Certify The Web for Windows Server 2016 Essentials Access Anywhere

Hello community! I’m new to Certify The Web and was hoping somebody could help me understand: Can I use Certify The Web to create an SSL Certificate for Remote Web Access and VPN on my home server (Windows Server 2016)? All I’m trying to do is get around having to purchase an SSL Certificate every year simply to access my server/network remotely. I’m not hosting a website, so I think all I need is a DV for Windows Server (IIS). Does anybody have a tutorial on exactly how to do this maybe?

Thank you!!!

The app is free for the first 5 managed certificates, so that usually covers most people. Sorry I don’t have any experience with Server Essentials. You should start by requesting a certificate for IIS then see how you can script it to apply to other services/products.

Okay, thanks Christopher!

Since WSE2016 uses SSL for Remote Web Access, I’m pretty sure it will work as hoped.
I use WSE2012 and the RWA website runs happily under a LE certificate. I don’t use SSL VPN so can’t answer that one, but would be interested to hear your results if you try it.

This free guide will help you Get a free Let’s Encrypt SSL certificate for Access Anywhere and automatically renew it.


Hello,
I’ve set up our server using the very useful guide above but I still have to run Anywhere Access repair to get the VPN working again after a renewal. If I run the script (unaltered from the example script for RDPGatewayServices) as a test from within Certify the Web it breaks the VPN, so I think there is an issue in it for Essentials maybe?
Any thoughts?
PS I am an enthusiastic amateur!
Shaun
WSE 2016

I’m not an expert in that I’m afraid but the default script probably doesn’t restart the service, so maybe you need to adjust that to restart the necessary services?

On a related topic I’m working on a new feature called ‘deployment tasks’ for the next major version, this will allow configuration of common deployment tasks such as this, in particular it will allow you to disconnect certificate renewal from the actual deployment (which you can defer for a maintenance window instead) : https://github.com/webprofusion/certify/issues/440


It sounds like you have the same issue as my WSE2016, using SSTP VPN.

When you update the certificate, the new certificate is bound correctly in IIS, but the SSTP VPN is still storing the old certificate hash. The symptom is that the SSTP VPN client connects, but immediately disconnects, and the client logs RRAS event ID 6 in its event log.

The solution is:

netsh http show sslcert
Note the changed hash for 0.0.0.0:443. This will need to be changed for the SSTP VPN listener (SHA1).

If no RRAS GUI (per WS2016E):
- Go to HKLM\System\CurrentControlSet\Services\SstpSvc\Parameters
- Alter the “SHA1CertificateHash” key from your new certificate (old hash should match Event 6 RASMAN error). You’ll need to type it by hand, paste doesn’t work.
- Restart RRAS service
- Test the new configuration

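The manual steps in the post above (check the hash bound to 0.0.0.0:443, write it to SHA1CertificateHash, restart RRAS), as an added PowerShell example that is not from this thread, from the linked GitHub scripts, or from Certify itself. Assumptions: the `-Thumbprint` parameter name is hypothetical, the registry value is stored as raw bytes, RRAS runs as the `RemoteAccess` service, netsh output is in English, and the session is elevated.

```powershell
# Added example (not the thread's or Certify's code). Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string] $Thumbprint   # hypothetical parameter: SHA1 thumbprint of the renewed certificate
)
$ErrorActionPreference = 'Stop'
$sstpKey   = 'HKLM:\System\CurrentControlSet\Services\SstpSvc\Parameters'
$valueName = 'SHA1CertificateHash'

# Thumbprints copied from the certificate UI often carry spaces or hidden characters.
$hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hex.Length -ne 40) { throw "Expected a 40-hex-digit SHA1 thumbprint, got $($hex.Length) digits." }

# Refuse to point SSTP at a certificate that is missing, expired or has no private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$hex"
if (-not $cert.HasPrivateKey)      { throw "Certificate $hex has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $hex expired on $($cert.NotAfter)." }

# Cross-check against the HTTP.sys binding (assumption: English netsh output).
$binding = netsh http show sslcert ipport=0.0.0.0:443 |
    Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' | Select-Object -First 1
if ($binding -and $binding.Matches[0].Groups[1].Value -ne $hex) {
    Write-Warning "0.0.0.0:443 is bound to a different certificate than $hex."
}

# Assumption: the value is stored as raw bytes (REG_BINARY), 20 bytes for SHA1.
$newBytes = [byte[]] (0..19 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
$oldBytes = (Get-ItemProperty -Path $sstpKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$oldHex   = if ($oldBytes) { -join ($oldBytes | ForEach-Object { $_.ToString('X2') }) } else { '' }

if ($oldHex -eq $hex) {
    Write-Output "SSTP already uses $hex; nothing to do."
    return
}

# The old hash printed here is the one to compare with the Event 6 RASMAN error.
Write-Output "SSTP hash: '$oldHex' -> '$hex'"
Set-ItemProperty -Path $sstpKey -Name $valueName -Value $newBytes -Type Binary

# Assumption: RRAS runs as the 'RemoteAccess' service. Restarting drops active VPN sessions.
Restart-Service -Name RemoteAccess -Force
(Get-Service -Name RemoteAccess).Status
```

Only the SHA1CertificateHash value named in the post is updated; any other hash values under the same key are left untouched.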

Thanks for this. Would this need to be done after every cert renewal?
Shaun

@Shaunreynolds yes the cert hash will change after every renewal so you need to re-deploy it to anything that uses it.

Is there any update on this? I too have problems with Windows Server Essentials 2012/2016 and SSTP VPN stopping working after the certificate renews.

Due to the short certificate life, i.e. 90 days, it’s not ideal to have to manually intervene (and the best manual solution seems to be a server restart) as frequently as this compared to purchasing a certificate which could last for multiple years.

I do appreciate all the hard work that’s gone in to making the app - it’s a great thing, but this little niggle is a pain 🙂

David

Hi David,

I’ll be honest I have no relevant experience with administration of SSTP VPN so I have to defer to the community to figure out the finer points of scripting certificate updates for that. Really supporting specific services like this is outside the scope of the app itself and more in the realms of scripting (which is usually custom). The assumption from that point on is that the users themselves know how to administer/update certificates for their chosen software components, which is not always going to be the case.

From my reading of the above thread the service may need a registry update with the new certificate hash then the service needs restarted, so that’s what you’d script. For direction here is a sample script from another user which may be helpful: https://github.com/webprofusion/certify/issues/447

Over time I do intend to add specific deployment tasks (with UI) to target common services and work has started on this but SSTP VPN is not included yet.


I have the same issue as my Windows Server 2019 Datacenter, using SSTP VPN.
Two errors:
“Routing and Remote Access” service stopped.
And “RasSstp” lacks certification for SSTP.

I’ll try the solution you gave here.

Thanks!

Gang Liu

Confirmed that the script in the link does indeed work.
I copied the text and saved it on the affected machine as a ps1 file.
I then linked to it in the Post-request PS Script box and clicked “TEST”.

Confirmed that the registry entries in HKLM\System\CurrentControlSet\Services\SstpSvc\Parameters relating to hash values changed.
SSTP connections immediately before the script failed.
Attempts immediately after the script work correctly.

The only issue was a dialog box “Waiting for RRAS service to stop”. Presumably the machine was slow when stopping the service. It didn’t stop the script from running. When the script is called as part of the usual renewal process, I’m guessing the dialog will be suppressed in any. I’ll know for sure in 10 days.

Thanks to j0mbie on Github for the code.


Yah, it works. Thanks to j0mbie & Garth2079. 😊

Thank you very much! I am waiting for the next major version from you. 😍

Thanks, next major version is likely a beta release in August, full release Sept/Oct.

Hello Everyone,

Were you finally able to resolve issues with CTW and cert renewals on WSE2016? I was successfully able to use CTW to deploy my first cert, but renewals are not applying to Anywhere Access.

The IIS cert is updating with renewals correctly, it’s just Anywhere Access that is not showing the renewed cert applied. I set up a post deployment task for Remote Gateway and Remote Access services and both have service restarts enabled. The tasks both show deployment success but the cert is still not applying. Any tips? The link referenced above in thread is being blocked by my system as malware.

Regarding the built in Deployment Tasks for remote access and remote gateway, there is some debate and variation in the scripts that are required to pull off a clean restart etc, here are the current scripts used internally:

You do have the option of just running your own script as many people do, however if you do, do not store scripts under C:\Program Files\CertifyTheWeb\.... - we used to keep example scripts there but the intention was never for people to modify those in-place and I’ve seen a few articles suggesting to do just that (then the next update would overwrite them), so if you do use a custom script then store it outside like in C:\Scripts or wherever.


There is a recent discussion about access anywhere scripting but it was getting complicated: https://github.com/webprofusion/certify/issues/519

Note also that certify has a built in task for Stop/Start/Restart service - if in doubt you can use that to restart additional services.