DISCUSS: Installation issues and experiences #10
Don't follow "Setup-Boulder-CA-on-Amazon-Linux"; I think it's just copied from the Linux ACME client. Follow Example-Usage. It's complex and lacks instructions on how to install, but I figured out how to install it by checking the build log:
If I got something wrong, I'm posting it so some developer can help us.
Thanks! But no way am I putting Visual Studio on my servers. At the bottom of that build log there's this: Where can I maybe download those zip files?
So here's as far as I can get with those. Looks like the DLL won't load for some reason. Probably a missing dependency DLL. :( I made sure to run under x86 and as administrator. I was able to run ACMEPowerShell-IIS/ACMEPowerShell-IIS.psd1 after setting an execution policy, but it didn't seem to do anything.
What works with me:
I just checked the assembly in .NET Reflector and it's built for .NET
I'm guessing that the V3 version of PowerShell that ships with 2012 is
PS C:\Vault\ACMEPowerShell> $PSVersionTable
Name       Value
PSVersion  3.0
Can the client maybe use an older framework so that it can be more easily
On Fri, Oct 30, 2015 at 1:29 PM, Gustavo Rodrigues <notifications@github.com
So now I'm running into "Initialize-ACMEVault : Vault root path is not empty" Any ideas?
The C:\Vault folder has to be empty. Gotta place the ACMEPowerShell folder somewhere else.
If the host isn't whitelisted we get "Unexpected error" on new identifier. Perhaps there could be a better error message there. Since the host I'm playing on isn't whitelisted and all this "Defining Providers" crap looks complex I guess I'm done with messing with this project for now. Hope the feedback helps someone else.
@lone-coder, there are two different API endpoints for testing certs and production certs -- is the letsencrypt-win client able to talk to the testing cert API endpoint for non-whitelisted hosts?
@schoen Probably, but I'm not interested in test certs.
I'm nearly there with configuring a domain via the manualHttpProvider, but when I get to
All the other commands have worked so far.
Had the same issue; it's just a spelling mistake. Use "Submit-ACMEChallenges" instead - that works.
Ah, I'd tried that but had also passed a bad argument, so didn't notice it was working! I note that the attribute on the SubmitChallenge class is [Cmdlet(VerbsLifecycle.Submit, "Challenges")], which is probably relevant.
So close... getting a status of 'invalid' when running a check with
Suspect they can't fetch the JSON verification from the website in question, but that's only a guess, and it works for me - presumably they're not trying https :)
So close ... yes. ^^ When you're running a
Still getting an error message "Validation payload has improper value for field type" when doing
Anyone who got that last step running?
I'm interested in this as well. Anyone have LE working with a terminal server's Web Services? IIS 7?
@drietz, I think the
I plan on removing the older DNS and simpleHttp types altogether very soon after I complete some more testing for the newer http-01 type.
Got there eventually using http-01: https://soundshed.com/

My issue with simpleHttp was that it (the letsencrypt remote server) was attempting to fetch using HTTPS, but I have no existing SSL installed for that domain.

I had trouble getting the certificate associated with IIS. Install-ACMECertificateToIIS gave the error: Unable to find type [Amazon.Runtime.AWSCredentials], and I tried importing the AWS module but it wouldn't work; could be specific to me though, as I was just copying my own build over. I then tried manually calling Get-ACMECertificate -Ref cert1 -ExportPkcs12 temp.pfx -Overwrite but I get the complaint: Get-ACMECertificate : Cannot export PKCS12; Issuer certificate hasn't been resolved. So I presume I'm missing a step there.

I then attempted to generate the pfx using openssl (I'm on Server 2012 R2) and should admit that at this point I had no idea what I was doing:
I then imported the pfx via IIS > Server Certificates > Import and then added the SSL bindings (selecting the new cert) for the domain under Edit Bindings.

The whole process from first attempt to cert install (with troubleshooting/googling) took about 4 hours split over a few days. Hopefully we can iron this out to a few minutes :) I'd suggest we do a quick start guide for each provider, as most people will use one and stick to it (I'm guessing manual http will be popular). Think we can convince letsencrypt to drop the requirement for the ".well-known" folder? It's not Windows friendly (hint: name the folder ".well-known." and then Windows will rename it to ".well-known").
Using WebServerProvider Manual, I got as far as Complete-ACMEChallenge and get:
Also, when it creates the .json file it writes it into the C:\Users\username directory instead of the current directory. I think that's a bug, since the commands look for the .json in the current directory (Vault).
To get past Complete-ACMEChallenge, edit the JSON file created by New-ACMEProviderConfig -WebServerProvider Manual and set the File Path property to a filename, not a folder (in this case C:\Temp\test.json, relative to C:\Vault):
Then when Complete-ACMEChallenge finishes it will put a code in that file and tell you what URL path it expects to find it in when you copy it into your website files (something like http://yourwebsite/.well-known/acme-client/blahblahblah where blahblahblah is your file with a new name, without the .json extension).
Would not have guessed that. The default in the generated file is ".\path\to\web-content", which to me is clearly a directory. Unfortunately I have another error. I think I pasted in the Submit-ACMEChallenges command before the files finished uploading (it's 2am), so it failed, and at this point Complete-ACMEChallenge doesn't generate a file (no error though) and Submit-ACMEChallenges shows "Unexpected error." I'm guessing I would have to start all over to have another challenge to complete.

Some other tips for this thread for someone to update the docs... "After you've completed all the Challenges you need to satisfy" - the output clearly shows four next to "Challenges": "{LetsEncrypt.ACME.AuthorizeChallenge, LetsEncrypt.ACME.AuthorizeChallenge, LetsEncrypt.ACME.AuthorizeChallenge, LetsEncrypt.ACME.AuthorizeChallenge}". It's unclear if you have to do something four times, or just once, because the Example Usage continually refers to Challenges plural.
If you use http-01 it does validate your request by making an HTTP request to your site for the file. For the (deprecated in this client) simpleHttp provider it does default to HTTPS, somewhat ironically. The acme spec says a tls true/false flag can be set but I'm not sure where this would be done in this client. |
Yeah, the reason simpleHttp defaults to TLS (now) is because they actually changed the way that simpleHttp works in the spec, and I didn't update it in the client. I'm reluctant to put any more time into it because all of the simpleHttp method was replaced by a newer http-01 and since that's been implemented, I would rather focus on that one. In fact, I'll be removing all the legacy challenge types very soon since they apparently don't work any more anyway. |
So I've created a simple .NET client for us over at https://github.com/ebekker/letsencrypt-win/issues/12. Here's a link to a build if anyone would like to give it a shot:
@amlynnworth, I think the issue you're hitting is #12; a patch will be made available soon.
Folks, I wanted to make a couple of announcements, and this ticket is probably the closest thing I have to get the word out.

First off, I'm planning on changing the name of the project. I initially just created a project that was simply a spin-off of the official LE client tacked on with the "-win" suffix to show that it's Windows-oriented, but the reality is, Let's Encrypt is a trademarked name and only specific implementations of server and clients of the ACME protocol. I'm leaning toward the name "ACMESharp", but if anyone has any better ideas let me know. I'm focusing more on the ".NET-ness" of it, rather than the Windows aspect, because in truth the client library should actually work on any platform that supports .NET (Mono, .NET Core) and isn't restricted to Windows, and if PS ever gets portable across platforms, the same can be said of the PS module, so this would be a more accurate name. Likewise, the namespace of all the code is currently rooted at the name
Now the project rename will impact everyone as far as where to get to this project, but the namespace rename will only impact any developers that are getting into the weeds.

Next, speaking of places to announce: it seems these tickets are not the best place to have a rolling discussion, so I want to set up a message group or something for such things. I'm thinking Google Groups would be appropriate, but wanted to see if anyone had any better suggestions?
Google+ community pages are quite good for announcements/discussions but are not very searchable/threaded, so yes, Groups might be better, or a dedicated Discourse-based forum perhaps. Regarding the name, just go with what you like the most. ACMESharp (for the bits related to the client specifically) makes sense, but only to people who know what it relates to. How about Certify.Net (because it's all about getting certs)? Maybe that conflicts with someone else's brand as well; surprised they get away with ACME!
I was thinking of using "NotTodayNSA", but ACMESharp is great too. Since I hosted a Discourse forum before and it sucked. Let's ask if the official
On Fri, Nov 13, 2015 at 5:13 AM, Christopher Cook notifications@github.com
They haven't said anything yet, but I did get an unofficial comment/suggestion from one of their contributors/members that led me down this path. I've also seen similar posts in other forums and channels related to other brand-related topics that swayed my decision. |
Anybody have any experience with Gitter, good or bad? |
I will use it regardless of what you name the project. ACMESharp is fine. I do not expect to see PowerShell on non-Windows platforms but that doesn't really matter as long as someone leads the Windows users of LetsEncrypt to the project. |
My simple client now handles automatic renewals, so I'm calling this release 1.0. Please check it out at https://github.com/Lone-Coder/letsencrypt-win-simple @ebekker I've not used Gitter. I'm cool with the name change. Can you link to my simple client in your projects readme, so that people that it's a good match for can find it. |
@ebekker I downloaded the new files, retested the AWS steps and got further. The challenge response file was successfully uploaded to the /.well-known/acme-challenge/ directory. Unfortunately it did not end up with a public ACL, so when the LetsEncrypt side tried to check it, they got a 403. I then marked the file public but cannot figure out how to retry the submission. I just get "Submit-ACMEChallenge : Unexpected error". Note that I have a custom bucket policy which grants, among other things, s3:PutObjectAcl permissions to the IAM user that I configured for handling the AWS cert.
@lone-coder, I added a blurb about your client. |
@amlynnworth, unfortunately once you submit a challenge for verification, the ACME server will try to verify it and if it fails, that challenge will be invalid and cannot be resubmitted. But fortunately, you can simply submit a new authorization without any cost or penalty. |
@ebekker Can I tag the file public between Complete-ACMEChallenge and Submit-ACMEChallenge? I am not sure exactly when the LetsEncrypt side tries to read the file. |
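The manual http-01 flow described above (set the File Path in the provider config, run Complete-ACMEChallenge, copy the file it produces to http://yourhost/.well-known/acme-challenge/<token>, then Submit-ACMEChallenge) has no dress rehearsal: as ebekker notes, a challenge that fails verification is invalid for good, and the two failure modes in this thread (a 403 from an S3 object that is not public, and a site that will not serve the file) only show up after submission. The following PowerShell is an added example, not code from the letsencrypt-win/ACMESharp project: it stages the response file under an IIS site root and then fetches it back over plain HTTP the way the CA does, so a 403, a 404 (IIS refuses to serve an extensionless file unless a MIME type is mapped for it) or a wrong body is caught before Submit-ACMEChallenge is run. The site root, host name, token and key-authorization values are placeholders; the token and file content are the file name and body that Complete-ACMEChallenge prints for the Manual provider.

```powershell
# Added example, not part of the letsencrypt-win / ACMESharp project.
# Stages an http-01 response under a site root and checks that the CA will be
# able to fetch it over plain HTTP before the challenge is submitted.
# $SiteRoot, $HostName, $Token and $KeyAuthorization are placeholders; the last
# two are the file name and file content that Complete-ACMEChallenge prints.

function Publish-Http01Challenge {
    param(
        [Parameter(Mandatory)] [string] $SiteRoot,         # e.g. C:\inetpub\wwwroot
        [Parameter(Mandatory)] [string] $Token,            # becomes the file name
        [Parameter(Mandatory)] [string] $KeyAuthorization  # becomes the file content
    )
    # New-Item creates the dot-prefixed folders directly; no Explorer tricks needed.
    $dir = Join-Path $SiteRoot '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # IIS serves an extensionless file only if a MIME type is mapped for it;
    # this web.config scopes that mapping to the challenge folder alone.
    $webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@
    Set-Content -Path (Join-Path $dir 'web.config') -Value $webConfig -Encoding UTF8

    # The body must match exactly: ASCII, no BOM, no trailing newline.
    $file = Join-Path $dir $Token
    [System.IO.File]::WriteAllText($file, $KeyAuthorization, [System.Text.Encoding]::ASCII)
    return $file
}

function Test-Http01Challenge {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $KeyAuthorization
    )
    # http-01 is fetched over plain HTTP; no certificate is needed on the host yet.
    $url = "http://$HostName/.well-known/acme-challenge/$Token"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 5 -ErrorAction Stop
    } catch {
        # A 403 here is the "S3 object not public" case from this thread; a 404
        # usually means the folder or the MIME mapping is wrong. Fix before submitting.
        Write-Warning "GET $url failed: $($_.Exception.Message)"
        return $false
    }
    if ($resp.StatusCode -ne 200) {
        Write-Warning "GET $url returned HTTP $($resp.StatusCode)"
        return $false
    }
    $body = if ($resp.Content -is [byte[]]) {
        [System.Text.Encoding]::ASCII.GetString($resp.Content)
    } else {
        [string]$resp.Content
    }
    if ($body.Trim() -ne $KeyAuthorization) {
        Write-Warning "Body mismatch: served '$($body.Trim())', expected '$KeyAuthorization'"
        return $false
    }
    Write-Host "OK: $url serves the expected key authorization"
    return $true
}

# Usage (placeholder values). Only submit once the check passes, because a
# challenge that fails verification cannot be retried; a fresh authorization
# would be needed instead.
# $token   = 'REPLACE_WITH_TOKEN'
# $keyAuth = 'REPLACE_WITH_TOKEN.REPLACE_WITH_THUMBPRINT'
# Publish-Http01Challenge -SiteRoot 'C:\inetpub\wwwroot' -Token $token -KeyAuthorization $keyAuth
# if (Test-Http01Challenge -HostName 'www.example.com' -Token $token -KeyAuthorization $keyAuth) {
#     # now run the Submit-ACMEChallenge step from the Example-Usage wiki page
# }
```

For the S3 provider the same check applies: run Test-Http01Challenge against the bucket's public hostname after the upload, and if it warns with a 403, make the object public before submitting rather than after, since the submission is the point at which the CA fetches the file.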
@ebekker regarding Gitter, it's good as a chat room but bad for threaded stuff where you might want to go back and see an archive. You tend to miss quite a lot of conversations while you're not signed into it. A forum is probably the best long-term solution; a Google+ community is an acceptable low-administration way of having general discussions; Google Groups is very much the same as a mailing list.
What about basecamp, hipchat or slack. I think they provide more value than g+. |
@webprofusion-chrisc, yes I agree. I inquired about the possibility of threads or topics support within rooms, and it looks like they're working on something like that -- originally slated for end of the summer, not sure what their schedule looks like now. So what I like about Gitter is that it is GitHub-oriented and integrated, but I do think without topics support, it's not workable as a solution to replace these discussions. @lennybacon, let me take a look at those. I've only used Basecamp on some commercial projects in the past; let me see if it's viable for an oss project, and I'll check out the others too.
So the problem with Basecamp is that it's inherently a closed system, where someone needs to add others to it. I'm looking for an oss-friendly way that anyone can access the topics, even search and read anonymously, and participate if they want to. Again, with Gitter this is nice because it integrates with GitHub for a user's identity and it's completely open for anyone to participate.
Slack is similar. It's a bit more open because you can give a list of domains that anyone with an email address from can join, but that's not practical for this type of project. Now, it does appear you can "fool" it into letting anyone in with a temporary email domain, and then letting folks change their email address after sign up, but that's not really how the service was intended and is probably a violation of their T&Cs. UPDATE: looks like someone has invented a bolt-on that turns Slack into this type of thing, but it requires somewhere to host it.
Looks like Discourse is exactly what I'm looking for, but it's only free if I self-host. A few other oss projects have adopted it in the same way for the same reasons. |
Just as a heads up, my front-end UI for letsencrypt-win is coming along but is not yet ready for testing (it currently explodes more often than it works). I'm toying with calling it Certify: http://webprofusion.com/apps/certify |
I can host a forum on a windows server no problem, I just wouldn't be able to give you server remote access unfortunately. |
Looking good, you're using WPF with calls out to PS cmdlets? Are you creating a PS session in code or just doing process CLI calls? |
@ebekker it's a Windows Forms app (haven't done one of those in a while!). It creates a PS session in code and invokes the commands. Planning to have a log window which shows the PS command log, which will help folk who want to start with GUI and automate later. |
Is there an appropriate place for me to leave comments about LE support under Windows in general, as opposed to this discussion of implementing the prototype to be delivered in Dec. 2015? I'm afraid I've already irritated LoneCoder by posting on his issues list (I apologize). |
I'm cool Dave, I was just teasing you a bit. :) I think ideally we'd have a windows category on the letsencrypt community I've posted a request here: Maybe go second it? On Fri, Nov 20, 2015 at 5:09 PM, David Spector notifications@github.com
Done, thanks. |
Hello all, a major version release, v0.8.0.0, is now available that includes a lot of changes and improvements. See the release announcement for more details. Also please note, discussions should now be posted to the community forums. I'm going to close this ticket now, any related discussions should be moved over to the forums. |
So I just got into the LetsEncrypt beta and came here to try to use this client on my server 2012 machine and am totally lost.
There needs to be an installer. This guide ain't gonna fly for production: https://github.com/ebekker/letsencrypt-win/wiki/Setup-Boulder-CA-on-Amazon-Linux WTF does letsencrypt-win have to do with linux, where there's no powershell?
I want a BIG BOLD command that I can copy and paste and have everything just work, like they have on https://chocolatey.org/ home page. Anything more and you're botching half the point of letsencrypt.
Is there a chocolatey package for this? Is that the plan?
https://github.com/ebekker/letsencrypt-win/wiki/Example-Usage is way too complex as well. It doesn't even say how to install.
How do I even get started right now?