CryptographicException: Keyset does not exist #2584

Closed
WouterTinus opened this issue May 18, 2024 · 27 comments

@WouterTinus
Member

          but when I do a new certificate I still get an error

Error requesting certificate "[Manual] project.iztoknet.com"
System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.X509Certificates.StorePal.Export(X509ContentType contentType, SafePasswordHandle password)
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Export(X509ContentType contentType)
at PKISharp.WACS.DomainObjects.CertificateInfo..ctor(X509Certificate2Collection rawCollection)
at PKISharp.WACS.DomainObjects.CertificateInfoBc.GenerateInner(Pkcs12Store store, X509KeyStorageFlags flags)
at PKISharp.WACS.DomainObjects.CertificateInfoBc..ctor(Pkcs12Store store)
at PKISharp.WACS.Services.CertificateService.CreateAlternative(Byte[] bytes, String friendlyName, AsymmetricKeyParameter pk)
at PKISharp.WACS.Services.CertificateService.DownloadCertificate(AcmeOrderDetails order, String friendlyName, AsymmetricKeyParameter pk)
at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, Order order)
at PKISharp.WACS.OrderProcessor.GetFromServer(OrderContext context)

Originally posted by @iztokba in #2582 (comment)

@WouterTinus
Member Author

I'm not able to immediately reproduce this. Can you provide the full log?

@iztokba

iztokba commented May 18, 2024

log-20240518.txt
Here is the full log.

WouterTinus added a commit that referenced this issue May 18, 2024
@WouterTinus
Member Author

WouterTinus commented May 18, 2024

It's a weird error that I can't really explain, but here is a build with a potential fix and also adding some more logging that might provide additional hints. Please try it if you get a chance.

https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49841629/artifacts
EDIT: see below for build 1701.

@webprofusion-chrisc
Contributor

I wonder if the ephemeral key used in creating the temp pfx is being lost before the export somehow, I think you may need to PersistKeySet if using MachineKeySet (in your fallback) though as I think the export will try to read from disk not from memory. dotnet calls out to OS functions that are quite old: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-pfxexportcertstore

@iztokba

iztokba commented May 19, 2024

This version also does not work; when you want to renew the certificate, the error is still present.
The log document is attached
log-20240519.txt

@iztokba

iztokba commented May 19, 2024

I see a new error: The local system certificate with thumbprint fc 15 ee f6 66 2b c4 94 dc 26 bd ab 2f 85 d3 b4 58 e9 62 df is about to expire or has already expired.

Maybe this is the problem.

WouterTinus added a commit that referenced this issue May 19, 2024
@WouterTinus
Member Author

WouterTinus commented May 19, 2024

dotnet calls out to OS functions that are quite old

Ugh, indeed. Dealing with X509Certificate2 and the like feels like crawling through broken glass sometimes because it's hiding so much from what happens in the background. I'm tempted to go full BouncyCastle for as much code as possible, but I'm also afraid of subtle edge cases that people have come to rely on. Perhaps that'd be a version 2.3 thing.

Anyway, I tried your suggestion of adding the PersistKeySet flag (which makes sense because we also do that for the actual store), so hopefully that solves @iztokba's issue. See build 1685: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49843242/artifacts

EDIT: see below for 1701.

@bieba

bieba commented May 19, 2024

I also have the same issue. The .1685 doesn't solve the problem.

@WouterTinus
Member Author

This seems to be a new bug introduced in 2.2.9. I'm revoking the release and going back to testing.

@WouterTinus
Member Author

WouterTinus commented May 19, 2024

I'm currently working on a fix for this by moving to BouncyCastle as much as possible for certificate and key handling, only at the very final stages of the Certificate Store plugin it will be moved to Windows, hopefully keeping the "Bad Data" bug away while also not running into this error.

There's a lot of testing to be done yet with different store types and settings, but anyone feeling adventurous can try build 1688 here: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49844762/artifacts

EDIT: see below for 1701.

@WouterTinus WouterTinus added this to the 2.2.9 milestone May 19, 2024
@bieba

bieba commented May 20, 2024

Thanks for trying to achieve a fix, but this isn't working either.

[VERB] Autofac: creating PluginBackend<IStorePlugin> scope with parent PluginBackend<ICsrPlugin>
[VERB] W3SVC detected and running
[VERB] FTPSVC detected and running
[INFO] Store with CertificateStore...
[INFO] Installing certificate in the certificate store
[WARN] Error converting key to legacy CryptoAPI, using CNG instead.
[VERB] System.Security.Cryptography.CryptographicException: Keyset does not exist.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at PKISharp.WACS.Plugins.StorePlugins.CertificateStoreClient.ConvertCertificate(X509Certificate2 original, X509KeyStorageFlags flags, String password)
[DBUG] Open store WebHosting

And a little bit later:

[EROR] (COMException) Unable to install certificate: A specified logon session does not exist. It may already have been terminated. (0x80070520)
[DBUG] Exception details: COMException {ErrorCode=-2147023584, TargetSite=Void Execute(), Message="A specified logon session does not exist. It may already have been terminated. (0x80070520)", Data=[], InnerException=null, HelpLink=null, Source="Microsoft.Web.Administration", HResult=-2147023584, StackTrace="   at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()\r\n   at Microsoft.Web.Administration.ConfigurationMethodInstance.Execute()\r\n   at Microsoft.Web.Administration.Binding.AddSslCertificate(Byte[] certificateHash, String certificateStoreName)\r\n   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()\r\n   at Microsoft.Web.Administration.BindingManager.Save()\r\n   at Microsoft.Web.Administration.ServerManager.CommitChanges()\r\n   at PKISharp.WACS.Clients.IIS.IISClient.Commit()\r\n   at PKISharp.WACS.Clients.IIS.IISClient.UpdateHttpSite(IEnumerable`1 identifiers, BindingOptions bindingOptions, Byte[] oldCertificate, IEnumerable`1 allIdentifiers)\r\n   at PKISharp.WACS.Plugins.InstallationPlugins.IIS.PKISharp.WACS.Plugins.Interfaces.IInstallationPlugin.Install(Dictionary`2 storeInfo, ICertificateInfo newCertificate, ICertificateInfo oldCertificate)\r\n   at PKISharp.WACS.OrderProcessor.HandleInstall(OrderContext context, ICertificateInfo newCertificate, CertificateInfoCache previousCertificate, Dictionary`2 storeInfo)"}

2.2.8.1635 isn't working either; at least I got the last error.

@WouterTinus
Member Author

WouterTinus commented May 20, 2024

Hi @bieba, thanks for testing. My current theory is that all this is triggered somehow (under some circumstances, unfortunately not on my own machine) by the password protection of the temporary certificates, so I've removed that in build 1690. Would you mind giving that a spin? https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49846932/artifacts

EDIT: see below for 1701.

@bieba

bieba commented May 20, 2024

Nope :-/

[VERB] Autofac: creating PluginBackend<IStorePlugin> scope with parent PluginBackend<ICsrPlugin>
[VERB] W3SVC detected and running
[VERB] FTPSVC detected and running
[INFO] Store with CertificateStore...
[INFO] Installing certificate in the certificate store
[WARN] Error converting key to legacy CryptoAPI, using CNG instead.
[VERB] System.Security.Cryptography.CryptographicException: Keyset does not exist.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at PKISharp.WACS.Plugins.StorePlugins.CertificateStoreClient.ConvertCertificate(X509Certificate2 original, X509KeyStorageFlags flags, String password)
[DBUG] Open store WebHosting
[INFO] Committing 1 https binding changes to IIS while updating site 9
[EROR] (COMException) Unable to install certificate: A specified logon session does not exist. It may already have been terminated. (0x80070520)
[DBUG] Exception details: COMException {ErrorCode=-2147023584, TargetSite=Void Execute(), Message="A specified logon session does not exist. It may already have been terminated. (0x80070520)", Data=[], InnerException=null, HelpLink=null, Source="Microsoft.Web.Administration", HResult=-2147023584, StackTrace="   at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()\r\n   at Microsoft.Web.Administration.ConfigurationMethodInstance.Execute()\r\n   at Microsoft.Web.Administration.Binding.AddSslCertificate(Byte[] certificateHash, String certificateStoreName)\r\n   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()\r\n   at Microsoft.Web.Administration.BindingManager.Save()\r\n   at Microsoft.Web.Administration.ServerManager.CommitChanges()\r\n   at PKISharp.WACS.Clients.IIS.IISClient.Commit()\r\n   at PKISharp.WACS.Clients.IIS.IISClient.UpdateHttpSite(IEnumerable`1 identifiers, BindingOptions bindingOptions, Byte[] oldCertificate, IEnumerable`1 allIdentifiers)\r\n   at PKISharp.WACS.Plugins.InstallationPlugins.IIS.PKISharp.WACS.Plugins.Interfaces.IInstallationPlugin.Install(Dictionary`2 storeInfo, ICertificateInfo newCertificate, ICertificateInfo oldCertificate)\r\n   at PKISharp.WACS.OrderProcessor.HandleInstall(OrderContext context, ICertificateInfo newCertificate, CertificateInfoCache previousCertificate, Dictionary`2 storeInfo)"}
[EROR] Renewal for [IIS] XXX, (any host) failed, will retry on next run
[EROR] Install failed: A specified logon session does not exist. It may already have been terminated. (0x80070520)

Regarding the last error, maybe an idea:
Currently I'm thinking that the session is reset. Maybe you're throwing away the last instance of the server manager because you caught an exception (and your Refresh() method gets called), and the new instance doesn't know anything about the past?

I have been looking at the certificates; they do not have the exportable property set. Is that necessary? I didn't change anything, and because of another issue with an older version, I thought migrating to a recent version would be a good idea.

It is a German-localized Windows Server 2016.

@bieba

bieba commented May 20, 2024

Bigger problem. The client destroys the bindings it wanted to update because it can't assign the certificate. When I tried to choose it manually, I got the same error message. I had to roll back to the last working one.

[screenshot attached: Screenshot 2024-05-20 at 13:41:43]

Now the server has multiple corrupt certificates. I hope this does not happen to many others.

@iztokba

iztokba commented May 20, 2024

For me this version works super fine: win-acme.v2.2.9.1688
Thanks for the help.
If there is a new version I will test it.

@WouterTinus
Member Author

@iztokba: which Windows version are you on?
@bieba: the new version might not be able to recover from a certificate that was already corrupted by a previous buggy build. If you're still willing to test could you try creating a cert for a brand new domain?

@jshall

jshall commented May 20, 2024

@WouterTinus I got this same error.

In my case it seems to be that this version is not properly accounting for Transfer-Encoding: chunked.

While digging into it via Fiddler, in the ACME server response one of the certificates returned appeared to be corrupted until I used the "click to decode" option. I suspect that win-acme is also failing to do this decoding step and jumps straight to decoding the PEM data, which has a chunk header right in the middle of the base64 data.
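
The failure mode jshall describes above, as an added example that is not part of win-acme and not code from this thread: a minimal RFC 9112 chunked transfer-coding decoder next to a strict PEM parser, run over a constructed three-block chain (the DER blobs are fabricated byte patterns, not real certificates). Chunk-size lines are hex digits, and every hex digit is a legal base64 character, so a chunk boundary that lands inside a base64 run passes an alphabet check; depending on where it lands the damage surfaces either as a length/padding error or as silently wrong DER, and the example catches both by comparing against the known input. The Fiddler capture further down in the thread shows exactly such a boundary (the "9c6" size line inside the second block). Whether win-acme's HTTP layer ever saw that framing is jshall's hypothesis, not something the thread confirms; by default .NET's HttpClient removes chunked encoding before handing over the body, so a capture on the wire alone does not prove the client parsed the raw framing.

```python
import base64
import binascii
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def decode_chunked(raw: bytes) -> bytes:
    """Remove HTTP/1.1 chunked transfer-coding (RFC 9112, section 7.1).

    Each chunk is "<hex size>[;extensions]\\r\\n<data>\\r\\n"; a zero-size
    chunk ends the body and any trailer fields after it are ignored.
    Truncated input is rejected rather than partially returned.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(raw[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        data = raw[pos:pos + size]
        if len(data) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing chunk terminator")
        out += data
        pos += size + 2


def parse_pem_certs(body: bytes) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Line breaks inside a block are dropped (PEM is 64-column wrapped), but
    every remaining character must be base64 and the padding must be valid,
    so a stray chunk-size line is not quietly absorbed when its length breaks
    the quad alignment.
    """
    ders = []
    for payload in PEM_CERT_RE.findall(body):
        compact = re.sub(rb"\s+", b"", payload)
        ders.append(base64.b64decode(compact, validate=True))
    return ders


def pem_block(der: bytes) -> bytes:
    """Wrap DER bytes as a 64-column PEM CERTIFICATE block."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def chunk_encode(body: bytes, chunk_size: int) -> bytes:
    """Apply chunked transfer-coding with fixed-size chunks, as a server would
    (the capture in this thread uses 0x1000-byte chunks)."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def compare_parsers(chunk_size: int = 0x1000) -> dict:
    """Build a constructed three-certificate chain, chunk it, and parse it
    both after de-chunking and naively from the raw body.

    The DER blobs are fabricated byte patterns (not real certificates); their
    sizes are chosen so the 0x1000 chunk boundary falls inside the third
    block's base64 data, mirroring the capture in the thread.
    """
    fake_ders = [bytes((i * 7 + j) % 256 for j in range(n))
                 for i, n in enumerate((900, 1300, 1700))]
    body = b"\n".join(pem_block(d) for d in fake_ders) + b"\n"
    raw = chunk_encode(body, chunk_size)

    decode_first = parse_pem_certs(decode_chunked(raw)) == fake_ders
    try:
        naive = parse_pem_certs(raw) == fake_ders
    except binascii.Error:
        naive = False  # chunk-size digits broke the base64 length/padding
    return {"decode_first": decode_first, "naive": naive}


if __name__ == "__main__":
    print(compare_parsers())
```

With the sizes above, `compare_parsers()` returns `{"decode_first": True, "naive": False}`: the de-chunked body round-trips all three blocks, while the raw body leaves the third block with three extra hex characters spliced into its base64, which this parser rejects. Had the boundary landed on a quad-aligned offset the naive decode would have succeeded and returned wrong DER instead, which is why the comparison, not the exception, is the check that matters.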

@bieba

bieba commented May 20, 2024

The customer has an important appointment tomorrow; I am allowed to give it a new try in the late evening, not now.
As I was able to roll back to a working one, I assume that I can start with that one?
If it's still not working I'll start over with a new domain for testing purposes.

I'll come back with some news late tomorrow evening.

@iztokba

iztokba commented May 21, 2024

I have Windows Server 2016 Standard.

@WouterTinus
Member Author

@jshall: to be clear, which error, which build of win-acme and which version of Windows?

@jshall

jshall commented May 21, 2024

Windows version: Microsoft Windows Server 2016 Standard (10.0.14393)
win-acme version: 2.2.9.1680 (release, pluggable, standalone, 64-bit)

win-acme log excerpt:

2024-05-20 15:03:28.646 -04:00 [INF] Downloading certificate dev-sql02
2024-05-20 15:03:28.651 -04:00 [DBG] [HTTP] Send POST to "https://ca-agent.indwes.edu/acme/cert/1da387e7-5ec0-42f7-94ed-140a5f028e76"
2024-05-20 15:03:28.651 -04:00 [VRB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vY2EtYWdlbnQuaW5kd2VzLmVkdS9hY21lL2NlcnQvMWRhMzg3ZTctNWVjMC00MmY3LTk0ZWQtMTQwYTVmMDI4ZTc2Iiwibm9uY2UiOiI2SWpvZnBBZGRYb0QyRURkbWtWS1NCZ0tuQjAiLCJraWQiOiJodHRwczovL2NhLWFnZW50LmluZHdlcy5lZHUvYWNtZS9hY2N0LzZhOWM3M2UxLTg3MDAtNDYyNy05NTQ3LTQ2YWQzNDFhYjQ2YiJ9","payload":"","signature":"fTKf_nMPkLb2A6QciHO6q92hir_QZeLZRSlNdWXusFgIgEgd6MLIQfihXpkqo3kRazYTzd6PlbE9eF8sZ3YIkQ"}
2024-05-20 15:03:28.900 -04:00 [VRB] [HTTP] Request completed with status "OK"
2024-05-20 15:03:28.900 -04:00 [VRB] [HTTP] Empty response
2024-05-20 15:03:28.905 -04:00 [VRB] Parsing PEM data at range 0..1902
2024-05-20 15:03:28.918 -04:00 [VRB] Certificate CN=dev-sql02.iwunet.indwes.edu parsed
2024-05-20 15:03:28.927 -04:00 [VRB] Associating private key
2024-05-20 15:03:28.929 -04:00 [VRB] Parsing PEM data at range 1905..4403
2024-05-20 15:03:28.930 -04:00 [VRB] Certificate C=US,O=Indiana Wesleyan University,OU=IT,CN=Indiana Wesleyan University EZCA parsed
2024-05-20 15:03:28.937 -04:00 [VRB] Parsing PEM data at range 4406..6596
2024-05-20 15:03:28.937 -04:00 [VRB] Certificate C=US,O=Indiana Wesleyan University,OU=IT,CN=Indiana Wesleyan University Root CA parsed
2024-05-20 15:03:29.192 -04:00 [ERR] Error requesting certificate dev-sql02
System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.X509Certificates.StorePal.Export(X509ContentType contentType, SafePasswordHandle password)
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Export(X509ContentType contentType)
   at PKISharp.WACS.DomainObjects.CertificateInfo..ctor(X509Certificate2Collection rawCollection)
   at PKISharp.WACS.DomainObjects.CertificateInfoBc.GenerateInner(Pkcs12Store store, X509KeyStorageFlags flags)
   at PKISharp.WACS.DomainObjects.CertificateInfoBc..ctor(Pkcs12Store store)
   at PKISharp.WACS.Services.CertificateService.CreateAlternative(Byte[] bytes, String friendlyName, AsymmetricKeyParameter pk)
   at PKISharp.WACS.Services.CertificateService.DownloadCertificate(AcmeOrderDetails order, String friendlyName, AsymmetricKeyParameter pk)
   at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, Order order)
   at PKISharp.WACS.OrderProcessor.GetFromServer(OrderContext context)
2024-05-20 15:03:29.194 -04:00 [VRB] Processing order 1/1: Main
2024-05-20 15:03:29.198 -04:00 [ERR] Create certificate failed
2024-05-20 15:03:29.199 -04:00 [VRB] Exiting with status code -1

raw Fiddler capture:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/10.0
Request-Context: appId=cid-v1:8ee9a90b-1ca0-4224-aec2-61acb043f652
Replay-Nonce: 9fO0iM_DVr1WPegHlx5FAJSHL6U
Date: Mon, 20 May 2024 19:03:28 GMT

1000
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----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9c6
vEwAwxjR46UTNmhcuwS9
wfz3sFjzMzOAKakHR/NOOIREEmmWSOYuCb/UbroEN3kBU+1UNtu/mV6Ztx3tvurQEFqK1Ovz20By
9TXOo+ZgvUrj3IbdC+ZbYtP0tndDj803e0IPrvyjMpNkZyb7qTwMpOtpkteSB8JFd81srpJMp9bW
tMiw0wa8E/0Kg/iXF3G2pxlZjrdangRqMJNowEWfSZNpQJPNuo3nXY46KDAY3Fvlc4fGglbmCMHr
ySvTEJU5PQCZj+ngoP+M7A==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

0

@WouterTinus
Member Author

WouterTinus commented May 21, 2024

So I managed to get my hands on a Windows 2016 machine and was able to reproduce and fix the issue. Build 1700 is now available from https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49859984/artifacts and should work for everyone. It will be released as version 2.9.1 in a couple of days if I don't hear reports to the contrary.

EDIT: see below for 1701.

@jshall

jshall commented May 21, 2024

Thanks! I can confirm that build 1700 worked for me as well.

@jshall

jshall commented May 21, 2024

I missed it at first, but another bug popped up. The log does not directly indicate an error, but the CertificateStore plugin did not actually add the new certificate to the Windows certificate store.

2.2.8.1635:

2024-05-21 18:42:50.679 -04:00 [VRB] Autofac: creating PluginBackend<IStorePlugin> scope with parent PluginBackend<ICsrPlugin>
2024-05-21 18:42:50.685 -04:00 [VRB] No W3SVC detected
2024-05-21 18:42:50.685 -04:00 [VRB] No FTPSVC detected
2024-05-21 18:42:50.686 -04:00 [DBG] Certificate store name: My
2024-05-21 18:42:50.687 -04:00 [INF] Store with CertificateStore...
2024-05-21 18:42:50.690 -04:00 [INF] Installing certificate in the certificate store
2024-05-21 18:42:50.691 -04:00 [DBG] Opened certificate store My
2024-05-21 18:42:50.691 -04:00 [INF] Adding certificate dev-sql02 @ 2024-05-21 to store My
2024-05-21 18:42:50.691 -04:00 [VRB] CN=dev-sql02.iwunet.indwes.edu - CN=Indiana Wesleyan University EZCA, OU=IT, O=Indiana Wesleyan University, C=US (D04A1AA51E861B56C0F1CF70D215EE539BAFB540)
2024-05-21 18:42:50.692 -04:00 [DBG] Storing certificate with flags "MachineKeySet, PersistKeySet"
2024-05-21 18:42:50.775 -04:00 [DBG] Closing certificate store
2024-05-21 18:42:50.786 -04:00 [VRB] CN=Indiana Wesleyan University EZCA, OU=IT, O=Indiana Wesleyan University, C=US - CN=Indiana Wesleyan University Root CA, OU=IT, O=Indiana Wesleyan University, C=US (405E0CEDB847985FE5C29F33CE600DF2468FEBBE) already exists in CA
2024-05-21 18:42:50.786 -04:00 [VRB] CN=Indiana Wesleyan University Root CA, OU=IT, O=Indiana Wesleyan University, C=US - CN=Indiana Wesleyan University Root CA, OU=IT, O=Indiana Wesleyan University, C=US (D5809A52EBE161D463673A2F2D585B2D68E5405E) already exists in CA
2024-05-21 18:42:50.786 -04:00 [DBG] Closing store CA

2.2.9.1700:

2024-05-21 18:38:11.679 -04:00 [VRB] Autofac: creating PluginBackend<IStorePlugin> scope with parent PluginBackend<ICsrPlugin>
2024-05-21 18:38:11.684 -04:00 [VRB] No W3SVC detected
2024-05-21 18:38:11.684 -04:00 [VRB] No FTPSVC detected
2024-05-21 18:38:11.686 -04:00 [INF] Store with CertificateStore...
2024-05-21 18:38:11.687 -04:00 [INF] Installing certificate in the certificate store
2024-05-21 18:38:11.880 -04:00 [INF] Adding certificate  in store CA
2024-05-21 18:38:11.880 -04:00 [VRB] CN=Indiana Wesleyan University EZCA, OU=IT, O=Indiana Wesleyan University, C=US/CN=Indiana Wesleyan University Root CA, OU=IT, O=Indiana Wesleyan University, C=US (405E0CEDB847985FE5C29F33CE600DF2468FEBBE)
2024-05-21 18:38:11.881 -04:00 [INF] Adding certificate  in store CA
2024-05-21 18:38:11.881 -04:00 [VRB] CN=Indiana Wesleyan University Root CA, OU=IT, O=Indiana Wesleyan University, C=US/CN=Indiana Wesleyan University Root CA, OU=IT, O=Indiana Wesleyan University, C=US (D5809A52EBE161D463673A2F2D585B2D68E5405E)

@WouterTinus
Member Author

Looks like certificates with EC keys were slipping through the cracks in the new control flow, there's a bugfix here:
https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49861780/artifacts

@bieba

bieba commented May 22, 2024

.1701 tested. Works like a charm.

@WouterTinus
Member Author

Build 1701 has been released as version 2.2.9.1. Hopefully working for everyone now 👍


5 participants