IIS v7 - Renewed Certificate not automatically applied to Default Website?

Hi all,

I’m hoping for some guidance on what I’m doing wrong, or confirmation of a problem in CertifyTheWeb.

I am running a WSE2012 box, with a default website operating on it. Under the default website there are some WSE-specific sites but I don’t think that’s relevant in this case.

I installed CTW about a month ago, successfully validated the site via DNS TXT, and CTW is happily chugging along. I can see in the IIS bindings that the certificate is in use.

When I log in to the console today, I see “Default Web Site” and “Expires in 87 days”. All good there. But when I access my default website, I see that the certificate expires 28 days sooner.

So I look at the bindings in IIS for the default website, and see there are now three LetsEncrypt certificates. One is dated 01/08/18 (the original one). One is 15/08/18, one is 29/08/18. So CTW has been auto-renewing them every 14 days as configured.

BUT… the IIS binding shows that the first certificate is still bound to the default website. The two newer ones are available but not selected.

My understanding was that CTW would auto-renew and auto-bind the renewed certificates.

Is my understanding wrong? Have I done something wrong? Or is this a bug?

When the first certificate expires, will IIS auto-select a valid one from the pool of certificates installed in the certificate store on the server? Or will I see a certificate error on the website?

Many thanks,
Garth2079

More detail I missed -

In the “Preview” tab, it is set to “Default Web Site” in the box at the top, but I see:

Deploying to all matching sites:
There are no matching targets to deploy to. Certificate will be stored but currently no bindings will be updated.

at the bottom.

Is the “Default Web Site” wrong?
This is WSE2012 and the site is “Default Web Site” in IIS7.

…and I may have answered my own question.
In “Deployment” I have switched off “Auto” and see more options to play with.

I’ll go with “update existing bindings only” and see what happens…

Hi Garth,
I’m guessing you created the https binding for the default website yourself and I’m also guessing you may have been on v3.0.11 when you started (maybe not). The key thing to check is the Deployment Mode. If it’s set to single site then only one IIS website will be updated; if it’s set to Auto or All sites then the app will look for all websites it thinks match the certificate. You can see what it thinks it’s going to update in the Preview tab, and if it doesn’t say there that it’s going to update that specific binding then it’s definitely not going to. Auto deployment will not match bindings which have no hostname specified.

If your default website has no specific domain bindings (say it’s just bound to the IP) then you may have to adjust the deployment matching settings to get that included (see Deployment > All Sites > Existing binding uses old version… or Binding hostname not specified). Again, if the Preview tab shows it’s going to update the binding then you’re all set. You may need to manually update the bound certificate to the latest one in order to get features like ‘… old version…’ to work.
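
The check Chris describes (does the https binding actually point at the newest certificate, and if not, rebind it) can also be done outside the Certify UI. The following PowerShell is an added example, not part of the thread or of Certify The Web; it assumes the WebAdministration module is available, uses a placeholder site name and hostname, and matches certificates on the CN only. It deliberately handles the case from this thread, a binding with no hostname (plain IP:443, no SNI), which Auto deployment skips.

```powershell
# Added example (not CertifyTheWeb code): audit the certificate bound to each https
# binding of an IIS site and rebind to the newest unexpired certificate for the host.
Import-Module WebAdministration

# Assumptions: placeholder site name and hostname; change both for your server.
$siteName = 'Default Web Site'
$hostName = 'www.example.com'   # hypothetical; the CN on the Let's Encrypt certificate

# 1. Show which certificate each https binding is really using (bindingInformation
#    is ip:port:host; an empty host means a non-SNI binding that Auto mode ignores).
Get-WebBinding -Name $siteName -Protocol https | ForEach-Object {
    $thumb = $_.certificateHash
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    [pscustomobject]@{
        BindingInformation = $_.bindingInformation
        Thumbprint         = $thumb
        NotAfter           = $cert.NotAfter
        Subject            = $cert.Subject
    }
}

# 2. Pick the newest unexpired certificate whose subject is CN=<hostname>.
$newest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $newest) {
    throw "No unexpired certificate for CN=$hostName found in LocalMachine\My"
}

# 3. Rebind every https binding of the site that is still on an older certificate.
#    AddSslCertificate replaces the certificate for that ip:port[:host] binding;
#    'my' is the LocalMachine\My (Personal) store.
Get-WebBinding -Name $siteName -Protocol https | ForEach-Object {
    if ($_.certificateHash -ne $newest.Thumbprint) {
        Write-Host "Rebinding $($_.bindingInformation) to $($newest.Thumbprint) (expires $($newest.NotAfter))"
        $_.AddSslCertificate($newest.Thumbprint, 'my')
    }
}
```

Run step 1 on its own first to confirm the stale thumbprint matches what IIS Manager shows. Step 3 is the manual rebind Chris mentions that lets the “Existing binding uses old version…” matching work on later renewals; on older IIS versions where the binding object has no AddSslCertificate method, the equivalent is `netsh http update sslcert` against the same ip:port with the new certhash.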

Hey Chris,

Yep, you’re spot on. I got it working on my own server (binding it myself in IIS when it didn’t auto-bind), then found that SBS2011 needs the settings you mention to work, presumably because of the lack of SNI support (which you already flag within Certify). I ended up ticking all 3 of the boxes under “All Sites” / “Update existing https bindings only”, then clicking “Re-apply” under “Other Options” to see it working.

All in all, a very nice bit of coding on your part.

If I were to make any suggestion, it would be to warn that “Auto” won’t work under certain circumstances. I started on v4.05 and left it on Auto but didn’t spot that it wouldn’t auto-bind on renewal. Since you already detect when SNI isn’t supported, maybe you could also warn that auto-renewal will fail, and include a link to a KB article in your red warning under the quick start guide? This could be a balance of minimal coding effort (since SBS2011 is nearly dead) and helping other users avoid the same pitfall.

Having worked for a software development company, I’d say this shows off your skills very well. Great on your CV, and hopefully it pays you some pocket money. I would have guessed it was produced by a team, not an individual.
