Starting Over from Scratch with Certificates--Step By Step Help Needed

At the moment basspig.com isn’t bound to any certificate. I installed a certificate on ampexperts.com as that’s my income earning site, first.

Definitely the router and ISP connection are working, as those pages can be served over http only.

I’m noticing that when I access my site with an android tablet, the tablet is prompting me to choose a certificate (as if the web site is asking the user to present a certificate that such user has the credentials to access the website!)

I looked into Windows Server a couple of years ago when I was struggling with the issue of only having SSL cert on one of my eight sites, but the cost of the subscription was something only corporations could afford.

I had heard there is a way to get one cert to cover all the websites, forgot what it was called… I knew this maybe 5-6 years ago… I did try making a cert that contained all 8 sites. Maybe that is causing the problem?

I’m on pretty much a zero budget. Can barely afford to keep paying for domain names as it is! I just want to get back to where I was 4 days ago, with 8 working websites.

Sure thing. I’ve thankfully graduated from the zero budget days but I remember it well.

The issue with being prompted for a client certificate is probably that client certificates have been switched on somewhere (i.e. the visitor to your website is expected to present their own certificate to authenticate themselves. Not usually what you want).

Ensure your SSL Settings option in IIS looks like this (for all sites):
[screenshot]

1 Like

Regarding having one cert to cover all sites, you can do it - you would manually add the domains to one managed certificate then just let the app automatically add/update https bindings based on the IIS bindings you already have matching the hostname from the certificate. This would work by default if all of your websites are already set up with http (hostname) bindings and responding on http. However, it doesn’t have much advantage and if one website goes down then the whole certificate would fail to renew due to the one website not responding or resolving etc.

The (free) community edition of Certify The Web will start to nag you about registration after the first couple of managed certificates but it currently allows 10 managed certificates on the free version, you just have to ignore the nag screen. Each managed certificate can cover up to 100 domains.

1 Like

The SSL Settings you snapshotted above was it! I did not realize that was affecting this if the checkbox was unchecked! I set to ignore and now the site is up.
I think I’ll stick with individual certs. Does that nag screen stop or interfere with automatic renewals? Sometimes the server runs unattended for up to a year or more, especially if I’m overseas. I can’t have it stop updating because of a need to click through a nag screen.

Well this solves one major problem out of dozens of smaller ones. I still need to get PHP working, find out why Web Platform Installer fails, and find out why Windows Image Backup always fails with a “not enough space” error on even an 8TB backup drive. That last one’s a priority because if I can’t image the drive and something goes wrong, I’ve lost four days of work setting this all up.

I’ve made some progress, in that I can generate certificates now through the NameCheap DNS thanks to enabling that feature at NameCheap that you mentioned.

However, I’m running into a new problem: when I add a certificate to another site, the last site I made secure becomes unsecure and browsing to it I get a warning that attackers may be trying to steal my information. When I look into it further, I see something about ampexperts.com is using basspig.com certificate. But I had made sure that ampexperts bindings were to the ampexperts certificate. Also when I added the next certificate, I got a warning that “at least one other site is using the same HTTPS binding” and that something would be overwritten.
One of the reasons I upgraded to Win 10 was so that I could take advantage of the ability to have more than one secure site. I seem to be doing something wrong here.

  • The nag about license will not interfere with renewals. All the managed certificates you have added will renew automatically as long as it knows which bindings to update. You can see which bindings it will update at the bottom of the Preview tab page.
  • For your bindings, you’re doing something odd possibly because you think it’s required. Don’t set up https bindings yourself, let the app do it for you. Remove any https bindings you have manually created (all sites), ensure each site has a normal http (port 80) binding with the hostname set and then use the app to Request Certificate for each site.

In all cases you can review the Preview tab to see which bindings will be updated (bindings are different to the domains on your certificate, you could have 2 domains on your certificate but the app can’t find any bindings to update due to no hostname set, therefore no https bindings will be added).

Here is an example preview for binding updates:
[screenshot]

1 Like

It’s ultra important that all https bindings in IIS use SNI (with hostname set) and do not have a specific IP address binding (use All Unassigned), otherwise that binding will steal the https certificate settings for all other sites sharing that IP. There are ways to work without SNI and use IP specific bindings, but only if you really understand that stuff and know why you’re doing it.

Apparently, I needed to check the box “require server name identification” to allow more than one cert.

However, I do get a warning that I need to configure a default SSL server for browsers that don’t support SNI. I don’t know how to do that.

Finally, if I enter the fully qualified name with “www” in front, it loads. If I just type basspig (dot) com, the error “you don’t have permission to view this directory or page” occurs. How do I fix that?

Yes, Server Name Indication is the SNI I was referring to - try not to set up the https bindings yourself if you can avoid it and let the app do it for you instead. That way you can be sure that renewals will also update the correct bindings.

Ignore the IIS warning about creating a default SSL - that’s legacy stuff and it’s mostly irrelevant nowadays, enabling it will likely result in binding SSL conflicts. It dates back to the days before SNI where you basically needed your server to have multiple IP addresses in order to have multiple certificates.

You need a hostname binding in IIS (and a domain on your certificate) for every combination of website name. www.basspig.com is one hostname (a.k.a “subdomain” or subject alternative name), basspig.com is another and they both need to have bindings in IIS. You also need both of these names on your certificate.

1 Like
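The binding rules from the replies above (SNI with a hostname, All Unassigned rather than a specific IP, and a hostname binding for both the apex name and its www form) can be checked in one pass. This is an added audit script, not code from Certify The Web or IIS; it assumes the WebAdministration module that ships with IIS, and reads only what IIS already exposes.

```powershell
# Added audit script (not part of Certify The Web or IIS): lists every site's
# bindings and flags the https configurations this thread warns about.
Import-Module WebAdministration

function Test-IisHttpsBindings {
    $findings = @()
    foreach ($site in Get-Website) {
        $httpHosts = @()
        foreach ($b in Get-WebBinding -Name $site.Name) {
            # bindingInformation is "IP:port:hostname"; '*' means All Unassigned.
            # The greedy first group keeps bracketed IPv6 addresses intact.
            if ($b.bindingInformation -notmatch '^(.*):(\d+):(.*)$') { continue }
            $ip = $Matches[1]; $port = $Matches[2]; $hostHeader = $Matches[3]
            if ($b.protocol -eq 'http' -and $hostHeader) { $httpHosts += $hostHeader }
            if ($b.protocol -ne 'https') { continue }
            $sni = ([int]$b.sslFlags -band 1) -eq 1   # sslFlags bit 0 = Require SNI
            if (-not $hostHeader) {
                $findings += "[$($site.Name)] https ${ip}:${port} has no hostname, so it answers for every name on that IP"
            } elseif (-not $sni) {
                $findings += "[$($site.Name)] https $hostHeader lacks Require Server Name Indication"
            }
            if ($ip -ne '*') {
                $findings += "[$($site.Name)] https $hostHeader is bound to IP $ip instead of All Unassigned"
            }
        }
        # example.com and www.example.com are separate hostnames; both need a binding.
        foreach ($h in $httpHosts) {
            $labels = ($h -split '\.').Count
            if ($h -like 'www.*' -and $labels -eq 3) { $pair = $h.Substring(4) }
            elseif ($labels -eq 2)                   { $pair = "www.$h" }
            else                                     { continue }
            if ($httpHosts -notcontains $pair) {
                $findings += "[$($site.Name)] has an http binding for $h but none for $pair"
            }
        }
    }
    return $findings
}

$issues = Test-IisHttpsBindings
if ($issues.Count -eq 0) { 'No binding problems found.' } else { $issues }
```

Run it in an elevated PowerShell on the web server after the app has created the https bindings; an empty result means the bindings match what the replies describe.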

Thank you. Adding “basspig(dot)com” for both http and https fixed the problem. Fortunately, I was mindful to create both URLs for each certificate.

1 Like

Cool, after a couple of months check to ensure the certificates are renewing ok and the https bindings are being updated with the latest cert, after that it’s all good.

1 Like

Yup, that’s always the thing… long term reliability. My old server had been tweaked to the point where it was totally fault tolerant (excepting power surge), so I didn’t have to touch it for several years and it just ran and ran.
Hopefully this new one will be as reliable. I’ll keep an eye on the certs.
Does this program need to be running, or is there a service installed that does the renewal in the background? Need to know if I should put the interface in the startup boot menu or not…

CTW has a service that always runs in the background. You only need to run the UI to configure things and to check up on how things are. There’s no requirement to run the UI on a regular basis. But it’s a good way to find out about program updates, etc.

2 Likes


As I feared, here it is about 3 months later and I get a dreaded e-mail stating that my renewals are failing.

When I first set this up anew in November, the “test” button produced successful results. Now it fails with a “failed to create DNS record” and something about that my domain is not managed by this account. Why did this break?

Details:

Certify SSL Manager - Renewal Failure Notice - ampexperts [www.ampexperts.com]

The SSL Certificate renewal has failed 9 times for the managed site ampexperts [www.ampexperts.com] on server AAM-SERVER. Please either check the configuration of this site or if you no longer require this certificate you can disable Auto Renew for this in the Certify SSL Manager app, on your web server.

“NameCheap DNS API (Deprecated) :: Failed to create DNS record _acme-challenge-test.www.ampexperts.com: Domain www.ampexperts.com is not managed by this account!”

I think I found the problem. Although dynamic DNS updates the A records, it doesn’t update the API access at my domain provider. My IP address changed this week after an overnight outage. I tried adding the new IP to the whitelist at my DNS’s API page and that seems to have corrected the problem.

EDIT: It looks like I spoke too soon. Two domains are still kicking back an error.

2022-02-24 10:18:11.606 -05:00 [ERR] DNS update failed: NameCheap DNS API :: Failed to create DNS record _acme-challenge.www.ampexperts.com: Domain www.ampexperts.com is not managed by this account!
2022-02-24 10:18:11.606 -05:00 [INF] Requesting Validation: www.ampexperts.com
2022-02-24 10:18:11.606 -05:00 [INF] Attempting Domain Validation: ampexperts.com
2022-02-24 10:18:11.606 -05:00 [INF] Registering and Validating ampexperts.com 
2022-02-24 10:18:11.606 -05:00 [INF] Preparing automated challenge responses (ampexperts.com)
2022-02-24 10:18:11.606 -05:00 [INF] DNS: Creating TXT Record '_acme-challenge.ampexperts.com' with value 'jKTyfBGuNa689psTj_PE1oXn4N5EeIfRB3VZGOpN80Y', in Zone Id '' using API provider 'NameCheap DNS API'
2022-02-24 10:18:11.840 -05:00 [ERR] Failed to get a batch of domain zones.
System.Exception: NameCheap API method https://api.namecheap.com/xml.response?Page=1&PageSize=100&SortBy=NAME&ApiUser=Basspig&ApiKey=[REDACTED]&UserName=Basspig&Command=namecheap.domains.getList&ClientIp=24.151.102.80 returned an error status 'ERROR':
<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="ERROR" xmlns="http://api.namecheap.com/xml.response">
  <Errors>
    <Error Number="1011150">Invalid request IP: 68.114.83.217</Error>
  </Errors>
  <Warnings />
  <RequestedCommand />
  <Server>PHX01APIEXT11</Server>
  <GMTTimeDifference>--5:00</GMTTimeDifference>
  <ExecutionTime>0</ExecutionTime>
</ApiResponse>
   at Certify.Providers.DNS.NameCheap.DnsProviderNameCheap.<InvokeApiAsync>d__40.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Providers.DNS.NameCheap.DnsProviderNameCheap.<InvokeGetApiAsync>d__39.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Providers.DNS.NameCheap.DnsProviderNameCheap.<GetZonesBatchAsync>d__36.MoveNext()
2022-02-24 10:18:11.840 -05:00 [ERR] DNS update failed: NameCheap DNS API :: Failed to create DNS record _acme-challenge.ampexperts.com: Domain ampexperts.com is not managed by this account!
2022-02-24 10:18:11.840 -05:00 [INF] Requesting Validation: ampexperts.com
2022-02-24 10:18:11.840 -05:00 [INF] NameCheap DNS API :: Failed to create DNS record _acme-challenge.ampexperts.com: Domain ampexperts.com is not managed by this account!
2022-02-24 10:18:12.090 -05:00 [INF] NameCheap DNS API :: Failed to create DNS record _acme-challenge.ampexperts.com: Domain ampexperts.com is not managed by this account!
2022-02-24 10:18:12.090 -05:00 [INF] NameCheap DNS API :: Failed to create DNS record _acme-challenge.ampexperts.com: Domain ampexperts.com is not managed by this account!
2022-02-24 11:18:08.963 -05:00 [INF] Previous renewals failed: 12. Renewal will be attempted within 48hrs.
2022-02-24 12:18:08.962 -05:00 [INF] Previous renewals failed: 12. Renewal will be attempted within 48hrs.
2022-02-24 13:18:08.974 -05:00 [INF] Previous renewals failed: 12. Renewal will be attempted within 48hrs.
2022-02-24 13:54:30.617 -05:00 [INF] Previous renewals failed: 12. Renewal will be attempted within 48hrs.
2022-02-24 13:57:08.693 -05:00 [INF] One or more tests failed
2022-02-24 13:59:53.809 -05:00 [INF] One or more tests failed
2022-02-24 14:13:24.229 -05:00 [INF] One or more tests failed
2022-02-24 14:48:26.459 -05:00 [INF] Previous renewals failed: 12. Renewal will be attempted within 48hrs.
2022-02-24 14:52:20.169 -05:00 [INF] All Tests Completed OK
2022-02-24 14:52:28.626 -05:00 [INF] Previous renewals failed: 12. Renewal will be attempted within 48hrs.
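The log above shows the real cause buried under the "not managed by this account" message: the NameCheap ApiResponse error 1011150 names the IP it rejected, and that IP differs from the ClientIp the request carried. This added diagnostic (not part of Certify The Web) parses such a response and surfaces that mismatch; the request URL and XML below are constructed samples modelled on the thread's log, with documentation addresses and no API key.

```powershell
# Added diagnostic (not part of Certify The Web): read a NameCheap ApiResponse
# and compare the IP it rejected with the ClientIp the request claimed.
function Get-NameCheapApiError {
    param([string]$RequestUrl, [string]$ResponseXml)
    [xml]$doc = $ResponseXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('nc', 'http://api.namecheap.com/xml.response')
    $result = [ordered]@{ Status = $doc.ApiResponse.Status; Errors = @() }
    foreach ($e in $doc.SelectNodes('//nc:Errors/nc:Error', $ns)) {
        $entry = [ordered]@{ Number = $e.Number; Message = $e.InnerText; RejectedIp = $null; ClaimedIp = $null }
        # Error 1011150 carries the source IP NameCheap actually saw
        if ($e.InnerText -match 'Invalid request IP:\s*(\d{1,3}(?:\.\d{1,3}){3})') {
            $entry.RejectedIp = $Matches[1]
            if ($RequestUrl -match '[?&]ClientIp=([^&]+)') { $entry.ClaimedIp = $Matches[1] }
        }
        $result.Errors += [pscustomobject]$entry
    }
    return [pscustomobject]$result
}

# Constructed sample: shape of the thread's log, RFC 5737 addresses, key removed.
$sampleUrl = 'https://api.namecheap.com/xml.response?Command=namecheap.domains.getList&ApiUser=example&ApiKey=REDACTED&ClientIp=203.0.113.10'
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="ERROR" xmlns="http://api.namecheap.com/xml.response">
  <Errors><Error Number="1011150">Invalid request IP: 198.51.100.7</Error></Errors>
</ApiResponse>
'@

$r = Get-NameCheapApiError -RequestUrl $sampleUrl -ResponseXml $sampleXml
foreach ($err in $r.Errors) {
    if ($err.RejectedIp -and $err.RejectedIp -ne $err.ClaimedIp) {
        "Error $($err.Number): NameCheap saw $($err.RejectedIp) but the request claimed $($err.ClaimedIp); the API whitelist needs the IP NameCheap saw."
    } else {
        "Error $($err.Number): $($err.Message)"
    }
}
```

Point it at the URL and XML from your own renewal log to see which address actually needs whitelisting after an ISP address change.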

Ok, I don’t understand why you’re posting this problem here though? If you’ve whitelisted your server IP at namecheap and it’s not working then you need to contact Namecheap no?

Because I don’t know what I’m doing. Apparently, the error persisted until Certify The Web re-applied for the certs for those sites. I checked it today and all certs are green status. Apparently, when your IP address changes, it can take up to 48 hours for Certify to stop erroring out.

1 Like

Cool, it’s NameCheap that’s erroring, certify is just reporting the error to you.

Yeah, my ISP’s IP address changed after an internet outage last week. That’s what caused all of this, apparently. It takes hours or days to propagate the new IP. I didn’t know that. At any rate, after updating the API at Namecheap, eventually, Certify The Web stopped producing errors. It was a delayed fix, which made me think there was a problem when there was not.

1 Like