Some feedback and questions


#1

Hi folks,

Congrats on creating an awesome piece of software. It has made my life a lot less stressful.

First off, some feedback that I’d like you to consider putting in as features of Certify.

  1. From this article, Delete old certificate on successful renewal, I understand that old certs are deleted 1 month after successful renewal. Can I suggest that you give the user a choice of when to delete the old certs? They can choose to delete immediately or up to 1 month from renewal.

  2. I look forward to having NameCheap included in the dns-01 as a built in registrar. However, until then, we still need to write scripts for it. Please consider enabling .ps1 as a script instead of just having .bat? Perhaps also allow to pass more than just the 3 standard command-line arguments to the script.

  3. Again for custom dns-01 scripts, please consider making it into a “plug in” type of environment. This way, we can create our own dlls and quickly integrate them into your system.

Some questions

  1. In https://certifytheweb.com/register, you had mentioned “free for a limited number of managed certificates per server”, what is this limited number?

  2. I have more questions… but I can’t remember… ;(

Cheers,
Peter.


#2

Hi Peter,

Thanks, I’m glad it’s working out well for you!

  1. The new beta version (link on the https://certifytheweb.com site) just released has a new set of certificate cleanup modes, these are currently global. The Full Cleanup option will regularly remove all [Certify] certs not currently referenced by managed certificates.
  2 & 3. The absolute best way to get a provider added is to develop the provider yourself as you suggest. Several of our API providers were contributed this way. You can see the other examples here: https://github.com/webprofusion/certify/tree/development/src/Certify.Providers/DNS - the priority though will probably be to focus on finding an alternative to using DNS APIs altogether and instead provide a managed CNAME redirection service (so you do a one-time DNS CNAME record creation and we manage that through our API via a dedicated DNS zone in AWS etc.)

Regarding the limited number of managed certs, it was 5 and it’s currently 10 as an experiment. In the future I’d like to remove the limit altogether but we’ll see how it goes with 10. The vast majority of people using the app use the free version, but the vast majority are also businesses who want something reliable and maintained. It’s an interesting challenge!


#3

Hi hi… thanks for replying.

I remembered what my other question was.

I’ve developed a namecheap script that is now running somewhat smoothly, although it is still far from production quality. Below is the log from one of my cert requests.

2018-12-13 21:07:51.525 +08:00 [INF] Certify/4.0.12.0 (Windows; Microsoft Windows NT 6.2.9200.0)
2018-12-13 21:07:51.525 +08:00 [INF] Beginning Certificate Request Process: [domain name] using ACME Provider:Certes

2018-12-13 21:08:07.064 +08:00 [INF] Performing automated challenge responses ([domain name])
2018-12-13 21:08:07.065 +08:00 [INF] DNS: Creating TXT Record ‘_acme-challenge.[domain name]’ with value ‘9z9AiHNVZO7iSMY-_clLEMU-s6ZnEKX-ooDkAJxnLLY’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’
2018-12-13 21:08:09.623 +08:00 [INF] DNS: (Use Custom Script)

<create script called here for _acme-challenge.[domain name]>

2018-12-13 21:08:09.623 +08:00 [INF] Requesting Validation from Let’s Encrypt: [domain name]
2018-12-13 21:08:09.623 +08:00 [INF] Attempting Domain Validation: www.[domain name]
2018-12-13 21:08:09.623 +08:00 [INF] Registering and Validating www.[domain name]
2018-12-13 21:08:09.623 +08:00 [INF] Performing automated challenge responses (www.[domain name])
2018-12-13 21:08:09.623 +08:00 [INF] DNS: Creating TXT Record ‘_acme-challenge.www.[domain name]’ with value ‘HP2SLP2XtCg_z9Goj9ZNgqt8n05ZlK2wo0SYjusFl5Y’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’
2018-12-13 21:08:11.327 +08:00 [INF] DNS: (Use Custom Script)

<create script called here for _acme-challenge.www.[domain name]>

2018-12-13 21:08:11.328 +08:00 [INF] Requesting Validation from Let’s Encrypt: www.[domain name]
2018-12-13 21:09:11.569 +08:00 [INF] Attempting Challenge Response Validation for Domain: [domain name]
2018-12-13 21:09:11.569 +08:00 [INF] Registering and Validating [domain name]
2018-12-13 21:09:11.569 +08:00 [INF] Checking automated challenge response for Domain: [domain name]
2018-12-13 21:09:14.491 +08:00 [INF] Domain validation completed: [domain name]
2018-12-13 21:09:14.491 +08:00 [INF] DNS: Deleting TXT Record ‘_acme-challenge.[domain name]’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’

<its not calling my delete script>

2018-12-13 21:09:15.741 +08:00 [INF] Attempting Challenge Response Validation for Domain: www.[domain name]
2018-12-13 21:09:15.741 +08:00 [INF] Registering and Validating www.[domain name]
2018-12-13 21:09:15.741 +08:00 [INF] Checking automated challenge response for Domain: www.[domain name]
2018-12-13 21:09:19.341 +08:00 [INF] Domain validation completed: www.[domain name]
2018-12-13 21:09:19.341 +08:00 [INF] DNS: Deleting TXT Record ‘_acme-challenge.www.[domain name]’, in Zone Id ‘’ using API provider ‘(Use Custom Script)’

<its not calling my delete script>

2018-12-13 21:09:20.556 +08:00 [INF] Requesting Certificate via Let’s Encrypt
2018-12-13 21:09:27.478 +08:00 [INF] Completed Certificate Request.
2018-12-13 21:09:27.517 +08:00 [INF] Performing Automated Certificate Binding
2018-12-13 21:09:28.617 +08:00 [INF] Completed certificate request and automated bindings update (IIS)
2018-12-13 21:09:29.612 +08:00 [INF] Request completed

I’ve noticed that the delete script is not being called. Is this a bug?

Peter.


#4

Hi Peter,
That could be a bug, however in my own tests it’s working fine as long as the path to the script files is correct. What makes you think it’s not calling the delete script? I assume the commented out log says that it is. The method used to call the create script and the delete script is the same.


#5

Hi hi,

thanks again for replying. Below is my log file as an image - the entire log file is filled with urls and the forum app doesn’t allow me to exceed 2 links :anguished:

As you can see, my script spews out a lot of debugging info which gets recorded into your log. The log has recorded the create debug info, but NOT the delete info. That’s what makes me think that the delete script is not being called.


#6

My bat files are located in “C:\Program Files\CertifyTheWeb\Scripts\Common”


#7

And my configuration is as below


#8

Thanks, that is weird. Note also that updating the app may delete all those files as part of the install so it’s not a safe place to keep them.


#9

So… do you reckon this is a bug? Or is there something wrong with my script?

btw, my script is made up of 2 parts - the 2 .bat files and an .exe file. Where would you recommend to place the 2 files so that they don’t get deleted during upgrade process?


#10

On the powershell thing, I just wrote a small bat file to forward to a powershell script. You can set echo to meet your needs, but this allows easy use of powershell instead of more limited command line without much fuss.

@echo off
rem Certify passes its standard arguments positionally; this wrapper treats the 1st as the zone and the 3rd as the TXT record value.
set zone=%1
set value=%3
rem Hand the work to the PowerShell script, quoting both values so that spaces and empty strings survive the hop.
powershell -command "d:\certifyscript\dnsupdate.ps1 -zone \"%zone%\" -value \"%value%\""

#11

Likewise you could use node or python etc, so there are lots of options. Note that when your script runs it will launch as the local SYSTEM account, not your user account.


#12

And if you need it to run as something other than Local System, you’ll need to alter the service user of the Certify service.
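Putting the .bat-to-PowerShell wrapper idea from #10 together with the SYSTEM-account note from #11 and the install-folder warning from #8, here is an added example (not Certify’s code and not the poster’s script) of a dnsupdate.ps1 that writes every invocation, with action, arguments and the calling account, to its own log outside the Certify install folder, so whether the delete hook fires can be checked without relying on what Certify echoes. It assumes the .bat wrapper is extended to forward all three arguments plus an -action flag, and it uses the Windows DNS Server cmdlets as a stand-in backend instead of the NameCheap API.

```powershell
# dnsupdate.ps1 -- added example; not the poster's script and not Certify's own code.
# Assumed wrapper call (extends the .bat in post #10 to forward all three arguments):
#   powershell -File dnsupdate.ps1 -action create -zone "%1" -name "%2" -value "%3"
# Backend assumption: the zone lives on a Windows DNS Server reachable from this host
# (DnsServer module), standing in for the NameCheap API so the record change is real.
param(
    [ValidateSet("create", "delete")][string]$action = "create",
    [Parameter(Mandatory)][string]$zone,
    [Parameter(Mandatory)][string]$name,
    [Parameter(Mandatory)][string]$value,
    [string]$LogPath = "C:\ProgramData\CertifyScripts\dnsupdate.log"   # kept out of the Certify install folder (post #8)
)
$ErrorActionPreference = "Stop"

function Write-Audit([string]$Message) {
    # The evidence this thread is after: was the script invoked, when, as which account, for which action.
    $who  = [Security.Principal.WindowsIdentity]::GetCurrent().Name      # expected NT AUTHORITY\SYSTEM (post #11)
    $line = "{0:yyyy-MM-dd HH:mm:ss.fff} [{1}] action={2} zone={3} name={4} {5}" -f (Get-Date), $who, $action, $zone, $name, $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Output $line                                                    # stdout also ends up in Certify's own log
}

# A dns-01 challenge value is base64url(SHA-256(...)): exactly 43 URL-safe characters. Reject anything else
# before it is handed to a DNS API running with SYSTEM privileges.
if ($value -notmatch '^[A-Za-z0-9_-]{43}$') { Write-Audit "rejected: value is not an ACME challenge token"; exit 2 }

# Certify logs the record as an FQDN (e.g. _acme-challenge.www.example.com); DNS Server wants it relative to the zone.
$relative = $name -replace "\.$([regex]::Escape($zone))\.?$", ""

Write-Audit "invoked"
try {
    switch ($action) {
        "create" { Add-DnsServerResourceRecord -ZoneName $zone -Name $relative -Txt -DescriptiveText $value -TimeToLive (New-TimeSpan -Seconds 60) }
        "delete" { Remove-DnsServerResourceRecord -ZoneName $zone -Name $relative -RRType "Txt" -RecordData $value -Force }
    }
    Write-Audit "completed"
    exit 0
} catch {
    Write-Audit "FAILED: $($_.Exception.Message)"
    exit 1
}
```

If the audit file shows “action=create … invoked” lines but never an “action=delete” line after a renewal, the delete hook was not run; if it shows both, the problem is inside the delete path itself.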


#13

Hi,

I’m aware that there are many options for creating the scripts, and I’ve created mine as a .NET console app called from a pair of .bat files. Thank you for suggesting the other options, but I’m sticking to my solution - please don’t ask me to change to another solution; it doesn’t help at all.

I’ve tested the batch files and ran them from the cmd. Both ran correctly. I’ve also manually triggered the delete .bat file using data that was spewed out by the create script. It ran correctly. On both occasions, I have triggered the .bat files after doing a cd command to the Scripts\Common folder.

The above test seems to tell me that my delete script is not called by Certify. The log seems to support this.

What is your evaluation of the situation?