Hi,
I’m Chris, I develop the ‘Certify’ app for Windows. I started it as a hobby at the end of 2015 and it has grown since then into a full-scale software product.
Up until now, we’ve released the Certify SSL Manager app (and the overall Certify The Web services like the dashboard etc) with the only feedback from users being support requests and github issues. We’re experimenting with having our new community discussion forum to help engage and help users.
Did the app work for you? What kind of setup do you use it for? Is there anything it currently doesn’t do that you’d like it to?
I think it’s very good that you have a forum for questions&answers. Regarding the software, I don’t really have any feedback, I find it easy to use and very good. It just works as needed.
I personally don’t need the feature that I could manage the server from local workstation. Maybe someone with more servers will see use of that. I prefer less remote access to server features.
I ran Certify v3 for some time and it always performed flawlessly. This is all in use in a home lab/setup environment, by the way.
When I got wind of the v4 alpha testing with DNS support for wildcard certificates I jumped at the chance to get on board.
The first thing I had to do was move my DNS to one of the supported providers as the one I’ve used for years, although very reliable has no API system that I’m aware of and certainly not ever likely to be supported anyway.
I picked Azure simply because I have Office 365 accounts etc and it kind of just made sense as things like extra email domains DNS can be configured automatically in future.
I have to say that although configuring the DNS settings for a domain are trivial - anyone who’s ever done it in any kind of web console will find their way around it (although I stumbled at first because I failed to notice the fqdn was pre-populated so I ended up with resouce.domain.com.domain.com but that was user error.
Getting it configured properly for Certify though was a nightmare and I feel that Microsoft have made it overly complicated to the extreme.
I did, ultimately get it working and have shared the steps with Chris to hopefully help anyone else to get there more easily and it’s working an absolute treat.
I can’t thank Chris enough for his effort and his willingness to respond and help - he pointed me at some valuable resources that although slightly wrong in places, did ensure I could piece the missing parts together.
My experience is therefore a bit mixed - from Chris it’s brilliant but from Microsoft it was just not good.
Anyone needing automation for their wildcard certs in IIS really have no need to look anywhere else in my humble opinion.
Cloudflare is amongst the simplest (and has a free plan).
AWS was also fairly simple, albeit with the added complication of configuring an IAM user/role
DnsMadeEasy seems a bit old fashioned/basic compared to the others. They probably spent a lot of money on it all several years ago. Provides a sandbox account to play with.
Being an occasional user of certificates (i.e. deploying only when occasionally needed in my job, for instance Outlook Web Access), I had to remind myself every couple of years how to do it, and breath a sigh of relief when it worked. Then I had 2 years to forget the process again.
I love that CTW auto-renews and takes the hassle out.
Are there plans for alerts via email? I’m really bad at checking stuff so an email alert when there’s a problem would be great. For instance, if an in-use website certificate is within 14 days of expiring.
Currently by default you will get an email from the app (based in the contact set in Settings) if auto renewal fails, so that should do what you require.
You can also do fancy stuff like post-request scripts or web-hooks to receive success/fail info in custom ways.
If you ignore those (or don’t receive them) Let’s Encrypt will also send you an email when your certificate is approaching expiry of it hasn’t already renewed.
Great - thanks Chris. I checked through the settings in the program and couldn’t see specific settings, so presumably that’s just default (i.e. non-configurable) behaviour. My email is the default contact so hopefully that’ll work well if ever needed. Perhaps I’ll change my feature request to expand on the alert functions i.e. what emails to send an when. Just by looking, I can’t tell that an alert will be sent (unless I’m being blind).
I’m running v4.08, upgraded from v4.05 today.
In a shameless attempt to get an answer to a different question, I posted earlier today about my server receiving new certs as configured, but not updating the default website with the latest cert. So I have 3 certs available (3 / 17 / 31 days old) but IIS is using the oldest still. It’s easy to tell IIS to use the latest, but I thought Certify would do this as part of the auto renew? Any thoughts off the top of your head?
I actually set up my personal server with a view to seeing it work well, with a view to migrating my consulting clients to it once I see it’s pretty bullet-proof. I already have a couple of SBS2011 clients running it and will roll it out further to bigger (and therefore licence-buying) once I have full confidence it’s sturdy enough for a corporate environment where I’ll get the blame if it were to cause problems.
Thanks Garth, I’ve added a response to your other question.
Regarding sending emails, you should find the option on [your Managed Certificate] > Show Advanced Options > Other Options > Notify Primary Contact on Renewal Failure.
Mostly good experiences. Haven’t found a better Let’s Encrypt client for Windows.
First I used it to give an HTTPS certificate to an Azure VM, which seemed to be what it was designed towards… automatic IIS configuration, etc.
My second usage was a bit off the beaten path, but I still think it’s the best setup I know about. I have a personal mail server running locally (hMailServer) and wanted to use a cert from Let’s Encrypt instead of self-signed. I had a WAMP setup already on port 80, so I just made a virtual host with the same domain name as my mail server and the Certify client pushed the acme-challenge files when needed. Used a PowerShell script and OpenSSL to extract the private key/cert from the PFX generated by Certify and restart the mail service.
The only problem I seemed to have was getting the post-request PS script working. Not being able to use the staging environment made me worry a bit when I was having trouble with the script. Part of the trouble was getting OpenSSL to give me exactly what I wanted and the other part was a weird issue with the script variables. $result.MangagedItem.CertificatePath seemed to give me an empty string(or not a string?), so I couldn’t pass it to OpenSSL. I’ve requested the certificate successfully 3 times now, but the variable is always empty despite other variables working. I used a workaround for getting the filename, so I’m not terribly bothered about it.
An issue was recently raised regarding a typo in our docs (ManagedItem being mispelled) and it looks like you might have copied that as well, can you see if ti works with $result.ManagedItem.CertificatePath? An option to re-run the post request script without re-requesting the certificate is on the to-do list.
Yes, that seems to return the same string as my work-around method of selecting the newest PFX file in the folder. Even the TEST button works correctly.
Presumably I should be able to reduce the number of hardcoded paths in the script, now.
