Some feedback and questions


#1

Hi folks,

Congrats on creating an awesome piece of software. It has made my life a lot less stressful.

First off, some feedback that I’d like you to consider putting in as features of Certify.

  1. From this article, Delete old certificate on successful renewal, I understand that old certs are deleted 1 month after successful renewal. Can I suggest that you give the user a choice of when to delete the old certs? They can choose to delete immediately or up to 1 month from renewal.

  2. I look forward to having NameCheap included in the dns-01 as a built-in registrar. However, until then, we still need to write scripts for it. Please consider enabling .ps1 as a script instead of just having .bat. Perhaps also allow passing more than just the 3 standard command-line arguments to the script.

  3. Again for custom dns-01 scripts, please consider making it into a “plug in” type of environment. This way, we can create our own DLLs and quickly integrate them into your system.

Some questions

  1. In https://certifytheweb.com/register, you had mentioned “free for a limited number of managed certificates per server”, what is this limited number?

  2. I have more questions… but I can’t remember… ;(

Cheers,
Peter.


#2

Hi Peter,

Thanks, I’m glad it’s working out well for you!

  1. The new beta version (link on the https://certifytheweb.com site) just released has a new set of certificate cleanup modes; these are currently global. The Full Cleanup option will regularly remove all [Certify] certs not currently referenced by managed certificates.
  2 & 3. The absolute best way to get a provider added is to develop the provider yourself as you suggest. Several of our API providers were contributed this way. You can see the other examples here: https://github.com/webprofusion/certify/tree/development/src/Certify.Providers/DNS - the priority though will probably be to focus on finding an alternative to using DNS APIs altogether and instead provide a managed CNAME redirection service (so you do a one-time DNS CNAME record creation and we manage that through our API via a dedicated DNS zone in AWS etc.)

Regarding the limited number of managed certs, it was 5 and it’s currently 10 as an experiment. In the future I’d like to remove the limit altogether but we’ll see how it goes with 10. The vast majority of people using the app use the free version, but the vast majority are also businesses who want something reliable and maintained. It’s an interesting challenge!


#3

Hi hi… thanks for replying.

I remembered what my other question was.

I’ve developed a namecheap script that is now running somewhat smoothly, although it is still far from production quality. Below is the log from one of my cert requests.

2018-12-13 21:07:51.525 +08:00 [INF] Certify/4.0.12.0 (Windows; Microsoft Windows NT 6.2.9200.0)
2018-12-13 21:07:51.525 +08:00 [INF] Beginning Certificate Request Process: [domain name] using ACME Provider:Certes

2018-12-13 21:08:07.064 +08:00 [INF] Performing automated challenge responses ([domain name])
2018-12-13 21:08:07.065 +08:00 [INF] DNS: Creating TXT Record ‘_acme-challenge.[domain name]’ with value ‘9z9AiHNVZO7iSMY-_clLEMU-s6ZnEKX-ooDkAJxnLLY’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’
2018-12-13 21:08:09.623 +08:00 [INF] DNS: (Use Custom Script)

<create script called here for _acme-challenge.[domain name]>

2018-12-13 21:08:09.623 +08:00 [INF] Requesting Validation from Let’s Encrypt: [domain name]
2018-12-13 21:08:09.623 +08:00 [INF] Attempting Domain Validation: www.[domain name]
2018-12-13 21:08:09.623 +08:00 [INF] Registering and Validating www.[domain name]
2018-12-13 21:08:09.623 +08:00 [INF] Performing automated challenge responses (www.[domain name])
2018-12-13 21:08:09.623 +08:00 [INF] DNS: Creating TXT Record ‘_acme-challenge.www.[domain name]’ with value ‘HP2SLP2XtCg_z9Goj9ZNgqt8n05ZlK2wo0SYjusFl5Y’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’
2018-12-13 21:08:11.327 +08:00 [INF] DNS: (Use Custom Script)

<create script called here for _acme-challenge.www.[domain name]>

2018-12-13 21:08:11.328 +08:00 [INF] Requesting Validation from Let’s Encrypt: www.[domain name]
2018-12-13 21:09:11.569 +08:00 [INF] Attempting Challenge Response Validation for Domain: [domain name]
2018-12-13 21:09:11.569 +08:00 [INF] Registering and Validating [domain name]
2018-12-13 21:09:11.569 +08:00 [INF] Checking automated challenge response for Domain: [domain name]
2018-12-13 21:09:14.491 +08:00 [INF] Domain validation completed: [domain name]
2018-12-13 21:09:14.491 +08:00 [INF] DNS: Deleting TXT Record ‘_acme-challenge.[domain name]’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’

<its not calling my delete script>

2018-12-13 21:09:15.741 +08:00 [INF] Attempting Challenge Response Validation for Domain: www.[domain name]
2018-12-13 21:09:15.741 +08:00 [INF] Registering and Validating www.[domain name]
2018-12-13 21:09:15.741 +08:00 [INF] Checking automated challenge response for Domain: www.[domain name]
2018-12-13 21:09:19.341 +08:00 [INF] Domain validation completed: www.[domain name]
2018-12-13 21:09:19.341 +08:00 [INF] DNS: Deleting TXT Record ‘_acme-challenge.www.[domain name]’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’

<its not calling my delete script>

2018-12-13 21:09:20.556 +08:00 [INF] Requesting Certificate via Let’s Encrypt
2018-12-13 21:09:27.478 +08:00 [INF] Completed Certificate Request.
2018-12-13 21:09:27.517 +08:00 [INF] Performing Automated Certificate Binding
2018-12-13 21:09:28.617 +08:00 [INF] Completed certificate request and automated bindings update (IIS)
2018-12-13 21:09:29.612 +08:00 [INF] Request completed

I’ve noticed that the delete script is not being called. Is this a bug?

Peter.


#4

Hi Peter,
That could be a bug, however in my own tests it’s working fine as long as the path to the script files is correct. What makes you think it’s not calling the delete script? I assume the commented out log says that it is. The method used to call the create script and the delete script are the same.


#5

Hi hi,

thanks again for replying. Below is my log file as an image; the entire log file is filled with URLs and the forum app doesn’t allow me to exceed 2 links :anguished:

As you can see, my script spews out a lot of debugging info which gets recorded into your log. The log has recorded the create debug info, but NOT the delete info. That’s what makes me think that the delete script is not being called.


#6

My bat files are located in “C:\Program Files\CertifyTheWeb\Scripts\Common”


#7

And my configuration is as below


#8

Thanks, that is weird. Note also that updating the app may delete all those files as part of the install so it’s not a safe place to keep them.


#9

So… do you reckon this is a bug? Or is there something wrong with my script?

BTW, my script is made up of 2 parts: the 2 .bat files and an .exe file. Where would you recommend placing the 2 files so that they don’t get deleted during the upgrade process?


#10

On the PowerShell thing, I just wrote a small bat file to forward to a PowerShell script. You can set echo to meet your needs, but this allows easy use of PowerShell instead of the more limited command line without much fuss.

@echo off
REM Certify passes its arguments to the script; %1 is the zone and %3 the record value
REM (see https://docs.certifytheweb.com/docs/dns-validation.html for the full argument order)
set zone=%1
set value=%3
REM -File hands the arguments to the script directly, so no escaped quotes are needed as with -command
powershell -NoProfile -ExecutionPolicy Bypass -File "d:\certifyscript\dnsupdate.ps1" -zone "%zone%" -value "%value%"

#11

Likewise you could use Node or Python etc., so there are lots of options. Note that when your script runs it will launch as the local SYSTEM account, not your user account.


#12

And if you need it to run as something other than Local System, you’ll need to alter the service user of the Certify service.
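Because the script is launched as LOCAL SYSTEM, wherever it is relocated to (the Program Files folder being wiped on update, as noted above), only administrators should be able to modify the script file and its folder; otherwise any local user who can overwrite the script gets code run as SYSTEM at the next renewal. The following PowerShell check is an added example, not part of this thread or of Certify; the script path is an assumed example location.

```powershell
# Added example (not from the thread or the Certify project): report whether low-privilege
# identities hold write rights on a custom DNS script or its folder. Certify runs the
# script as LOCAL SYSTEM, so such rights would let those users run code as SYSTEM.
param(
    [string]$ScriptPath = 'C:\ProgramData\CertifyScripts\dns-create.bat'  # assumed path
)

# Identities that should never be able to change a SYSTEM-executed script.
$lowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing the file, or deleting/replacing it inside its folder.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-WeakAclEntries {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check both the script itself and the folder it lives in (a writable folder lets the
# file be deleted and re-created even when the file's own ACL is tight).
$targets  = @($ScriptPath, (Split-Path -Parent $ScriptPath))
$findings = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Get-WeakAclEntries -Path $t }
}

if ($findings) {
    Write-Warning 'Low-privilege accounts can modify a script that Certify runs as SYSTEM:'
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "OK: only privileged accounts can modify $ScriptPath and its folder."
```

Run it from an elevated PowerShell prompt against each of the create and delete scripts after moving them out of the Certify install folder; a non-zero exit means the ACL needs tightening before the scripts are pointed at from the managed certificate.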


#13

Hi,

I’m aware that there are many options for creating the scripts, and I’ve created mine as a .NET console app called from a pair of .bat files. Thank you for suggesting the other options, but I’m sticking to my solution - please don’t ask me to change to another solution; it doesn’t help at all.

I’ve tested the batch files and ran them from cmd. Both ran correctly. I’ve also manually triggered the delete .bat file using data that was spewed out by the create script. It ran correctly. On both occasions, I triggered the .bat files after doing a cd command to the Scripts\Common folder.

The above test seems to tell me that my delete script is not called by Certify. The log seems to support this.

What is your evaluation of the situation?


#14

I am experiencing the same issue. I have two .bat files. The create is executed, the delete never is. It says it’s called, but it’s definitely not being run. When it calls the create script the log looks like this:

2019-02-08 11:01:00.854 -05:00 [INF] DNS: Creating TXT Record ‘_acme-challenge.’ with value ‘qhylJ7kdQfGjK3718cExvJii3Jcj9mDPIzjxSg22vjg’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’
2019-02-08 11:01:02.078 -05:00 [INF] DNS: (Use Custom Script) ::
C:\Program Files\CertifyTheWeb>REM See https://docs.certifytheweb.com/docs/dns-validation.html for argument order and values

and then the lines from the script and the output it gets back.

However, when it comes time to delete, it looks like this: there is no detail on the script being run and the TXT record does not get deleted. The script works fine when run manually.

2019-02-08 11:02:03.940 -05:00 [INF] Domain validation completed:
2019-02-08 11:02:03.940 -05:00 [INF] DNS: Deleting TXT Record ‘_acme-challenge.’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’
2019-02-08 11:02:05.295 -05:00 [INF] Requesting Certificate via Let’s Encrypt
2019-02-08 11:02:09.115 -05:00 [INF] Completed Certificate Request.
2019-02-08 11:02:09.152 -05:00 [INF] Performing Automated Certificate Binding
2019-02-08 11:02:10.238 -05:00 [INF] Completed certificate request and automated bindings update (IIS)
2019-02-08 11:02:11.733 -05:00 [INF] Request completed

It’s like it just chooses not to run. My scripts are both .bat files in the same directory.


#15

Hi, the reason you don’t get log items is that we fire the delete script async and don’t wait for it (as it can take a long time for some providers like AWS etc. to actually confirm completion). You can however log to your own file.

I can confirm that if you use the example scripts (C:\Program Files\CertifyTheWeb\Scripts\DNS) and adjust them to log to a known folder, they do indeed get executed.
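Since the delete script is fired asynchronously and nothing it prints reaches the Certify log, the only reliable evidence that it ran is a log file the script writes itself. The PowerShell script below is an added example, not from this thread or the Certify project, of the kind of target the forwarding .bat files above can call: it appends every invocation to its own log, runs the provider update through an external tool (the console app approach used in the thread; the tool path and its argument order are assumptions), and polls the zone's authoritative name servers until the TXT record has appeared or disappeared. The create .bat would call it as `powershell -NoProfile -ExecutionPolicy Bypass -File "C:\ProgramData\CertifyScripts\dnsupdate.ps1" -Action create -Zone "%1" -Record "%2" -Value "%3"` (assuming %2 is the record name), and the delete .bat the same with `-Action delete`.

```powershell
# Added example (not from the thread or the Certify project): wrapper invoked by the
# create/delete .bat files. Logs to its own file so an async delete leaves a record,
# runs the provider update through an external tool, then verifies the change in DNS.
param(
    [Parameter(Mandatory)][ValidateSet('create', 'delete')][string]$Action,
    [Parameter(Mandatory)][string]$Zone,      # e.g. example.com (constructed sample)
    [Parameter(Mandatory)][string]$Record,    # e.g. _acme-challenge.example.com
    [Parameter(Mandatory)][string]$Value,     # the ACME challenge token
    [string]$ProviderExe = 'C:\ProgramData\CertifyScripts\dnsupdate.exe',  # assumed tool path
    [string]$LogFile     = 'C:\ProgramData\CertifyScripts\dns-script.log', # assumed log path
    [int]$TimeoutSeconds = 120
)

# Append a timestamped line; $env:USERNAME shows which account actually ran the script
# (it reads as COMPUTERNAME$ when launched as LOCAL SYSTEM by the Certify service).
function Write-ScriptLog {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2} {3}' -f (Get-Date), $env:USERNAME, $Action.ToUpper(), $Message
    Add-Content -LiteralPath $LogFile -Value $line
}

# Query one of the zone's own name servers, bypassing the local resolver cache, and
# report whether a TXT record with exactly this value is present.
function Test-TxtRecordPresent {
    param([string]$Zone, [string]$Record, [string]$Value)
    $ns  = (Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop | Where-Object { $_.NameHost }).NameHost
    $txt = Resolve-DnsName -Name $Record -Type TXT -Server ($ns | Select-Object -First 1) -DnsOnly -ErrorAction SilentlyContinue
    return [bool]($txt | Where-Object { $_.Strings -contains $Value })
}

try {
    Write-ScriptLog "start record=$Record zone=$Zone"

    # Provider update via the external tool; assumed argument order: action zone record value.
    & $ProviderExe $Action $Zone $Record $Value 2>&1 | ForEach-Object { Write-ScriptLog "tool: $_" }
    if ($LASTEXITCODE -ne 0) { throw "provider tool exited with code $LASTEXITCODE" }

    # Poll until the authoritative servers reflect the change: a create should not return
    # before the record is visible, and a delete is only confirmed once it is gone.
    $deadline    = (Get-Date).AddSeconds($TimeoutSeconds)
    $wantPresent = ($Action -eq 'create')
    do {
        $present = Test-TxtRecordPresent -Zone $Zone -Record $Record -Value $Value
        if ($present -eq $wantPresent) { break }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)

    if ($present -ne $wantPresent) { throw "DNS did not reflect $Action within $TimeoutSeconds s" }
    Write-ScriptLog "done record=$Record present=$present"
    exit 0
}
catch {
    Write-ScriptLog "error: $($_.Exception.Message)"
    exit 1
}
```

The log folder must be writable by the account the Certify service runs as (LOCAL SYSTEM by default), and a successful run of the delete leg shows up as a DELETE ... done line in that file even though the Certify log stops at the "Deleting TXT Record" entry.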