I get that, we use the domain name for the certificate name (sub.domain.com.crt), we created a script per SSL for each domain that has the correct name hard coded as the file name.
Ive bumped in to the rate limit thing already with testing, we have the cert so it appears to work ok… I assume when i request a new one, the old one with its chain doesnt die (as we have one live and tested it too often)?
What I meant about users and the GUI is that if you open a cmd window as your local user and type openssl it might know what you’re talking about if your PATH variable contains it. But the service runs as SYSTEM, so it likely would have a differentPATH variable that doesn’t know where OpenSSL is. This is one possibility of why it would work in testing but not via the service. Similarly, if you had a mapped network drive configured, the SYSTEM user has no visibility of it, so anything depending on that mapped network drive would fail also.
Requesting a new certificate doesn’t invalidate old ones. They remain valid for their normal lifetime.
For most operations the GUI talks to the background service (Certify.Service), which is running as Local System by default. There is a small subset of diagnostic stuff that runs directly from the GUI including (currently) the powershell test button, but really the test function is a bit limited as it’s not the same as running from the service.
Long term we need to decide if the test facility is the right way to do that - really you probably want to run the last real result through the latest script and ‘Test’ should probably be ‘Run’ instead.
We configured 2 new domains with scripts and they have all worked as expected, so i would guess it will be ok as a service. However i assume (and hope) this script wont be needed in the new version as its just taking the certs and placing them in the Apache SSL folder with the correct name.
We do not test the scripts as we know they will work as expected.