Windows Server 2016 - SSTP VPN Issues


#1

Hi,

I am seeing a problem with SSTP VPN on Windows Server. In particular I’m using Windows Server 2016 Essentials but I think this would also apply to Windows Server 2016/2019.

The CTW client works well, and renews the certificate without issues. It also binds it correctly within IIS.
However - and this may be a limitation in Windows Server - the problem is that the SSTP VPN server in Windows Server 2016 (probably other versions) records the current certificate thumbprint expected by the SSTP listener in the registry, and drops the VPN connection if it doesn’t match. Since CTW doesn’t update the SSTP listener with the new thumbprint, it no longer matches IIS.

The solution is to manually update the registry key at HKLM > System > CurrentControlSet > Services > Sstpsvc > Parameters > Sha1CertificateHash.

Could the CTW renewal process also update this registry key and restart IIS (with the appropriate agreement from the administrator)? Otherwise, at every renewal, the SSTP VPN breaks.

NOTE: This doesn’t affect AnywhereAccess. It’s just the SSTP VPN.
Thanks,
Gary


#2

Hi Gary,

Short answer, yes!

Currently you would use a post-request powershell script to achieve this. In the next major update we are adding a whole stack of optional deployment tasks including the option to defer specific actions until you manually invoke them or schedule them as a task (for IT maintenance windows etc).

So to start with the post-request powershell scripting, check out https://docs.certifytheweb.com/docs/script-hooks.html

You need to check the ‘Show advanced options’ checkbox to see the scripting option, then you need to create a powershell script that will perform the update you need.


param($result)   # accept the status info Certify passes into the script

# the certificate thumbprint is provided in the variable $result.ManagedItem.CertificateThumbprintHash
$result.ManagedItem.CertificateThumbprintHash # ex: "78b1080a1bf5e7fc0bbb0c0614fc4a18932db5f9"

# do something here with the thumbprint hash or other info
# ....
# ....

I don’t think you would need to restart IIS for the cert change if it’s using an IIS https binding, but SSTP is obviously a different thing altogether.

As mentioned above the upcoming deployment tasks feature will allow you to prepare these steps and automatically renew your cert while making the actual deployment a step something you can control directly if you want to (either push a button to run deployment or run a command), which is ideal for working within specific maintenance date/time windows.

Hope that helps.


#3

Excellent, thanks!

And you’re correct - it’s actually the RRAS service that requires a restart to pick up the changed certificate hash, not IIS. In this example, the option to defer the deployment would work really well, because it needs careful management to manually update the certificate hash and restart RRAS if your only access to the server is via that same SSTP VPN (including scheduling a server restart for 5 minutes, in case something hangs during the changes, to give the administrator an emergency recovery option). So, yes, the automated method would be 1) install the new cert 2) copy the hash to the SSTP SHA1 registry entry and 3) restart the RRAS service to pick up the change.

I’ll need to dust off my powershell textbooks…

Thanks for the prompt and knowledgeable reply.
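The three-step rollover from post #3 (install cert, copy hash to the SSTP registry entry, restart RRAS), written as a Certify post-request PowerShell script; this is an added example, not Certify's bundled script nor the poster's own. It assumes, from my own notes rather than this thread, that the value is stored as REG_BINARY (raw 20 bytes), that the RRAS service name is RemoteAccess, and that newer builds also keep a SHA256CertificateHash value; the 5-minute safety reboot is the one post #3 describes.

```powershell
param($result)   # Certify The Web passes its request result into post-request scripts

# Thumbprint of the renewed cert as Certify hands it over (hex string, see post #2).
$thumbprint = ($result.ManagedItem.CertificateThumbprintHash -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) { throw "Unexpected thumbprint value: '$thumbprint'" }

# Registry value the SSTP listener compares against (path from the thread; REG_BINARY is my assumption).
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$valueName = 'SHA1CertificateHash'

# Step 1: confirm the renewed cert really is in the machine store before touching the listener.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $thumbprint is not in LocalMachine\My; SSTP left unchanged." }

# Safety net from post #3: schedule a reboot in 5 minutes, cancelled below only after verification passes.
shutdown.exe /r /t 300 /c "SSTP cert rollover safety reboot" | Out-Null

try {
    # Step 2: write the thumbprint as 20 raw bytes, keeping the old value for rollback.
    $newBytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($thumbprint.Substring($_ * 2, 2), 16) })
    $oldBytes = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($oldBytes) { Write-Output ("Previous hash: " + ([BitConverter]::ToString($oldBytes) -replace '-', '')) }
    Set-ItemProperty -Path $regPath -Name $valueName -Value $newBytes -Type Binary

    # Assumption: newer SSTP builds also keep SHA256CertificateHash; update it only if it already exists.
    if ((Get-ItemProperty -Path $regPath).PSObject.Properties.Name -contains 'SHA256CertificateHash') {
        $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        Set-ItemProperty -Path $regPath -Name 'SHA256CertificateHash' -Value $sha256 -Type Binary
    }

    # Step 3: restart RRAS (assumed service name RemoteAccess) so the listener re-reads the hash.
    Restart-Service -Name RemoteAccess -Force -ErrorAction Stop

    # Verify the stored hash and service state before giving up the emergency reboot.
    $readBack = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
    $rras = Get-Service -Name RemoteAccess
    if (([BitConverter]::ToString($readBack) -replace '-', '') -ne $thumbprint -or $rras.Status -ne 'Running') {
        throw "Post-change verification failed; safety reboot left scheduled."
    }
    shutdown.exe /a | Out-Null
    Write-Output "SSTP listener now expects $thumbprint"
}
catch {
    # Put the old hash back if we captured one, then re-raise; the scheduled reboot stays in place.
    if ($oldBytes) { Set-ItemProperty -Path $regPath -Name $valueName -Value $oldBytes -Type Binary }
    throw
}
```

Run it once by hand from a console session (not over the SSTP tunnel itself) before wiring it into the renewal, so a failed verification and the resulting reboot are observed rather than discovered.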


#4

If you want to avoid auto updating any bindings just because the app has renewed the certificate you can currently choose ‘Certificate Store Only’ under Deployment > Deployment Mode.

This would have the advantage of just readying the next certificate for you to use (the previous one is still stored by default) but you would then need to dig a bit deeper into each service's respective scripting to update the cert hash everywhere during deployment.

We do have a couple of example scripts bundled with the app but they generally need some edits for particular use cases: https://github.com/webprofusion/certify/tree/development/src/Certify.Shared/Scripts/Common

You may also be able to get some inspiration from some similar scripts from win-acme etc, although it’s not copy/paste as we already have our latest hash etc : https://github.com/PKISharp/win-acme/tree/master/dist/Scripts