
SAN for multiple names about win-acme HOT 74 CLOSED

win-acme avatar win-acme commented on May 21, 2024
SAN for multiple names

from win-acme.

Comments (74)

Bryan-Legend avatar Bryan-Legend commented on May 21, 2024

Can it do that for different domains?

For instance, would it work for domain.com and example.com, if they are
both whitelisted?

On Sat, Nov 14, 2015 at 2:58 PM, Mat [email protected] wrote:

The client should request a certificate for all names that are associated
with a site. For example I have a site with the following bindings:
[ip] 443
domain 443
www.domain 443

Now the letsencrypt client should request one certificate for the names:
domain and www.domain
This is what the "official" letsencrypt client is currently doing:
certbot/certbot#369

from win-acme.

Bryan-Legend avatar Bryan-Legend commented on May 21, 2024

Also does each host name need a separate authorization to be passed?


from win-acme.

matbech avatar matbech commented on May 21, 2024

Yes it is possible. See:
https://community.letsencrypt.org/t/multi-domain-san-certificate-and-webroot-auth/2493

But not implemented yet in the ACME windows client:
https://github.com/ebekker/letsencrypt-win/issues/13

from win-acme.

Bryan-Legend avatar Bryan-Legend commented on May 21, 2024

Mat, does SAN help alleviate the same problem that SNI addresses? Can it be
used to host lots of domains on the same IP address?
https://en.wikipedia.org/wiki/Server_Name_Indication

On Sat, Nov 14, 2015 at 7:03 PM, Mat [email protected] wrote:

See my comments in ebekker/letsencrypt-win#13
https://github.com/ebekker/letsencrypt-win/issues/13 on how to add the
SAN to the certificate request.



from win-acme.

matbech avatar matbech commented on May 21, 2024

With my changes here (I apologize for the CRLF mess) a certificate with multiple SAN is successfully obtained: https://github.com/matbech/letsencrypt-win-simple/commit/375109970df5d10f724d6f7c7ab5f48b58ba9d27

from win-acme.

My1 avatar My1 commented on May 21, 2024

well SAN is especially helpful if you are dealing with non-SNI hosts (like webdav for windows or anything winxp)
also it is possible with the LE client to obtain a SAN at the very least in manual mode, I just have to enter all domains (I usually do it with -t and then paste all the domains in the prompt) and then I essentially get a webroot challenge for each and every domain requested as in
put the following at example.com/url
text123
press enter when you are finished
[pressing enter]
put the following to ssl.example.com/url2
text567
press enter if you are finished

AND SO ON...

from win-acme.

poynter2 avatar poynter2 commented on May 21, 2024

big +1 for this. Would help with the SNI issue raised as well (at least with a single website).

from win-acme.

Bryan-Legend avatar Bryan-Legend commented on May 21, 2024

I should be able to get SAN working once ebekker/ACMESharp#13 is complete.

from win-acme.

jagbarcelo avatar jagbarcelo commented on May 21, 2024

@lone-coder: any progress on this issue? Did you have a look at @matbech changes (commented on 15th November)? He also contributed to ebekker/ACMESharp#13 with something that might be of help for you too. It would be really helpful to have this feature available.

Having to use https://github.com/ebekker/ACMESharp as an alternative because of the lack of a Subject Alternative Name (SAN) feature is quite a pain; it is much more complex.

Thanks.

from win-acme.

clearbucketLabs avatar clearbucketLabs commented on May 21, 2024

yeah, i got multiple subdomains and it makes a cert for each. should be an option to just throw them all in one cert. i ran into the rate limit this way too. Not sure if the rate limit affects SAN regardless though...

from win-acme.

My1 avatar My1 commented on May 21, 2024

technically as described in the closed beta email and also in the forum SANS do not count, just the number of certs that are actually made.

from win-acme.

japerlman avatar japerlman commented on May 21, 2024

@jagbarcelo How are you using ACMESharp to obtain a SAN certificate? This project sits on top of ACMESharp and needs ACMESharp to complete #13 on ACMESharp you mentioned before it can be done in this project.

Looking at the Wiki for ACMESharp I don't see any examples for SAN usage.

from win-acme.

jagbarcelo avatar jagbarcelo commented on May 21, 2024

@japerlman Sorry, I didn't mean that I could use ACMESharp to get a SAN certificate (even though after a second read at my post, it might seem so).

Since ACMESharp is used by this project it is absolutely clear that once #13 is solved, implementing SAN in this project would be straightforward. That, however, does not mean that it cannot be done directly here beforehand (maybe as a temporary patch), as @matbech suggests in https://github.com/matbech/letsencrypt-win-simple/commit/375109970df5d10f724d6f7c7ab5f48b58ba9d27

I simply wondered if someone had given it a try instead of waiting for the resolution of the issue in the other project.

Sorry for the misunderstanding.

from win-acme.

ammoniak avatar ammoniak commented on May 21, 2024

SAN support has been added to the ACMESharp project: ebekker/ACMESharp@f34a49e

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

Since it uses the ACMESharp NuGet package, we have to wait until a new version is pushed out there before it can be added in.

from win-acme.

ebekker avatar ebekker commented on May 21, 2024

I've just submitted PR #65 which upgrades to the latest ACMESharp library and related dependencies. With this change, it should now be possible to implement this feature relatively easily.

from win-acme.

gijswijs avatar gijswijs commented on May 21, 2024

@ebekker You are my favourite person in the world right now.

@lone-coder you come in 2nd, but the 1st place is up for grabs if you support it. ;)

Will try it with ACMESharp asap.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

PR #65 has been added in.

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

+1 for SAN support
Would love to see this feature added to 'letsencrypt-win-simple'
Instead of showing the complete list of sitebindings this would mean the list of site names (id) is shown, right?

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

Yep, it would have to.
I can start working on SAN support soon, but I want to get the last issue tagged for V 1.8 done first and get that released, since SAN support is going to require a lot of changes, and possibly a new plugin.

from win-acme.

basildane avatar basildane commented on May 21, 2024

Just FYI, please don't hard-code the additional SAN names (like www or whatever). I need SAN certificates for Exchange and Jabber, they would have many custom SAN DNS records.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

For IIS sites, it will just bring back a list of sites, and it will request a SAN certificate for all unique hosts across all of the bindings on that site.

For manual sites, it will only use the hosts you enter in.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

I just added PR #77 and it should now support SAN.

Just use --san, both the manual and IIS plugins are supported.

Let me know if you encounter any issues, there were a lot of changes so I'd be surprised if someone doesn't find an issue.

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

I get an error when calling --renew, e.g.:

02/02/2016 09:26:16 +01:00 [Error] Error ArgumentNullException { Message: "Value cannot be null.
Parameter name: collection", ParamName: "collection", Data: [], InnerException: null, TargetSite: Void InsertRange(Int32, System.Collections.Generic.IEnumerable`1[T]), StackTrace: " at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at System.Collections.Generic.List`1.AddRange(IEnumerable`1 collection)
at LetsEncrypt.ACME.Simple.Program.Authorize(Target target) in C:\projects\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 794
at LetsEncrypt.ACME.Simple.Program.Auto(Target binding) in C:\projects\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 340
at LetsEncrypt.ACME.Simple.Program.CheckRenewals() in C:\projects\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 723
at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\projects\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 154", HelpLink: null, Source: "mscorlib", HResult: -2147467261 }


from win-acme.

rkerber avatar rkerber commented on May 21, 2024

@RvdHout can you try it again, I made some changes that should fix it.

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

Thx, seems OK now

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Silly question, but how do we use it? I've updated and I get a list of IIS bindings, if I select one it seems to go off and just get that one - do I have to do A for all hosts for this to work?

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

letsencrypt.exe --san shows IIS site id's (can have multiple bindings)

letsencrypt.exe shows all unique bindings

BTW, this feature is not yet in 1.8, get 1.8.5.2 artifact here to test this

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Hey,

I'm building from the latest master. I ran the --san flag and pointed it at one of my sites, it went ahead and looped through all the bindings - however when it finished it didn't seem to add a cert to IIS or even dump one in C:\Users\user\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org am I doing something wrong?

Thanks,
Brett

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

When you are building it from the latest master you should be good.
Mmmm strange, no errors were displayed during the creation of the certificates?

How many bindings does that site have, do they go beyond the limits?

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

I did have a couple of errors from bindings which couldn't be browsed because they are IIS Rewrites, which is fine, but no other errors. I do have a lot of bindings on this website as I use it as a reverse proxy, so it would go over the limit if I was requesting them individually, but I thought that was why we use SAN, so we can have loads of subdomains on one cert?

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

If it helps, I just ran it with the --test parameter and got exactly the same result, so I don't think it's due to limits. It gets to the last binding and just exits:

Submitting answer
Refreshing authorization
Authorization Result: valid
Deleting answer
Press enter to continue.

Without seemingly generating a cert

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

I think you are mistaken there... all the bindings must respond to the ACME challenge, otherwise the domain can not be validated, once an error occurs, the program stops and will not create the IIS bindings nor create certificates

in my test i just created a single certificate for example:
domain.com
www.domain.com

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Ah okay, thanks. I made sure that they'd all return a result and it started to generate the cert (in test mode) although I got this error:

Requesting Certificate
Unexpected error
ACME Server Returned:
{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}
Press enter to continue.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Something I've just thought though, I have bindings for that website for different domains. Is it failing because it's trying to group xx.blah.com, hhh.hello.com into one SAN?

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

Shouldn't matter I guess...but remember the limits currently in place by Let's Encrypt!

The limit on Certificates/Domain is 5 certificates for a registered domain in a sliding window of 7 days. We know it's restrictive at present; thank you for your patience in helping us ensure Let's Encrypt is ready for the whole world.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

But I'm generating one SAN certificate with many hosts as part of it, so the limits shouldn't apply. Also this happened on test which has very very very high limits

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

Why do you assume a SAN certificate ignores the limits?

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Well what I mean is that, a SAN certificate is only one certificate but with loads of subdomains attached to it - I know that therefore the domain limit doesn't apply to a SAN.

Names/Certificate is the limit on how many domain names you can include in a single certificate. This is currently limited to 100 names, or websites, per certificate issued.
I don't have 100 names on the certificate

Certificates/Domain you could run into through repeated re-issuance. This limit measures certificates issued for a given combination of Public Suffix + Domain (a "registered domain"). This is limited to 5 certificates per domain per week.
This doesn't apply to a SAN with multiple domains on it

https://community.letsencrypt.org/t/public-beta-rate-limits/4772/8?u=brett
"so a SAN multi-domain cert having domain1.com, www.domain1.com, domain2.com, www.domain2.com is counted as 1 certificate ? but you can only renew this SAN multi-domain cert 5 times per 7 days ?
Exactly."

Plus, this is happening on the test server which has a very high limit that I shouldn't be hitting, and when I've hit the limits previously the error returned explicitly said that, not a generic internal error

from win-acme.

RvdHout avatar RvdHout commented on May 21, 2024

I think your assumption about SAN certificates VS limits is way off, but I leave it to the experts to answer. Why should they have limits in place in the first place if this could be bypassed by SAN certificate?

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

It's more about how many certificates they issue, they don't care if they issue 1 certificate with many many hosts, but they do care if you try to get a cert for each of those hosts. I've raised a topic on their forums here: https://community.letsencrypt.org/t/error-creating-new-cert/10187 - which hopefully will help us get to the bottom of it.

The main reason I don't think it's limits is because it happens on the test server too, and limits are set very high there

from win-acme.

nemchik avatar nemchik commented on May 21, 2024

I've also seen material stating that LetsEncrypt will support SAN certs with up to 100 domains. How would that even be possible with a limit of 5 in 7 days. Can you add domains to a SAN cert after it's been created? I thought the answer was no, SAN certs had to be generated with validation for all of the domains up front (otherwise what's the point of validation?), but I might be mistaken.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Already supports as far as I'm aware.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

I ran the exe with --test but no SAN and got it to generate test certificates for all the sites on that website binding and it worked fine, so I'm 99% sure it's not a limit thing, or an issue with the bindings.

from win-acme.

leonletto avatar leonletto commented on May 21, 2024

For extra confirmation, I have generated a SAN cert with 12 URL's (in the same domain eg. domain.com, www.domain.com, admin.domain.com) in the same certificate without issue over a three week period. I can't confirm if I added more than 5 per week but I scaled it from 2 to 7 and then 12 so suspect that it is probably within that timeline. I have not tried generating a SAN cert with lots of different domains in the same cert.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

The limit is 5 certificates per domain in 7 days. A SAN cert counts as a single certificate.

I have done about 100 in an hour with the test URI. So if test has any limits, they are really large.

I coded the 100 domain limit into the app, so nobody can hit that limit since it will display an error and not let you see that site.

A SAN cert does require you to have authorized every domain under the site before it can generate the certificate.

@brettyj can you change the min logging level in the letsencrypt.exe.config to Debug and try the SAN cert again? That will log all of the details into the Event Viewer. It will log the exact answer that comes back from the ACME server so that should help us understand what it is doing.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

A SAN will work with different domains as well, as long as they all pass the authorization check.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

Hey @rkerber

02/04/2016 15:28:17 +00:00 [Error] Error AcmeWebException { WebException: WebException { Status: ProtocolError, Response: HttpWebResponse { IsMutuallyAuthenticated: "The property accessor threw an exception: ObjectDisposedException", Cookies: "The property accessor threw an exception: ObjectDisposedException", Headers: "The property accessor threw an exception: ObjectDisposedException", SupportsHeaders: True, ContentLength: "The property accessor threw an exception: ObjectDisposedException", ContentEncoding: "The property accessor threw an exception: ObjectDisposedException", ContentType: "The property accessor threw an exception: ObjectDisposedException", CharacterSet: "The property accessor threw an exception: ObjectDisposedException", Server: "The property accessor threw an exception: ObjectDisposedException", LastModified: "The property accessor threw an exception: ObjectDisposedException", StatusCode: "The property accessor threw an exception: ObjectDisposedException", StatusDescription: "The property accessor threw an exception: ObjectDisposedException", ProtocolVersion: "The property accessor threw an exception: ObjectDisposedException", ResponseUri: "The property accessor threw an exception: ObjectDisposedException", Method: "The property accessor threw an exception: ObjectDisposedException", IsFromCache: False }, Message: "The remote server returned an error: (500) Internal Server Error.", Data: [], InnerException: null, TargetSite: System.Net.WebResponse GetResponse(), StackTrace: " at System.Net.HttpWebRequest.GetResponse() at ACMESharp.AcmeClient.RequestHttpPost(Uri uri, Object message)", HelpLink: null, Source: "System", HResult: -2146233079 }, Response: AcmeHttpResponse { StatusCode: InternalServerError, Headers: ["Replay-Nonce", "Pragma", "Connection", "Content-Length", "Cache-Control", "Content-Type", "Date", "Expires", "Server"], Links: [], RawContent: System.Byte[], ContentAsString: "{\"type\":\"urn:acme:error:serverInternal\",\"detail\":\"Error 
creating new cert\",\"status\":500}", IsError: True, Error: WebException { Status: ProtocolError, Response: HttpWebResponse { IsMutuallyAuthenticated: "The property accessor threw an exception: ObjectDisposedException", Cookies: "The property accessor threw an exception: ObjectDisposedException", Headers: "The property accessor threw an exception: ObjectDisposedException", SupportsHeaders: True, ContentLength: "The property accessor threw an exception: ObjectDisposedException", ContentEncoding: "The property accessor threw an exception: ObjectDisposedException", ContentType: "The property accessor threw an exception: ObjectDisposedException", CharacterSet: "The property accessor threw an exception: ObjectDisposedException", Server: "The property accessor threw an exception: ObjectDisposedException", LastModified: "The property accessor threw an exception: ObjectDisposedException", StatusCode: "The property accessor threw an exception: ObjectDisposedException", StatusDescription: "The property accessor threw an exception: ObjectDisposedException", ProtocolVersion: "The property accessor threw an exception: ObjectDisposedException", ResponseUri: "The property accessor threw an exception: ObjectDisposedException", Method: "The property accessor threw an exception: ObjectDisposedException", IsFromCache: False }, Data: [], Message: "The remote server returned an error: (500) Internal Server Error.", InnerException: null, TargetSite: System.Net.WebResponse GetResponse(), StackTrace: " at System.Net.HttpWebRequest.GetResponse() at ACMESharp.AcmeClient.RequestHttpPost(Uri uri, Object message)", HelpLink: null, Source: "System", HResult: -2146233079 }, ProblemDetail: ProblemDetailResponse { Type: "urn:acme:error:serverInternal", Title: null, Status: 500, Detail: "Error creating new cert", Instance: null, OrignalContent: "{\"type\":\"urn:acme:error:serverInternal\",\"detail\":\"Error creating new cert\",\"status\":500}" } }, Data: [DictionaryEntry { Key: "ProblemDetail", 
Value: "{\"type\":\"urn:acme:error:serverInternal\",\"detail\":\"Error creating new cert\",\"status\":500}" }], Message: "Unexpected error", InnerException: WebException { Status: ProtocolError, Response: HttpWebResponse { IsMutuallyAuthenticated: "The property accessor threw an exception: ObjectDisposedException", Cookies: "The property accessor threw an exception: ObjectDisposedException", Headers: "The property accessor threw an exception: ObjectDisposedException", SupportsHeaders: True, ContentLength: "The property accessor threw an exception: ObjectDisposedException", ContentEncoding: "The property accessor threw an exception: ObjectDisposedException", ContentType: "The property accessor threw an exception: ObjectDisposedException", CharacterSet: "The property accessor threw an exception: ObjectDisposedException", Server: "The property accessor threw an exception: ObjectDisposedException", LastModified: "The property accessor threw an exception: ObjectDisposedException", StatusCode: "The property accessor threw an exception: ObjectDisposedException", StatusDescription: "The property accessor threw an exception: ObjectDisposedException", ProtocolVersion: "The property accessor threw an exception: ObjectDisposedException", ResponseUri: "The property accessor threw an exception: ObjectDisposedException", Method: "The property accessor threw an exception: ObjectDisposedException", IsFromCache: False }, Data: [], Message: "The remote server returned an error: (500) Internal Server Error.", InnerException: null, TargetSite: System.Net.WebResponse GetResponse(), StackTrace: " at System.Net.HttpWebRequest.GetResponse() at ACMESharp.AcmeClient.RequestHttpPost(Uri uri, Object message)", HelpLink: null, Source: "System", HResult: -2146233079 }, TargetSite: ACMESharp.CertificateRequest RequestCertificate(System.String), StackTrace: " at ACMESharp.AcmeClient.RequestCertificate(String csrContent) at LetsEncrypt.ACME.Simple.Program.GetCertificate(Target binding) in 
C:\Development\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 498 at LetsEncrypt.ACME.Simple.Program.Auto(Target binding) in C:\Development\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 343 at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Development\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 283", HelpLink: null, Source: "ACMESharp", HResult: -2146233088 }

I'm assuming it's due to an ObjectDisposedException :p

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

I found ebekker/ACMESharp#24 which looks like a similar issue.

@ebekker do you have any ideas, or do you think the Let's Encrypt server error might eventually go away?

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

If it's an intermittent server issue though why would it fail every single time I try SAN but work when I do normal certs?

from win-acme.

basildane avatar basildane commented on May 21, 2024

Bummer. I'm having the same issue. I got a san cert successfully in test mode, and I was just about to get a production certificate, and now I just get error 500 from Letsencrypt.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

Maybe they are having issues creating SAN certs in prod right now.

However I just did one with 7 hosts all under the same root domain about half an hour ago and it worked.

I can try setting up a couple additional root domains and try to test with them as well.

from win-acme.

basildane avatar basildane commented on May 21, 2024

I haven't pulled the production cert yet, just started getting 500 errors still on the --test.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

Both test and prod worked for me half an hour ago.

Are you trying to get a SAN cert for multiple domains?
ex. domain1.com, domain2.com, etc.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

If it helps, I'm trying to get blah.blah.com, blah2.blah.com, blah3.blah.com, hello.hello.com, hello2.hello.com, hello3.hello.com, world.world.com, world2.world.com

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

Let me set up a couple of extra domains and I'll give it a try to see if it still works for me or not.

from win-acme.

basildane avatar basildane commented on May 21, 2024

I am requesting a cert for
email.domain1.com
email.domain2.com
email.domain3.com

It worked 30 minutes ago, but now error 500.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

If it worked before and now isn't, that's leading me to think it's a server error on the Let's Encrypt side.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

I've just tried it on a one binding site, so ultra simple and it still failed on test, so maybe the server is having issues then?

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

I just got certs created with and without --test and with and without --san. I got certs for all 4 of those tests. All of them are on the same domain, I'm still getting DNS set up to be able to test additional domains as well.

from win-acme.

basildane avatar basildane commented on May 21, 2024

Still getting 500 here.

from win-acme.

basildane avatar basildane commented on May 21, 2024

I just tried turning off --san, and it worked. Turn --san on, and 500.

from win-acme.

basildane avatar basildane commented on May 21, 2024

I don't know what happened.
I can still request certs from my dev server, I can't request anything from my production server without getting a 500 now. I don't know of anything that changed. I even rebooted it. Nothing has helped.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

What OS & IIS version is anyone getting the 500 error using?

I was able to do a --san cert for dev.domain1.com, dev.domain2.com and dev.domain3.com with both --test and not using test.

from win-acme.

basildane avatar basildane commented on May 21, 2024

All my machines, both the dev and prod, are 2012 R2. Identical configurations running IIS 8.5.
The prod machine was working perfectly getting test certs, until just suddenly started throwing 500's this morning.

from win-acme.

brettjenkins avatar brettjenkins commented on May 21, 2024

I'm using Windows Server 2012 R2 x64 IIS 8.5

from win-acme.

basildane avatar basildane commented on May 21, 2024

I tried creating a new, empty site on the failed machine, and tried to get a cert for it. Get 500 on it as well. Created an identical site on another machine, I can get a cert for that one. Something happened / got corrupted on my production machine? I tried deleting the httpsacme-staging.api.letsencrypt.org folder and trying again, but no change.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

That's the exact same OS and IIS version as my primary test server.

Did you try deleting the registry keys?

from win-acme.

basildane avatar basildane commented on May 21, 2024

I have not deleted keys yet, what tree should I delete?

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

I added another line of logging to the app and did a pre-release of it so we can make sure we are all on the same code base.

https://github.com/Lone-Coder/letsencrypt-win-simple/releases/tag/v1.8.6-Pre

If you can change the min log level to Debug and try it again, maybe we can see some more info.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

The registry keys are at HKCU\Software\letsencrypt-win-simple\URI where URL is the base URI of the ACME server.

from win-acme.

DennisHeerema avatar DennisHeerema commented on May 21, 2024

Did a test on windows 2012 R2 standard server (VPS at strato)
used --test --san option

Authorizing identifiers of all bindings went fine, even double hostnames, I have ipv6 and ipv4 bindings per hostname, so every one hostname gets authorized twice. Is this OK?

At the end I got the following error:

Requesting Certificate
Unexpected error
ACME Server Returned:
{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}
Press enter to continue.

Kind Regards,

Dennis

Addendum: Deleted key and directory in C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple
Had to register again, but at the end same error as mentioned above.

from win-acme.

rkerber avatar rkerber commented on May 21, 2024

It doesn't hurt anything, and there are no limits on authorizing, but it probably shouldn't authorize it twice.
@DennisHeerema can you create a separate issue for it so I remember to fix it? Also, this one is starting to get long.

from win-acme.
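
The behaviour discussed in this thread (one SAN certificate for the unique hosts across a site's bindings, a cap of 100 names, and the double authorization seen when a host name has both an IPv4 and an IPv6 binding) all depends on how the name list is built from the bindings. The sketch below is an added example, not code from letsencrypt-win-simple, and is written in Python rather than the project's C#; the `Binding` type, the function names and the sample bindings are constructed for illustration, and skipping wildcard host headers is an assumption.

```python
# Added example (not letsencrypt-win-simple code): build the SAN name list
# for one IIS site from its bindings, authorizing each host name only once.
import ipaddress
from dataclasses import dataclass

MAX_NAMES_PER_CERT = 100  # Names/Certificate limit quoted in the thread


@dataclass(frozen=True)
class Binding:
    """Constructed model of an IIS binding; not the project's own type."""
    protocol: str
    address: str   # "*", an IPv4 address or an IPv6 address
    port: int
    host: str      # host header, empty for IP-only bindings


def normalize_host(host):
    """Return the canonical DNS name for a host header, or None to skip it."""
    host = host.strip().rstrip(".").lower()
    if not host or "*" in host:
        return None                      # IP-only binding or wildcard header
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None                      # IP literal, not a DNS name
    except ValueError:
        pass
    try:
        # Internationalized names become their ASCII (punycode) form.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None                      # empty or over-long label


def plan_san_request(bindings):
    """Return (names, skipped): names to authorize once each and put on the
    certificate, and the bindings that contributed nothing, with a reason."""
    names, seen, skipped = [], set(), []
    for binding in bindings:
        name = normalize_host(binding.host)
        if name is None:
            skipped.append((binding, "no usable host name"))
        elif name in seen:
            # Same host on another IP or port: one authorization is enough.
            skipped.append((binding, "duplicate of " + name))
        else:
            seen.add(name)
            names.append(name)
    if not names:
        raise ValueError("site has no host names to put on a certificate")
    if len(names) > MAX_NAMES_PER_CERT:
        raise ValueError("%d names exceed the %d-name limit per certificate"
                         % (len(names), MAX_NAMES_PER_CERT))
    return names, skipped


# Constructed sample: the "[ip] 443 / domain 443 / www.domain 443" site from
# the first post, with IPv4 and IPv6 bindings per host name.
SAMPLE_BINDINGS = [
    Binding("https", "203.0.113.10", 443, ""),
    Binding("https", "203.0.113.10", 443, "domain.com"),
    Binding("https", "2001:db8::10", 443, "domain.com"),
    Binding("https", "203.0.113.10", 443, "WWW.Domain.com"),
    Binding("https", "2001:db8::10", 443, "www.domain.com."),
    Binding("http", "*", 80, "b\u00fccher.example"),
]

if __name__ == "__main__":
    san, ignored = plan_san_request(SAMPLE_BINDINGS)
    print("Names for the certificate request:", ", ".join(san))
    for binding, reason in ignored:
        print("skipped %s:%d (%s)" % (binding.address, binding.port, reason))
```

Every name in the returned list still has to pass its own authorization before the certificate request is sent; a single failing name means no certificate is issued.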

rkerber avatar rkerber commented on May 21, 2024

This issue is getting rather long and isn't really a single issue anymore so I'm going to close it.
If anyone still is getting 500 errors, can you open up a new issue so we can track it there.

from win-acme.
