Hi all,

My previous registrar decided to revoke API access, so I have spent the afternoon migrating all my domains and automation over to Cloudflare. I am pretty much completely done, but I have been running into issues getting win-acme to generate a valid cert. I had been up and running with no issues for about 3 years prior, so I'm not sure what's happening.

Steps taken:
- Deleted win-acme folder in P:/programdata
- Upgraded to the latest version
- Installed Cloudflare DNS plugins
- Created a new cert (tried both ECS and RSA)

I am able to issue a PKCS cert file just fine, but when I attempt to validate it with OpenSSL, or use it in an app (Plex), I am getting the following exceptions:

openssl: inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0)

Plex:
Jun 02, 2024 19:16:52.262 [5968] ERROR - [CERT] PKCS12_parse failed: error:0308010C:digital envelope routines::unsupported
Jun 02, 2024 19:16:52.262 [5968] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

All settings are default. I have tried a simple hostname, a wildcard, and a hostname with some SANs. The only config changes I made were to the notification settings (which is working).

```
PS P:\Apps\winacme> .\wacs.exe --verbose
[DBUG] Logging at level Verbose
[VERB] Loaded validation plugin Cloudflare from P:\Apps\winacme\PKISharp.WACS.Plugins.ValidationPlugins.Cloudflare.dll
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Looking for settings.json in P:\Apps\winacme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Use existing log folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Use existing cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[DBUG] Found 1 secrets in secrets.json
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails True
[VERB] Arguments: --verbose
[VERB] ExePath: P:\Apps\winacme\wacs.exe
[VERB] ResourcePath: P:\Apps\winacme
[VERB] PluginPath: P:\Apps\winacme\
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.2.9.1701 (release, pluggable, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[DBUG] [HTTP] Send GET to https://acme-v02.api.letsencrypt.org/directory
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
  "_amWaCqVSxU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
[INFO] Connection OK!
[DBUG] Running with administrator credentials
[DBUG] IIS not detected
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

Choose an action or type numbers to select renewals: d

Renewal 1/1 -----------------------------------------------------------------
  Id: G4m0MaK31ku6V7etQmSjPg
  File: G4m0MaK31ku6V7etQmSjPg.renewal.json
  Account: Default account
  Auto-FriendlyName: [Manual] *.domain.net
  .pfx password:
  Expires: Unknown
  Renewal due: 2024/7/28
  Renewed: 2 times
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --host
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --cloudflareapitoken
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Flag --ocsp-must-staple not present
[VERB] Flag --reuse-privatekey not present
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Flag --keepexisting not present
[VERB] No value provided for --certificatestore
[VERB] No value provided for --acl-fullcontrol
[VERB] No value provided for --acl-read
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --pemfilespath
[VERB] No value provided for --pempassword
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --pfxfilepath
[VERB] No value provided for --pfxpassword
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
  Command: wacs.exe --source manual --host *.domain.net,domain.net --validation cloudflare --cloudflareapitoken vault://json/cf_letsencrypt --store certificatestore,pemfiles,pfxfile --pemfilespath P:\Apps\certs --pempassword ******* --pfxfilepath P:\Apps\certs --pfxpassword *******

Plugins -----------------------------------------------------------------
  Source: Manual
   - Description: Manual input
  Validation: Cloudflare
   - Description: Create verification records in Cloudflare DNS
  Order: Single
   - Description: Single certificate
  Csr: RSA
   - Description: RSA key
  Store: CertificateStore
   - Description: Windows Certificate Store (Local Computer)
  Store: PemFiles
   - Description: PEM encoded files (Apache, nginx, etc.)
  Store: PfxFile
   - Description: PFX archive
  Installation: None
   - Description: No (additional) installation steps

Orders -----------------------------------------------------------------
  Order 1/1: main

History -----------------------------------------------------------------
History 3/3 -----------------------------------------------------------------
History 2/3 -----------------------------------------------------------------
History 1/3 -----------------------------------------------------------------
```

Any ideas? Thanks.
It seems like OpenSSL 3.0 doesn't like the default settings chosen by BouncyCastle for the PFX/PKCS12 archive, which is a legacy encryption algorithm. Recently I've been playing around with trying to upgrade this, but that caused failures on older versions of Windows. I guess we'll have to make it an optional setting to modernize the archive.
It looks like it was 2.1.17.1065:

2024-05-19 09:33:11.941 -07:00 [INF] Software version 2.1.17.1065 (release, pluggable, standalone, 64-bit) started

I haven't tried going back to that version and trying again, but I probably should. Until there is a flag/option to use the upgraded encryption, it looks like I will need to do some manual work to get the cert to play nice. Thanks for the response and for confirming that this looks to be an issue with win-acme issuing PFX certs for services that only support OpenSSL 3+.
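The maintainer's diagnosis above (BouncyCastle's default PKCS#12 settings use a legacy cipher that OpenSSL 3 no longer ships in its default provider) can be checked on the .pfx itself before it ever reaches openssl or Plex. What follows is an added example, not code from win-acme or from anyone in this thread: a stdlib-only Python script that walks the ASN.1 of a PKCS#12 archive, lists the password-based-encryption OIDs it finds, and flags the schemes (RC2 and RC4) that OpenSSL 3 provides only through its optional legacy provider, while still reporting 3DES, which the default provider keeps. The function names, the constructed sample archives at the bottom (skeletons with dummy ciphertext, not real certificates) and the BouncyCastle-style BER wrapping used for the `ber=True` sample are all assumptions of the example.

```python
"""Added example, not win-acme's code: report the password-based-encryption schemes
inside a PKCS#12 (.pfx) archive by walking its ASN.1.  Stdlib only; samples constructed."""

# PKCS#12 PBES1 schemes (RFC 7292 app. C). OpenSSL 3 keeps RC2/RC4 only in its legacy provider.
PBES1 = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
PBES2 = {"1.2.840.113549.1.5.13": "PBES2", "2.16.840.1.101.3.4.1.42": "aes256-CBC"}

def _read_tlv(buf, pos):
    """One BER/DER element at buf[pos] -> (tag, body, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:  # BER indefinite length: children run until an 00 00 pair
        if not tag & 0x20:
            raise ValueError("indefinite length on a primitive")
        start = pos
        while buf[pos:pos + 2] != b"\x00\x00":
            pos = _read_tlv(buf, pos)[2]
        return tag, buf[start:pos], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def _elements(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body

def _decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """Every OID reachable from buf, descending into OCTET STRINGs that parse as ASN.1."""
    oids = []
    for tag, body in _elements(buf):
        if tag == 0x06:
            oids.append(_decode_oid(body))
        elif tag in (0x04, 0x24):  # OCTET STRING; 0x24 = BER, segmented into 0x04 parts
            try:
                blob = body if tag == 0x04 else b"".join(s for t, s in _elements(body) if t == 0x04)
                oids += collect_oids(blob)
            except ValueError:  # opaque bytes (ciphertext, salt, MAC digest), not ASN.1
                pass
        elif tag & 0x20:  # SEQUENCE, SET, [n] EXPLICIT
            oids += collect_oids(body)
    return oids

def classify(pfx):
    """Which PBE schemes a .pfx uses and whether OpenSSL 3 needs -legacy to read it."""
    found = set(collect_oids(pfx))
    pbes1 = sorted(n for o, n in PBES1.items() if o in found)
    return {"pbes1": pbes1, "pbes2": sorted(n for o, n in PBES2.items() if o in found),
            "needs_legacy_provider": any("RC2" in n or "RC4" in n for n in pbes1)}

# Constructed sample input: a minimal DER writer and a PKCS#12 skeleton (no real keys).
def _der(tag, body):
    lenb = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + lenb + body
def _oid(suffix):  # every OID used here except AES hangs off 1.2.840.113549
    return _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d" + suffix)

def sample_pfx(legacy, ber=False):
    """legacy: RC2-40 cert bag (classic default) vs PBES2/AES-256; ber: BouncyCastle-style BER."""
    params = _der(0x30, _der(0x04, b"\x11" * 8) + _der(0x02, b"\x08\x00"))  # salt, 2048 rounds
    def pbe(pbes1_suffix):
        if legacy:
            return _der(0x30, _oid(pbes1_suffix) + params)
        kdf = _der(0x30, _oid(b"\x01\x05\x0c") + params)
        aes = _der(0x30, _der(0x06, b"\x60\x86\x48\x01\x65\x03\x04\x01\x2a") + _der(0x04, b"\x22" * 16))
        return _der(0x30, _oid(b"\x01\x05\x0d") + _der(0x30, kdf + aes))
    enc_data = _der(0x30, _der(0x02, b"\x00") + _der(0x30, _oid(b"\x01\x07\x01")
                    + pbe(b"\x01\x0c\x01\x06") + _der(0x80, b"\xaa" * 48)))
    inner = _der(0x30, _der(0x30, _oid(b"\x01\x07\x06") + _der(0xA0, enc_data)))
    auth_safe = _der(0x30, _oid(b"\x01\x07\x01") + _der(0xA0, _der(0x04, inner)))
    if ber:  # indefinite lengths and an OCTET STRING split into two segments
        split = b"\x24\x80" + _der(0x04, inner[:100]) + _der(0x04, inner[100:]) + b"\x00\x00"
        auth_safe = b"\x30\x80" + _oid(b"\x01\x07\x01") + b"\xa0\x80" + split + b"\x00\x00\x00\x00"
    return _der(0x30, _der(0x02, b"\x03") + auth_safe)
```

Run it on the real file with `classify(open(r"P:\Apps\certs\yourcert.pfx", "rb").read())`; a result with `needs_legacy_provider` set to True is exactly the archive that produces the `RC2-40-CBC` and `PKCS12_parse failed ... unsupported` errors quoted in the report. The manual work the thread points at is a re-export with OpenSSL 3's own tooling, provided the legacy module is present in that OpenSSL install: `openssl pkcs12 -in old.pfx -legacy -nodes -out tmp.pem` followed by `openssl pkcs12 -export -in tmp.pem -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -out new.pfx` (those three algorithm options are already OpenSSL 3's defaults, stated here so the intent is explicit). The intermediate PEM holds the unencrypted private key, so write it to a location only the administrator can read and delete it once the new archive is verified. An archive whose only PBES1 scheme is pbeWithSHAAnd3-KeyTripleDES-CBC does not need the legacy step, because 3DES remains in the default provider; that is why the script reports the PBES1 schemes and the legacy-provider requirement separately.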