DNS-01 challenge update error

Hi,
I’m getting this weird error that seems to be related to PS:
$script:UseBasic = @{}
if ('UseBasicParsing' -in (Get-Command Invoke-WebRequest).Parameters.Keys) { $script:UseBasic.UseBasicParsing = $true }
. "C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1"
$PluginArgs = @{SimplyAccount='REMOVED'; SimplyAPIKey=(ConvertTo-SecureString 'XXX_Removed for privacy' -AsPlainText -Force)}
Add-DnsTxt -RecordName '_acme-challenge.XXX_Removed' -TxtValue 'BQBupm3ScrmW1kaF29sbH23Hw60ElsXSTki4Nzz6cmQ' @PluginArgs
: Failed to import function C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Private\AcmeException.ps1: At C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Private\AcmeException.ps1:1 char:1

class AcmeException : System.Exception

The 'class' keyword is not supported in this version of the language.

This is from test-run:
Powershell/PoshACME DNS :: Error: The request was aborted: Could not create SSL/TLS secure channel. at Get-SimplyTXTRecord, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 208
at Add-DnsTxt, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 25
at , : line 33

I'm trying to get a cert from a DNS-01 challenge via API key from simply.com

Any idea?
Thanks!

Thanks, has this ever worked for you before on this machine? I assume you are using the latest version of Certify The Web. Is there a chance that you don't have the required version of PowerShell installed? We require PowerShell 5.0 or higher for PowerShell related functions.

I note that the Simply API has also changed and the Posh-ACME project have had to quickly update their Simply plugin (which we offer through Certify): Release v4.13.0 · rmbolger/Posh-ACME · GitHub - however I can’t see how that would be related to this problem, we will also need to update that to keep the Simply plugin working though.

Thanks for swift reply!

No, this is the first time on this server.

PS version according to "Get-Host | Select-Object Version" is: 5.1.14409.1005
OS version: Server 2012R2

I checked the security protocol ([Net.ServicePointManager]::SecurityProtocol) to see which versions of TLS are supported on the server, and it states: Tls, Tls11, Tls12, Tls13

I checked the simply API, and it says to use this path: https://api.simply.com/2/
Checking the scripts involved from within Certifytheweb (simply.ps1) it points to: https://api.simply.com/1/ - notice the /1/ in the script vs. the /2/ in Simply API documentation - not sure if this matters though.

Version of installed certifytheweb is: 5.6.5.0

I did notice however, that Simply API endpoint only supports TLS1.2 according to ssllabs: SSL Server Test: api.simply.com (Powered by Qualys SSL Labs)
Not sure if this has anything to do with anything.

I did try to setup the same on my W11, and it does NOT yield any errors about secure SSL/TLS…!

Let me know if there’s anything else I can do to help you guys!

Thanks!

Recent versions of the app will set TLS1.2 in the powershell wrapper, if you look in C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\ there is a file called Posh-ACME-Wrapper.ps1 and it should have a line like this:

# default to TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

If it doesn’t then the file is not up to date and I’d recommend reinstalling the app - to do so just download the installer from https://certifytheweb.com and run it again, if prompted to retry during file copies etc you cannot skip, just retry until it works.

Have you ever used IISCrypto to edit/limit the supported TLS versions your server supports? Nartac Software - IIS Crypto I usually recommend applying the "Best Practices" settings (then restarting), which ensures your server supports a broad range of current TLS and Cipher settings.

On the subject of updating to use the new API, we’ll eventually do a new release but in the meantime you should be able to download Posh-ACME/Simply.ps1 at main · rmbolger/Posh-ACME · GitHub and copy it to C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins overwriting the existing Simply.ps1 file. I don’t have a simply account to test this on myself unfortunately.
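As an added example (not code from Certify The Web or Posh-ACME), the following Windows PowerShell 5.1 script checks the three things this reply is asking about: what SecurityProtocol a fresh .NET process defaults to before the wrapper forces TLS 1.2, whether the Schannel and .NET Framework registry switches for TLS 1.2 are set, and whether a TLS 1.2 request to the API host actually completes. Any HTTP status code coming back (a 404 for the bare API root, for instance) means the handshake succeeded; only a null response is a transport failure such as "Could not create SSL/TLS secure channel". The $Uri default is an assumption taken from the thread; pass your own if needed.

```powershell
# Added diagnostic script, not part of Certify The Web or Posh-ACME.
# Run it in the same Windows PowerShell 5.1 host that the Certify wrapper uses.
param(
    # Assumption: the endpoint named in this thread; any HTTPS URL on the target host will do.
    [string]$Uri = 'https://api.simply.com/2/'
)

function Get-DotNetTlsConfig {
    # Protocols a fresh .NET Framework process will offer unless a script overrides them.
    $protoDefault = [System.Net.ServicePointManager]::SecurityProtocol

    # .NET Framework switches that make WebRequest follow the OS Schannel defaults / strong crypto.
    $netKeys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    $netSettings = foreach ($k in $netKeys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Key                      = $k
                SchUseStrongCrypto       = $p.SchUseStrongCrypto
                SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
            }
        }
    }

    # Schannel client protocol switches. A missing key means "OS default";
    # Enabled=0 or DisabledByDefault=1 turns the protocol off for outbound connections.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = foreach ($ver in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $k = Join-Path $schannel "$ver\Client"
        $p = if (Test-Path $k) { Get-ItemProperty -Path $k } else { $null }
        [pscustomobject]@{
            Protocol          = $ver
            KeyPresent        = [bool]$p
            Enabled           = if ($p) { $p.Enabled } else { 'default' }
            DisabledByDefault = if ($p) { $p.DisabledByDefault } else { 'default' }
        }
    }

    [pscustomobject]@{
        SecurityProtocolDefault = $protoDefault
        DotNetRegistry          = $netSettings
        SchannelClient          = $protocols
    }
}

function Test-Tls12Endpoint {
    param([Parameter(Mandatory)][string]$Uri)
    # Same override Posh-ACME-Wrapper.ps1 applies: force TLS 1.2 for this process only.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -Method Get -TimeoutSec 15
        return [pscustomobject]@{ Uri = $Uri; HandshakeOk = $true; Status = [int]$r.StatusCode; Error = $null }
    } catch {
        # An HTTP error (404, 401, ...) still carries a Response, so the TLS handshake worked.
        $resp = $_.Exception.Response
        if ($resp) {
            return [pscustomobject]@{ Uri = $Uri; HandshakeOk = $true; Status = [int]$resp.StatusCode; Error = $null }
        }
        # No response at all: the failure happened below HTTP (TLS version / cipher suite mismatch, DNS, firewall).
        return [pscustomobject]@{ Uri = $Uri; HandshakeOk = $false; Status = $null; Error = $_.Exception.Message }
    }
}

$config = Get-DotNetTlsConfig
"Default SecurityProtocol before override: $($config.SecurityProtocolDefault)"
$config.DotNetRegistry | Format-Table -AutoSize
$config.SchannelClient | Format-Table -AutoSize
Test-Tls12Endpoint -Uri $Uri | Format-List
```

If the default SecurityProtocol prints as "Ssl3, Tls" the process would never offer TLS 1.2 without the wrapper's override, which is why an out-of-date Posh-ACME-Wrapper.ps1 matters; if TLS 1.2 is forced and HandshakeOk is still false, the problem is below the protocol version, typically the cipher suite list.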

The posh-ACME-Wrapper.ps1 does contain:

# default to TLS 1.2

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

No, I have not used the Nartac IIS Crypto; running it shows this:

So I guess that’s OK, and should be working as expected?

I copied the simply.ps1 from GIT to path on server, but error still:

Powershell/PoshACME DNS :: Error: The request was aborted: Could not create SSL/TLS secure channel. at Get-SimplyTXTRecord, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 225
at Add-DnsTxt, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 29
at , : line 33

Looking at the event log of the server, it throws these errors when I do a test run within Certify The Web:

The greyed out checkboxes mean the OS is just using its default setting for those and it's hard to tell if the server is actually configured to use them. Personally I would apply the Best Practice setting and restart but it's up to you. You could run Qualys against your own server to see if there is an overlap between what Simply supports and your server; it's possible there just isn't a match.

I can see that Simply only support a very limited combination of Cipher suites, which could be the issue. Are you able to browse to https://api.simply.com/2/ using either chrome, edge or IE on your server? That would tell us whether connection is possible.

This… Might just be the problem?
Chrome:


IE:

What can I do?

I would hit the "Best Practices" config option (on the Schannel tab and Cipher Suites tab) in IIS Crypto and restart the server. It might be worth first checking if there was some intentional restriction of TLS+Cipher Suites in the past, but if not then I'd just use the best practices options; they are a little more permissive (i.e. multiple TLS levels etc) but for me they work very well for compatibility.

I'm intrigued that Chrome and IE are showing different results though, I thought Chrome used the same TCP/IP stack that IE did but maybe not.

I hit the best practice button yesterday, and restarted server.
Issue persists… But with slightly different error:

Powershell/PoshACME DNS :: Waiting for powershell to complete…5s
Error: The request was aborted: Could not create SSL/TLS secure channel. at Get-SimplyTXTRecord, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 208
at Add-DnsTxt, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 25
at , : line 33

I'm stumped by now...

Does IE work now? If your server can speak to their API then you should get an HTTP 404 page in IE (instead of the TLS error).

I note in your IE error message that it directed you to advanced to adjust settings, is Use TLS 1.2 enabled?

Here is how it looks on one of our servers:

I actually have no idea if this setting can affect powershell.

I'm pretty sure Microsoft released a Windows update years ago to enable TLS 1.2 by default but it may not be applied everywhere. I see also there are other settings you can check in the registry but try the IE thing first:

IE settings seem similar to yours:
IE still displays TLS error.

I’ll check for the keys ASAP!

Thanks for all your support until now Chris, really appreciate it!

No problem, sorry I can’t provide more guidance in this particular instance - this doesn’t seem to be an issue that has come up frequently (TLS features being enabled but apparently still incompatible). I’m wondering if this is specific to Server 2012 TLS 1.2 support somehow.

It’s still possible that TLS1.2 is basically fine but it’s the Cipher suite that’s not agreeing, and it could even be specific to the server type/config Simply are using (cipher order etc). I don’t know of any tool that can automate this diagnosis however.

See also this list of supported cipher suites in Server 2012:

These two are the only compatible ones simply accepts:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Check the “cipher suites” tab of IIS Crypto and if these are not checked then enable them, it’s possible IIS crypto is not optimised for server 2012.
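The overlap check this reply describes can be automated rather than done by eye in IIS Crypto. The following is an added example (not IIS Crypto's, Certify's or Posh-ACME's code): it reads the cipher-suite order Schannel will actually offer, preferring the Group Policy value that IIS Crypto writes over the OS default, and intersects it with the suites the remote API accepts. The two suite names in $RemoteSuites are the ones named in this thread; the registry paths are the documented Schannel cipher-suite order locations, and the Get-TlsCipherSuite fallback assumes the TLS module present on Server 2012 R2 and later.

```powershell
# Added check script, not part of IIS Crypto, Certify The Web or Posh-ACME.
param(
    # Constructed input: the suites the thread says the remote API accepts.
    [string[]]$RemoteSuites = @(
        'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
    )
)

function Get-LocalCipherSuiteOrder {
    # The policy value (set by Group Policy or IIS Crypto) overrides the OS default when present.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $defaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    foreach ($k in $policyKey, $defaultKey) {
        if (Test-Path $k) {
            $f = (Get-ItemProperty -Path $k -Name Functions -ErrorAction SilentlyContinue).Functions
            if ($f) {
                # The policy key holds one comma-separated string; the default key holds a REG_MULTI_SZ array.
                $list = if ($f -is [string]) { $f -split ',' } else { @($f) }
                $suites = @($list | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                return [pscustomobject]@{ Source = $k; Suites = $suites }
            }
        }
    }
    # Fallback: ask Schannel directly (TLS module, Server 2012 R2 and later; assumption).
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Source = 'Get-TlsCipherSuite'; Suites = @((Get-TlsCipherSuite).Name) }
    }
    return [pscustomobject]@{ Source = 'none'; Suites = @() }
}

function Compare-CipherSuites {
    param(
        [Parameter(Mandatory)][string[]]$Local,
        [Parameter(Mandatory)][string[]]$Remote
    )
    # -contains is case-insensitive, so IANA-style names compare as expected.
    $common  = @($Remote | Where-Object { $Local -contains $_ })
    $missing = @($Remote | Where-Object { $Local -notcontains $_ })
    [pscustomobject]@{
        CanNegotiate = ($common.Count -gt 0)   # at least one suite both sides offer
        Common       = $common
        MissingLocal = $missing                # enable one of these to fix a mismatch
    }
}

$order = Get-LocalCipherSuiteOrder
"Local cipher-suite order read from: $($order.Source) ($($order.Suites.Count) suites)"
$result = Compare-CipherSuites -Local $order.Suites -Remote $RemoteSuites
$result | Format-List
if (-not $result.CanNegotiate) {
    "No overlap with the remote API: enable at least one suite listed under MissingLocal (IIS Crypto 'Cipher Suites' tab or Enable-TlsCipherSuite) and reboot."
}
```

An empty Common list with the suites present under MissingLocal is exactly the situation in this thread: TLS 1.2 is enabled, but the "Best Practices" order simply does not include either suite the remote side will accept. A suite name absent from both the policy and default lists is one the OS build does not ship at all, and enabling it in IIS Crypto will not help.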

So checking the registry reveals some keys set, some not - I have now followed all entries and added those missing according to the link you provided. Still no dice.

Looked closely at the Ciphers, and it turns out that best practice does NOT set those 2 ciphers that simply supports. I have now set those, but cannot restart server right now. So will await timeslot for reboot, and let you know!


Cool, it would be interesting to know if that helps, I think it will. Looking at the rest of that Microsoft documentation Windows 10 (and Server 2016 onwards) also have the other two cipher suites which Server 2012 doesn’t have at all:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Chris, just to wrap this up :)

Setting the correct ciphers:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

in IIS Crypto, and restarting the server did the trick - certify client now communicates with Simply API, and the process finishes successfully!

Thanks again for your valued and insightful help, I could not have finished this without your help!
I hope we come across each other IRL, you have just earned yourself a couple of beers! ;)
Thanks, have a nice weekend!
