IIS sites

 1: [IIS] Site1 (SiteId 1) [1 binding - subdomain.site1.nl @ C:\folder\Site1]
 2: [IIS] test (SiteId 2) [1 binding - test.test.nl @ C:\folder\Site1DebiteurenPortal]

 W: Generate a certificate via WebDav and install it manually.
 S: Generate a single San certificate for multiple sites.
 F: Generate a certificate via FTP/ FTPS and install it manually.
 M: Generate a certificate manually.
 Q: Quit

 Choose from one of the menu options above: S

[DBUG] Running IISSiteServer Plugin

 Enter a comma separated list of site IDs, or 'S' to run for all sites: 1

[INFO] Authorizing identifier subdomain.site1.nl using http-01 challenge
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz
[DBUG] Writing challenge answer to C:\folder\Site1\.well-known\acme-challenge\rGUDlYHsIsNSpUjK-Vgzz-srT8jPQ_fOCInSmw3wWzM
[DBUG] Writing web.config to C:\folder\Site1\.well-known\acme-challenge\web.config
[INFO] Answer should now be browsable at http://subdomain.site1.nl/.well-known/acme-challenge/rGUDlYHsIsNSpUjK-Vgzz-srT8jPQ_fOCInSmw3wWzM
[DBUG] Submitting answer
[CUT FOR PRIVACY]
[INFO] Authorization result: valid
[DBUG] Deleting answer
[DBUG] Deleting web.config
[DBUG] Deleting C:\folder\Site1\.well-known\acme-challenge
[DBUG] Additional files or folders exist in C:\folder\Site1\.well-known, not deleting.
[DBUG] RSAKeyBits: 2048
[INFO] Requesting certificate: subdomain.site1.nl
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/new-cert
[CUT FOR PRIVACY]
[DBUG] Request Status: Created
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\subdomain.site1.nl-crt.der
[INFO] Saving issuer certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
[DBUG] CentralSsl False - San True
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\subdomain.site1.nl-all.pfx
[INFO] Installing non-Central SSL certificate in the certificate store
[DBUG] Opened Certificate Store My
[DBUG] Set private key exportable
[DBUG] Adding certificate 1 2017-8-30 2:44:27  to store
[DBUG] Closing certificate store
[INFO] Installing non-Central SSL certificate in server software
[INFO] Adding new https binding for subdomain.site1.nl
[INFO] Committing binding changes to IIS
[DBUG] Opened certificate store My
[INFO] Removing certificate 1 2017-8-30 2:31:05
[INFO] Closing certificate store
[INFO] Adding renewal for [IISSiteServer] 1 [1 binding - subdomain.site1.nl ]

 Do you want to replace the existing task? (y/n): - no

[DBUG] Exception ArgumentNullException {Message="Value cannot be null.\r\nParameter name: source", ParamName="source", Data=[], InnerException=null, TargetSite=System.Collections.Generic.IEnumerable`1[TResult] Select[TSource,TResult](System.Collections.Generic.IEnumerable`1[TSource], System.Func`2[TSource,TResult]), StackTrace="   at System.Linq.Enumerable.Select[TSource,TResult](IEnumerable`1 source, Func`2 selector)\r\n   at LetsEncrypt.ACME.Simple.Settings.get_Renewals()\r\n   at LetsEncrypt.ACME.Simple.Program.ScheduleRenewal(Target target)\r\n   at LetsEncrypt.ACME.Simple.IISSiteServerPlugin.ProcessTotaltarget(Target totalTarget, List`1 runSites)\r\n   at LetsEncrypt.ACME.Simple.IISSiteServerPlugin.HandleMenuResponse(String response, List`1 targets)\r\n   at LetsEncrypt.ACME.Simple.Program.HandleMenuResponseForPlugins(List`1 targets, String command)\r\n   at LetsEncrypt.ACME.Simple.Program.Main(String[] args)", HelpLink=null, Source="System.Core", HResult=-2147467261}
[EROR] Exception Value cannot be null.
Parameter name: source

 Would you like to start again? (y/n): - no

When I then try to renew I get the following error:

[INFO] Let's Encrypt (Simple Windows ACME Client)
[INFO] Version 1.9.5.38878 (RELEASE)
[VERB] Verbose mode logging enabled
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Renewal period: 60
[INFO] Certificate store: WebHosting
[INFO] ACME Server: https://acme-v01.api.letsencrypt.org/
[VERB] Using registry key HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple\https://acme-v01.api.letsencrypt.org/
[DBUG] Settings {Renewals="The property accessor threw an exception: ArgumentNullException"}
[DBUG] Config folder: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[DBUG] Certificate folder: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[DBUG] Loading signer from C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer
[DBUG] Getting AcmeServerDirectory
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/directory
[DBUG] Loading registration from C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration
[INFO] Checking renewals
[DBUG] Exception ArgumentNullException {Message="Value cannot be null.\r\nParameter name: source", ParamName="source", Data=[], InnerException=null, TargetSite=System.Collections.Generic.IEnumerable`1[TResult] Select[TSource,TResult](System.Collections.Generic.IEnumerable`1[TSource], System.Func`2[TSource,TResult]), StackTrace="   at System.Linq.Enumerable.Select[TSource,TResult](IEnumerable`1 source, Func`2 selector)\r\n   at LetsEncrypt.ACME.Simple.Settings.get_Renewals()\r\n   at LetsEncrypt.ACME.Simple.Program.CheckRenewals()\r\n   at LetsEncrypt.ACME.Simple.Program.Main(String[] args)", HelpLink=null, Source="System.Core", HResult=-2147467261}
[EROR] Exception Value cannot be null.
Parameter name: source

Can you explain how we can migrate manually, please?
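The following PowerShell script is an added example, not code from win-acme / letsencrypt-win-simple or from anyone in this thread. It carries out the two migrations the thread talks about: the workaround from the opening post (copy the per-user state into SYSTEM's profile and HKEY_USERS\.DEFAULT, then make the scheduled task run as SYSTEM) and a manual move to the HKLM\Software and C:\ProgramData locations that the 1.9.5 verbose log above shows the tool reading. Everything not on this page is an assumption and is marked as such in the comments: the name of the renewal task, the registry value name "Renewals" (the log names the property, not the value), and the ACL applied to the copied folder.

```powershell
<#
Added example (not win-acme/letsencrypt-win-simple code). Moves the per-user
state described in this thread to a location every account can see and
re-points the renewal task at SYSTEM.

  -Mode SystemProfile : the workaround from the opening post, for versions that
                        still read HKCU + %APPDATA%: copy into SYSTEM's own
                        profile (HKEY_USERS\.DEFAULT and
                        %windir%\System32\config\systemprofile\AppData\Roaming).
  -Mode MachineWide   : the HKLM\Software and C:\ProgramData locations that the
                        1.9.5 verbose log in this thread shows being read.

Assumptions (not stated on the page): the renewal task's name (-TaskName), and
that the renewal list is stored in a registry value named "Renewals" under each
per-server subkey (the log names the property, not the value).
Run from an elevated PowerShell; -WhatIf previews without changing anything.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('SystemProfile', 'MachineWide')][string]$Mode,
    [Parameter(Mandatory)][string]$TaskName,
    [string]$AppName = 'letsencrypt-win-simple'
)
$ErrorActionPreference = 'Stop'

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -WhatIf:$false | Out-Null
}

$srcKey = "HKCU:\Software\$AppName"
$srcDir = Join-Path $env:APPDATA $AppName
switch ($Mode) {
    'SystemProfile' {
        $dstKeyParent = 'HKU:\.DEFAULT\Software'
        $dstDirParent = Join-Path $env:windir 'System32\config\systemprofile\AppData\Roaming'
    }
    'MachineWide' {
        $dstKeyParent = 'HKLM:\Software'
        $dstDirParent = $env:ProgramData
    }
}
$dstKey = Join-Path $dstKeyParent $AppName
$dstDir = Join-Path $dstDirParent $AppName

foreach ($p in $srcKey, $srcDir) { if (-not (Test-Path $p)) { throw "Nothing to migrate: $p not found" } }
foreach ($p in $dstKey, $dstDir) { if (Test-Path $p) { throw "$p already exists; merge or remove it first" } }

# 1. Registry: Copy-Item on the Registry provider copies subkeys and values,
#    including the per-ACME-server subkey the log shows
#    (...\letsencrypt-win-simple\https://acme-v01.api.letsencrypt.org/).
if ($PSCmdlet.ShouldProcess($dstKey, "copy registry key $srcKey")) {
    Copy-Item -Path $srcKey -Destination $dstKeyParent -Recurse
}

# 2. Files: signer key, registration, issued certificates and PFX files.
if ($PSCmdlet.ShouldProcess($dstDir, "copy folder $srcDir")) {
    New-Item -ItemType Directory -Path $dstDirParent -Force | Out-Null
    Copy-Item -Path $srcDir -Destination $dstDir -Recurse
    # The signer's private key now sits outside a user profile. Subfolders of
    # C:\ProgramData are readable by every local user by default, so cut
    # inheritance and grant only SYSTEM (S-1-5-18) and Administrators
    # (S-1-5-32-544). This ACL is the example's choice, not the tool's.
    icacls $dstDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
}

# 3. Run the renewal task as SYSTEM so a changed password or a disabled or
#    deleted user account can no longer break it.
if ($PSCmdlet.ShouldProcess($TaskName, 'set task principal to SYSTEM')) {
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Set-ScheduledTask -TaskName $TaskName -Principal $principal | Out-Null
}

# 4. Check: each per-server subkey should carry a renewal list. The 1.9.5 log
#    in this thread shows Settings.get_Renewals throwing ArgumentNullException
#    on a freshly created HKLM key; an empty key is the state warned about here.
if (Test-Path $dstKey) {
    foreach ($sub in Get-ChildItem -Path $dstKey) {
        $v = Get-ItemProperty -Path $sub.PSPath -Name Renewals -ErrorAction SilentlyContinue
        if ($null -eq $v) { Write-Warning "$($sub.PSChildName): no 'Renewals' value (assumed name); expect the failure shown in the log above" }
        else { Write-Host "$($sub.PSChildName): Renewals present" }
    }
}
```

Run it first with -WhatIf (for example `.\Migrate-AcmeState.ps1 -Mode MachineWide -TaskName '<your renewal task>' -WhatIf`) to see the source and destination paths it resolved, then without it. The script refuses to overwrite an existing destination key or folder on purpose: merging two renewal lists by hand is safer than silently clobbering one. After the move, the original HKCU key and %APPDATA% folder still hold a copy of the signer key and should be deleted once the task has been seen to run successfully as SYSTEM.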
