Hi,
I’m getting this weird error that seems to be related to PS:
$script:UseBasic = @{}
if ('UseBasicParsing' -in (Get-Command Invoke-WebRequest).Parameters.Keys) { $script:UseBasic.UseBasicParsing = $true }
. "C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1"
$PluginArgs = @{SimplyAccount='REMOVED'; SimplyAPIKey=(ConvertTo-SecureString 'XXX_Removed for privacy' -AsPlainText -Force)}
Add-DnsTxt -RecordName '_acme-challenge.XXX_Removed' -TxtValue 'BQBupm3ScrmW1kaF29sbH23Hw60ElsXSTki4Nzz6cmQ' @PluginArgs
: Failed to import function C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Private\AcmeException.ps1: At C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Private\AcmeException.ps1:1 char:1
class AcmeException : System.Exception
The 'class' keyword is not supported in this version of the language.
This is from test-run:
Powershell/PoshACME DNS :: Error: The request was aborted: Could not create SSL/TLS secure channel. at Get-SimplyTXTRecord, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 208
at Add-DnsTxt, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 25
at , : line 33
I’m trying to get a cert via the dns-01 challenge using an API key from simply.com.
Thanks, has this ever worked for you before on this machine? I assume you are using the latest version of Certify The Web. Is there a chance that you don’t have the required version of PowerShell installed? We require PowerShell 5.0 or higher for PowerShell-related functions.
I note that the Simply API has also changed and the Posh-ACME project have had to quickly update their Simply plugin (which we offer through Certify): Release v4.13.0 · rmbolger/Posh-ACME · GitHub - however I can’t see how that would be related to this problem, we will also need to update that to keep the Simply plugin working though.
PS version according to "Get-Host | Select-Object Version" is: 5.1.14409.1005
OS version: Server 2012R2
I checked the security protocol ([Net.ServicePointManager]::SecurityProtocol) to see which versions of TLS are supported on the server, and it states: Tls, Tls11, Tls12, Tls13
I checked the simply API, and it says to use this path: https://api.simply.com/2/
Checking the scripts involved from within Certifytheweb (simply.ps1) it points to: https://api.simply.com/1/ - notice the /1/ in the script vs. the /2/ in Simply API documentation - not sure if this matters though.
Recent versions of the app will set TLS1.2 in the powershell wrapper, if you look in C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\ there is a file called Posh-ACME-Wrapper.ps1 and it should have a line like this:
# default to TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
If it doesn’t then the file is not up to date and I’d recommend reinstalling the app - to do so just download the installer from https://certifytheweb.com and run it again, if prompted to retry during file copies etc you cannot skip, just retry until it works.
Have you ever used IISCrypto to edit/limit the supported TLS versions your server supports? Nartac Software - IIS Crypto. I usually recommend applying the “Best Practices” settings (then restarting), which ensures your server supports a broad range of current TLS and cipher settings.
On the subject of updating to use the new API, we’ll eventually do a new release but in the meantime you should be able to download Posh-ACME/Simply.ps1 at main · rmbolger/Posh-ACME · GitHub and copy it to C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins overwriting the existing Simply.ps1 file. I don’t have a simply account to test this on myself unfortunately.
So I guess that’s OK, and should be working as expected?
I copied the simply.ps1 from GIT to the path on the server, but the error is still there:
Powershell/PoshACME DNS :: Error: The request was aborted: Could not create SSL/TLS secure channel. at Get-SimplyTXTRecord, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 225
at Add-DnsTxt, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 29
at , : line 33
Looking at the event log of the server, it throws these errors when I do a test run within Certify The Web:
The greyed-out checkboxes mean the OS is just using its default setting for those, and it’s hard to tell if the server is actually configured to use them. Personally I would apply the Best Practices setting and restart, but it’s up to you. You could run Qualys against your own server to see if there is an overlap between what Simply supports and your server; it’s possible there just isn’t a match.
I can see that Simply only support a very limited combination of Cipher suites, which could be the issue. Are you able to browse to https://api.simply.com/2/ using either chrome, edge or IE on your server? That would tell us whether connection is possible.
I would hit the “Best Practices” config option (on the Schannel tab and Cipher Suites tab) in IIS Crypto and restart the server. It might be worth first checking if there was some intentional restriction of TLS + cipher suites in the past, but if not then I’d just use the best practices options - they are a little more permissive (i.e. multiple TLS levels etc.) but for me they work very well for compatibility.
I hit the best practice button yesterday, and restarted server.
Issue persists, but with a slightly different error:
Powershell/PoshACME DNS :: Waiting for powershell to complete…5s
Error: The request was aborted: Could not create SSL/TLS secure channel. at Get-SimplyTXTRecord, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 208
at Add-DnsTxt, C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Simply.ps1: line 25
at , : line 33
I’m pretty sure Microsoft released a Windows update years ago to enable TLS 1.2 by default, but it may not be applied everywhere. I see also there are other settings you can check in the registry, but try the IE thing first:
No problem, sorry I can’t provide more guidance in this particular instance - this doesn’t seem to be an issue that has come up frequently (TLS features being enabled but apparently still incompatible). I’m wondering if this is specific to Server 2012 TLS 1.2 support somehow.
It’s still possible that TLS1.2 is basically fine but it’s the Cipher suite that’s not agreeing, and it could even be specific to the server type/config Simply are using (cipher order etc). I don’t know of any tool that can automate this diagnosis however.
So checking the registry reveals some keys set, some not - I have now followed all entries and added those missing according to the link you provided. Still no dice.
Looked closely at the Ciphers, and it turns out that best practice does NOT set those 2 ciphers that simply supports. I have now set those, but cannot restart server right now. So will await timeslot for reboot, and let you know!
Cool, it would be interesting to know if that helps, I think it will. Looking at the rest of that Microsoft documentation Windows 10 (and Server 2016 onwards) also have the other two cipher suites which Server 2012 doesn’t have at all: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
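As an added diagnostic example (not code from this thread, Certify The Web or Posh-ACME), a Windows PowerShell 5.1 check for Server 2012 R2 that reports the .NET protocol setting and the TLS 1.2 client registry keys, tests whether the two DHE GCM suites are in the effective Schannel cipher list (IIS Crypto writes the policy key), and then probes the API with TLS 1.2 forced. The registry paths and the _P256/_P384 suffix handling are my assumptions about Server 2012 R2 (which lacks Get-TlsCipherSuite), not taken from the thread.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell 5.1 on
# Server 2012 R2; registry locations below are assumptions about that platform.
$ApiUrl = 'https://api.simply.com/2/'   # endpoint named in the thread

# Cipher suites the thread identified as needed for api.simply.com
$RequiredSuites = 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'

# 1. Which TLS versions can the .NET client negotiate right now?
"SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"

# 2. Is TLS 1.2 explicitly enabled for the Schannel client? (absent values = OS default)
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$p = Get-ItemProperty -Path $tls12 -ErrorAction SilentlyContinue
"TLS 1.2 client: Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"

# 3. Effective cipher suite list: the group policy value (what IIS Crypto writes)
#    overrides the local default list
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy.Functions) {
    $suites = $policy.Functions -split ','   # REG_SZ, comma separated
    $src = 'policy'
} else {
    $local  = Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue
    $suites = @($local.Functions)            # REG_MULTI_SZ, one suite per entry
    $src = 'local default'
}
"Cipher suite source: $src ($($suites.Count) suites)"

# 4. Report whether each required suite is present (older builds may append _P256/_P384)
foreach ($s in $RequiredSuites) {
    $hit = $suites | Where-Object { $_ -like "$s*" }
    '{0,-42} {1}' -f $s, $(if ($hit) { 'ENABLED' } else { 'MISSING -> enable in IIS Crypto and reboot' })
}

# 5. Force TLS 1.2 (as Posh-ACME-Wrapper.ps1 does) and probe the endpoint.
#    Any HTTP status, even 401/404, proves the handshake succeeded.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $r = Invoke-WebRequest -Uri $ApiUrl -UseBasicParsing -ErrorAction Stop
    "Handshake OK, HTTP $($r.StatusCode)"
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        "Handshake OK, HTTP $([int]$_.Exception.Response.StatusCode) (expected without an API key)"
    } else {
        "Handshake failed: $($_.Exception.Message)"   # e.g. 'Could not create SSL/TLS secure channel'
    }
}
```

Run it in the same elevated Windows PowerShell host that Certify The Web uses, before and after the IIS Crypto change and reboot, to confirm the suites actually took effect.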
Setting the correct ciphers:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
in IIS Crypto, and restarting the server did the trick - certify client now communicates with Simply API, and the process finishes successfully!
Thanks again for your valued and insightful help, I could not have finished this without your help!
I hope we come across IRL, you have just earned yourself a couple of beers!
Thanks, have a nice weekend!