Unable to renew cert

Overnight suddenly getting the below error.

2021-12-06 22:39:32.835 -08:00 [INF] ---- Beginning Request [WebScan] ----
2021-12-06 22:39:32.835 -08:00 [INF] Certify/5.4.3.0 (Windows; Microsoft Windows NT 10.0.19042.0)
2021-12-06 22:39:32.850 -08:00 [INF] Beginning Certificate Request Process: WebScan using ACME Provider:Certes
2021-12-06 22:39:32.850 -08:00 [INF] Requested identifiers to include on certificate: webscan.csitgroup.com
2021-12-06 22:39:32.850 -08:00 [INF] Beginning certificate order for requested domains
2021-12-06 22:39:33.690 -08:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2021-12-06 22:39:34.334 -08:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/130011098/45369486670
2021-12-06 22:39:35.058 -08:00 [INF] Fetching Authorizations.
2021-12-06 22:39:35.571 -08:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/47418557170/UcGjvA
2021-12-06 22:39:35.696 -08:00 [INF] Order authorizations already completed.
2021-12-06 22:39:35.696 -08:00 [INF] Requesting Certificate via Certificate Authority
2021-12-06 22:39:38.107 -08:00 [ERR] Certificate request process failed: System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1484
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__35.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1251
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 945
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 737
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 444
System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1484
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__35.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1251
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 945
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 737
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 444
2021-12-06 22:39:38.107 -08:00 [INF] WebScan: Request failed - Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1484
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__35.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1251
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 945
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 737
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 444
2021-12-06 22:39:38.107 -08:00 [INF] WebScan: Request failed - Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1484
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__35.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1251
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 945
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 737
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 444
2021-12-06 22:39:38.332 -08:00 [INF] WebScan: Request failed - Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated. System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :Certification path could not be validated.
at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1484
at Certify.Providers.ACME.Certes.CertesACMEProvider.d__35.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1251
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 945
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 737
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 444

My first guess is that this system does not have Let’s Encrypt’s new CA root. That root has to be trusted by your system in order to create a certificate chain based off of it.

My understanding is that the newest version of CTW will download this new root for you. If you don’t want to update CTW for some reason, you’ll have to download and install Let’s Encrypt’s new ISRG root manually.

I did download the latest CTW client V. 5.5.7
How can you tell if the CA root is valid?

Your error log stated you had an older CTW version… so that’s what I was going off of.

To check your CAs, run certmgr.msc and navigate to Trusted Root Certificate Authorities - Certificates. You will need to find one named ISRG Root X1.

ok, I found that cert, ISRG Root X1 & ISRG Root X2

What do I do with them?

Hmm, so really… things check out. If you open https://valid-isrgrootx1.letsencrypt.org/ with Chrome, Edge or MSIE… then it should be successful.

The other hint in your error message is to make sure that your system clock is not far off. I guess you could use something like https://time.is/ to see.

Now you just need to click ‘Request Certificate’ for your managed certificate.
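The three checks suggested in this thread (ISRG Root X1 present in the Trusted Root store, the chain validating against the Let's Encrypt test site, and the clock being roughly right) plus a look at what the server actually serves, as an added PowerShell example that is not from the thread or from Certify The Web; the hostname is taken from the log above and is the only assumption.

```powershell
# Added diagnostic script (not part of the thread). Run in an elevated PowerShell on the IIS host.
param([string]$HostName = 'webscan.csitgroup.com')   # hostname from the log above; assumption

# 1. Is ISRG Root X1 in the machine-wide Trusted Root store (what certmgr.msc shows)?
$isrg = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=ISRG Root X1*' }
if ($isrg) {
    "ISRG Root X1 present: thumbprint $($isrg.Thumbprint), valid until $($isrg.NotAfter)"
} else {
    "ISRG Root X1 MISSING from LocalMachine\Root (Windows Update delivers it; otherwise import it)"
}

# 2. Does this host validate a chain that ends in ISRG Root X1? Also use the response's
#    Date header to estimate local clock skew, since an expired-looking chain is often a clock issue.
try {
    $resp = Invoke-WebRequest -Uri 'https://valid-isrgrootx1.letsencrypt.org/' -UseBasicParsing
    $remote = [DateTimeOffset]::Parse(@($resp.Headers['Date'])[0])   # header is string or string[] by PS version
    $skew = [Math]::Abs(([DateTimeOffset]::UtcNow - $remote).TotalSeconds)
    "Chain to ISRG Root X1 validated (HTTP $($resp.StatusCode)); clock skew about $([int]$skew) seconds"
} catch {
    "Chain validation against valid-isrgrootx1.letsencrypt.org FAILED: $($_.Exception.Message)"
}

# 3. What certificate is IIS actually serving for the site? A renewed cert that was never applied
#    to the binding shows up here as an expired NotAfter while Certify reports success.
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }  # inspect even if untrusted
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($HostName)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Served: $($served.Subject); issuer $($served.Issuer); expires $($served.NotAfter)"
    if ($served.NotAfter -lt (Get-Date)) {
        "EXPIRED on the wire: check the managed certificate's Preview tab and the IIS https binding"
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```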

It seems like we are having quite a few users affected by this; these are people we were unable to notify in September because they were not registered customers.

I checked both of your suggestions and both looked fine.

Also getting this when I attempt to access via a browser.

NET::ERR_CERT_DATE_INVALID

Subject: webscan.csitgroup.com

Issuer: R3

Expires on: Dec 7, 2021

Current date: Dec 8, 2021

If you have now renewed your certificate in Certify The Web then this certificate and binding should have been updated. Have you done that?

You should check the ‘Preview’ tab of your managed certificate in Certify The Web to ensure that the correct IIS https bindings will be updated. If they are not listed (at the bottom of the page) then you need to fix that immediately (ensure you have a hostname binding in IIS for the app to match the certificate against); otherwise your certificate is being renewed but not applied.

Later you should also investigate why your system did not automatically get the root certificate update in the first place. This is built into Windows Update, so you have either disabled automatic CA certificate updates (individually or through Group Policy) or your server is unable to contact the required Windows Update servers.

I forced a pending Windows Server update, rebooted and, from the Certify The Web client, renewed, and now it's all working again. Thank you for everyone's help.