### Simple ACME Initial Unattended Setup with IIS Source: https://simple-acme.com/manual/advanced-use Provides a command line example for the initial unattended setup of Simple ACME on a clean server. It includes creating an account, accepting terms of service, and configuring IIS integration. ```command-line wacs.exe --source iis --siteid 1 --excludebindings exclude.me --emailaddress myaddress@example.com --accepttos ``` -------------------------------- ### Install simple-acme via .NET Global Tool Source: https://simple-acme.com/manual/installation Installs or updates simple-acme as a .NET Global Tool. Requires .NET 9.0 or later to be installed. Ensure the command prompt is run as an administrator. ```bash dotnet tool install simple-acme --global ``` ```bash wacs ``` ```bash dotnet tool update simple-acme --global ``` -------------------------------- ### WACS Command with Scripted Installation Source: https://simple-acme.com/manual/advanced-use/examples/apache This command demonstrates how to use WACS to generate a certificate and then use a custom script for installation. It specifies the source, host, validation method, webroot, installation type (script), the script name, and script parameters including the certificate destination folder and domain name. ```cmd wacs.exe --source manual --host www.example.com --webroot "C:\htdocs\www\example.com" --validation filesystem --installation script --script "installcert.cmd" --scriptparameters "acme-v02.api.letsencrypt.org C:\cert www.example.com" ``` -------------------------------- ### Batch Script for Certificate Installation and Apache Restart Source: https://simple-acme.com/manual/advanced-use/examples/apache This batch script automates the copying of certificate files (.pem) to a specified directory and restarts the Apache service. It takes the source certificate folder, destination folder, and domain name as parameters. ```batch @echo off if "%~1" == "" exit if not exist "%2" md "%2" >nul set certlist=%3-chain.pem,%3-key.pem echo Script running... for %%a in (%certlist%) do copy /y "%ProgramData%\simple-acme\%1\%%a" "%2\" >nul && echo. [INFO] Install %%a to Certificate Store in %2... OK || echo. [WARN] Install certificate %%a fieled! echo. [INFO] Restarting service... C:\Apache24\bin\httpd.exe -k restart echo. [INFO] Service restarted. echo. [INFO] Script finished. ``` -------------------------------- ### Install simple-acme via Chocolatey Source: https://simple-acme.com/manual/installation Installs or upgrades the simple-acme package using the Chocolatey package manager. Note that Chocolatey versions might lag behind official releases. ```bash choco install simple-acme ``` ```bash choco upgrade simple-acme ``` -------------------------------- ### Generate Certificate for Catch-all IIS Bindings (Unattended) Source: https://simple-acme.com/manual/advanced-use/examples/rds This command generates a certificate for blank/catch-all IIS bindings, explicitly specifying the domain name. It installs the certificate for IIS and a script, and requires the 'wacs.exe' client. ```bash wacs.exe --source manual --host rds.example.com --certificatestore My --installation iis,script --installationsiteid 1 --script "C:\scripts\ImportRDSFull.ps1" --scriptparameters "{CertThumbprint}" ``` -------------------------------- ### Apache VirtualHost Configuration for SSL Source: https://simple-acme.com/manual/advanced-use/examples/apache This snippet shows how to configure an Apache 2.4 virtual host to use SSL certificates obtained from WACS. It defines certificate and key file paths using custom Define directives and sets the SSLEngine to on. ```apache Define CERTROOT "C:/apache-certs" Define SITEROOT "C:/htdocs/www" .... ServerName www.example.com DocumentRoot "${SITEROOT}/example.com" .... SSLEngine on SSLCertificateFile "${CERTROOT}/example.com-chain.pem" SSLCertificateKeyFile "${CERTROOT}/example.com-key.pem" ``` -------------------------------- ### Simple ACME Unattended Certificate Creation (Manual Source) Source: https://simple-acme.com/manual/advanced-use Demonstrates how to create a new certificate using the manual source plugin in Simple ACME via the command line. This is a basic example of unattended operation. ```command-line wacs.exe --source manual --host www.domain.com ``` -------------------------------- ### Unattended Certificate Generation with PEM Files Source: https://simple-acme.com/manual/advanced-use/examples/apache This command generates certificates in PEM format for Apache using WACS in an unattended mode. It specifies the host, validation method (filesystem), webroot path, and the output path for PEM files. ```cmd wacs.exe --source manual --host www.example.com --validation filesystem --webroot "C:\htdocs\www\example.com" --store pemfiles --pemfilespath C:\apache-certs ``` -------------------------------- ### Troubleshooting Simple ACME Startup Errors Source: https://simple-acme.com/manual/system-requirements Provides common solutions for startup problems with Simple ACME, focusing on missing DLLs and runtime components. These often require installing specific Microsoft Visual C++ Redistributable updates or Windows update packages. ```text You may need to install Microsoft Visual C++ 2015 Redistributable Update 3 If you run into an error about `api-ms-win-crt-runtime-l1-1-0.dll` you may need KB2999226. If you run into an error about `hostfxr.dll` you may need KB2533623. If you run into an error like `Failure processing application bundle`, perhaps this thread might provide a solution. If the program doesn’t seem to start but an error like `Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy:App.AppXc99k5qnnsvxj5szemm7fp3g7y08we5vm.mca` appears in the Event Viewer this thread might provide a solution. ``` -------------------------------- ### Generate Certificate for IIS Bindings (Unattended) Source: https://simple-acme.com/manual/advanced-use/examples/rds This command generates a certificate for specific domain names configured in IIS bindings and installs it for IIS and a script. It requires the 'wacs.exe' client and assumes a site ID of 1. ```bash wacs.exe --source iis --siteid 1 --certificatestore My --installation iis,script --script "C:\scripts\ImportRDSFull.ps1" --scriptparameters "{CertThumbprint}" ``` -------------------------------- ### Configure Scheduled Task Start Time (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Sets the daily start time for scheduled certificate tasks. The format is a string representing time in HH:MM:SS format. ```configuration ScheduledTask.StartBoundary = "'09:00:00'" ``` -------------------------------- ### Unattended Certificate Generation for Exchange (Windows Certificate Store) Source: https://simple-acme.com/manual/advanced-use/examples/exchange This command generates a Let's Encrypt certificate for specified Exchange domains and installs it into the Windows Certificate Store. It also configures the certificate for IIS, SMTP, and IMAP services, and runs a post-installation script. The `‑‑acl-fullcontrol` flag is crucial for update compatibility. ```bash wacs.exe --source manual --host mail.example.com,webmail.example.com,autodiscover.example.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "C:\\simple-acme\\scripts\\ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" ``` -------------------------------- ### Adding CAA record for Let's Encrypt Source: https://simple-acme.com/manual/validation-problems A CAA record example to allow Let's Encrypt to issue certificates for a domain. This record is checked by ACME providers. ```dns example.com. CAA 0 issue "letsencrypt.org" ``` -------------------------------- ### JSON Encoded File Path Example Source: https://simple-acme.com/manual/advanced-use/secret-management Illustrates the requirement for JSON-encoded paths, specifically showing the double backslash escape for Windows paths. ```json "C:\\" ``` -------------------------------- ### Add Random Delay to Task Start (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Introduces a random delay before starting a scheduled task to spread server load and prevent `TooManyRequests` errors. The delay is configured as a string in HH:MM:SS format. ```configuration ScheduledTask.RandomDelay = "'04:00:00'" ``` -------------------------------- ### Configure Certificate Cache Path in Settings Source: https://simple-acme.com/manual/advanced-use/private-key-management This setting defines the directory path where Simple-ACME caches certificates, request files, and private keys. Paths should be JSON-encoded, for example, 'C:\\'. Ensure this path is not the same as the CentralSsl path if using that feature. ```ini [Cache] Path = "C:\\Users\\username\\.simple-acme\\Certificates" ``` -------------------------------- ### URL Rewrite Rule for ACME Validation Source: https://simple-acme.com/manual/iis-configuration This URL Rewrite rule creates an exception for the ACME challenge path in IIS, preventing it from being intercepted by other rewrite rules. It ensures that requests starting with '.well-known' are processed without further rewriting. ```xml ``` -------------------------------- ### Spread Certificate Renewal Load (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Defines a range of days subtracted from `RenewalDays` to distribute certificate renewals over time, minimizing service load and downtime. For example, if `RenewalDays` is 55 and `RenewalDaysRange` is 10, renewals will occur between 45 and 55 days. ```configuration ScheduledTask.RenewalDaysRange = 10 ``` -------------------------------- ### Create Anonymous Account (Command Line) Source: https://simple-acme.com/manual/account-management Demonstrates how to create an anonymous ACME account using command-line arguments. Requires agreeing to terms of service and providing an email address for notifications. ```bash --accepttos --emailaddress acme@example.com ``` -------------------------------- ### Simple ACME Command-Line Switch for IP Address Configuration Source: https://simple-acme.com/manual/system-requirements Demonstrates the command-line switch used to customize the IP address binding for Simple ACME certificates. This allows specifying a particular IP address instead of the default wildcard binding. ```bash ‑‑sslipaddress ``` -------------------------------- ### Unattended Certificate Generation for Exchange (Central Certificate Store) Source: https://simple-acme.com/manual/advanced-use/examples/exchange This command generates a Let's Encrypt certificate for Exchange domains and stores it in a Central SSL store, suitable for load-balanced environments. It configures the certificate for IIS and a post-installation script, specifying the store path and required permissions. ```bash wacs.exe --source manual --host mail.example.com,webmail.example.com,autodiscover.example.com --store centralssl,certificatestore --certificatestore My --acl-fullcontrol "network service,administrators" --centralsslstore "C:\\Central SSL" --installation iis,script --installationsiteid 1 --script "C:\\simple-acme\\scripts\\ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" ``` -------------------------------- ### win-acme command-line arguments Source: https://simple-acme.com/manual/validation-problems Explanation of command-line arguments for troubleshooting ACME validation with win-acme. --test enables testing behaviors and defaults to the ACME test endpoint. --verbose prints additional logs. --baseuri specifies the ACME server address. ```command-line ‑‑test | Enables testing behaviours in the program which may help with troubleshooting. By default this also switches the ‑‑baseuri to the ACME test endpoint. The default endpoint for test mode can be modified in settings.json. ``` ```command-line ‑‑verbose | Print additional log messages to console for troubleshooting and bug reports. ``` ```command-line ‑‑baseuri | Address of the ACME server to use. The default endpoint can be modified in settings.json. ``` -------------------------------- ### Create Externally Bound Account (Command Line) Source: https://simple-acme.com/manual/account-management Shows how to create an ACME account that is externally bound using command-line arguments. This method requires an EAB key identifier and the corresponding EAB key, and optionally a base URI for the ACME server. ```bash [--baseuri https://commercialca.com/acme/] --eab-key-identifier mykey --eab-key ***** ``` -------------------------------- ### Encrypt/Decrypt Configuration via Command Line Source: https://simple-acme.com/manual/advanced-use/encryption This command allows users to encrypt or decrypt the application's configuration files using the built-in utility. It's a straightforward way to manage the security of sensitive data like passwords stored in the configuration. Ensure the application's executable is accessible in your PATH or run from its directory. ```bash wacs.exe --encrypt ``` -------------------------------- ### Simple ACME Unattended Certificate Creation (IIS Source) Source: https://simple-acme.com/manual/advanced-use Shows how to create a certificate using the IIS source plugin, specifying a site ID and excluding specific bindings. This is useful for automating certificate management with IIS. ```command-line wacs.exe --source iis --siteid 1 --excludebindings exclude.me ``` -------------------------------- ### IIS and Validation Plugin Compatibility Source: https://simple-acme.com/manual/validation-problems Recommends using the default self-hosting validation plugin with IIS and warns against using other HTTP plugins due to potential issues. ```APIDOC ## IIS and Validation Plugin Compatibility ### Description It is recommended to use the default self-hosting validation plugin with IIS. Using other HTTP plugins, while suitable for servers like Apache, can lead to numerous issues when used with IIS, as detailed on this page. ### Method N/A (Software Configuration) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### Configure UseNextGenerationCryptoApi in Settings Source: https://simple-acme.com/manual/advanced-use/private-key-management Enables the use of Cryptography API: Next Generation (CNG) for handling private keys instead of the legacy CryptoAPI. Enabling this may cause compatibility issues with older software or specific features like exporting from IIS Manager. ```ini [Store.CertificateStore] UseNextGenerationCryptoApi = true ``` -------------------------------- ### Testing ACME validation with wacs.exe Source: https://simple-acme.com/manual/validation-problems Run wacs.exe with --test and --verbose flags to observe validation in slow motion against the Let's Encrypt staging server. For production endpoint testing, also include --baseuri. ```command-line wacs.exe --test --verbose ``` ```command-line wacs.exe --test --verbose --baseuri https://acme-v02.api.letsencrypt.org/ ``` -------------------------------- ### Initial executable name: letsencrypt.exe Source: https://simple-acme.com/manual/about/simple-acme This refers to the initial name of the executable created by Bryan Livingston using the ACMESharp library. It was the primary client for Windows administrators before undergoing name changes. ```text letsencrypt.exe ``` -------------------------------- ### Manage Multiple Accounts Source: https://simple-acme.com/manual/account-management Supports using multiple accounts per server via the command line, allowing different renewals to use different accounts. ```APIDOC ## POST /account/manage ### Description Manages multiple ACME accounts for a single ACME endpoint. This feature is primarily accessible via the command line, allowing distinct accounts for different renewal processes. ### Method POST ### Endpoint /account/manage ### Parameters #### Query Parameters - **--account** (string) - Optional - Provides a name for the account, enabling management of multiple accounts for a single ACME endpoint. ### Request Example ``` # Example using command line argument # simple-acme --account primary-renewal --register ... # simple-acme --account secondary-renewal --register ... ``` ### Response #### Success Response (200) Account management operation successful. #### Response Example ```json { "message": "Account 'primary-renewal' configured successfully." } ``` ``` -------------------------------- ### Simple ACME Version Compatibility (.NET Framework) Source: https://simple-acme.com/manual/system-requirements Specifies compatible versions of Simple ACME for different .NET Framework versions on older Windows systems. These versions are no longer officially supported and may have known bugs. ```text .NET8 (should work on Windows 2012): version 2.3.0.1826 .NET7 (should work on Windows 2012): version 2.2.9.1 .NET6 (should work on Windows 2012): version 2.1.23 .NET5 (should work on Windows 2008): version 2.1.20 .NET4 (backup if above fails to run): version 2.0.12.1 ``` -------------------------------- ### Implementing Custom Notifications with C# Source: https://simple-acme.com/manual/notifications Extends simple-acme's notification capabilities by implementing the INotificationTarget interface in C#. This allows for custom notification channels like Slack, Discord, or Teams. No specific dependencies are required beyond a C# compiler and the simple-acme library. ```csharp public interface INotificationTarget { string Name { get; } Task SendNotificationAsync(NotificationType notificationType, string subject, string body); } ``` -------------------------------- ### DNS Validation Synchronization Source: https://simple-acme.com/manual/validation-problems Emphasizes the importance of synchronized name servers for DNS validation and the role of the pre-validation 'dry run'. ```APIDOC ## DNS Validation Synchronization ### Description ACME servers may query all your name servers, requiring them to be synchronized before challenge submission. The program performs a pre-validation 'dry run' to allow DNS changes to propagate. Fine-tune DNS validation plugins if the pre-validation fails. ### Method N/A (DNS Synchronization) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### ACME Testing and Verbosity Source: https://simple-acme.com/manual/validation-problems Enables testing against Let's Encrypt staging or production servers and increases log output for detailed troubleshooting. ```APIDOC ## ACME Testing and Verbosity ### Description Run `wacs.exe` with the `--test` and `--verbose` parameters to monitor validation processes in detail. The `--test` flag uses the Let's Encrypt staging server, and `--baseuri` can be set to the production endpoint for testing against it. ### Method N/A (Command-line execution) ### Endpoint N/A ### Parameters #### Command-line Arguments - **`--test`** (flag) - Enables testing behaviors, typically switching to the ACME test endpoint. The default test endpoint can be modified in settings.json. - **`--verbose`** (flag) - Prints additional log messages to the console for troubleshooting and bug reports. - **`--baseuri`** (string) - Address of the ACME server to use. The default endpoint can be modified in settings.json. ``` -------------------------------- ### Create Anonymous Account Source: https://simple-acme.com/manual/account-management Initiates the account creation process for an anonymous account. Requires agreement to terms of service and an email address for notifications. ```APIDOC ## POST /account/create/anonymous ### Description Creates an anonymous ACME account. The process involves agreeing to terms of service and providing an email address for server-side notifications. ### Method POST ### Endpoint /account/create/anonymous ### Parameters #### Query Parameters - **--accepttos** (boolean) - Required - Automatically accept the ACME terms of service. - **--emailaddress** (string) - Required - Email address to associate with the ACME account for notifications. ### Request Example ``` POST /account/create/anonymous?--accepttos --emailaddress acme@example.com ``` ### Response #### Success Response (200) Account creation successful. Returns account details. #### Response Example ```json { "accountId": "12345", "accountUrl": "https://acme.example.com/acct/12345" } ``` ``` -------------------------------- ### Script Vault Argument Substitution Source: https://simple-acme.com/manual/advanced-use/secret-management Shows the supported variable substitutions for the Secrets.Script.GetArguments setting, which allows dynamic information to be passed to a secret retrieval script. ```text {key} {operation} {vault://vault/key} ``` -------------------------------- ### Custom Notification Targets Source: https://simple-acme.com/manual/notifications Developers can implement additional notification methods beyond email by implementing the `INotificationTarget` interface in C#. ```APIDOC ## Custom Notification Targets ### Description Implement additional forms of notification (e.g., Slack, Discord, Teams, Jira) by creating a C# class that implements the `INotificationTarget` interface. Contributions are welcome. ### Method N/A (Implementation detail) ### Endpoint N/A (Implementation detail) ### Parameters N/A (Implementation detail) ### Request Example N/A (Implementation detail) ### Response N/A (Implementation detail) ``` -------------------------------- ### Let's Encrypt Domain and Type Limitations Source: https://simple-acme.com/manual/validation-problems Outlines limitations imposed by Let's Encrypt regarding the number of domains per certificate and the type of domains that can be used. ```APIDOC ## Let's Encrypt Domain and Type Limitations ### Description Let's Encrypt has specific limitations: a maximum of 100 domain names per certificate (or 25 with the `tlsserver` profile) and it only supports domains on the public internet. Internal domains or Active Directory hostnames are not supported. ### Method N/A (Policy Limitation) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### Configure File Log Output with Process ID (serilog.json) Source: https://simple-acme.com/manual/advanced-use/custom-logging This JSON configuration snippet demonstrates how to customize the output template for the file log sink in Serilog. It includes the log level, process ID, and message, with specific formatting for each element. This is useful for correlating log entries with specific process instances. ```json { "disk": { "WriteTo": [ { "Name": "File", "Args": { "outputTemplate": "[{Level:u3}] [PID:{ProcessId}] {Message:lj}{NewLine}{Exception}" } } ] } } ``` -------------------------------- ### Create Externally Bound Account Source: https://simple-acme.com/manual/account-management Creates an ACME account linked to an external service. Requires an EAB key identifier and the corresponding EAB key. ```APIDOC ## POST /account/create/external ### Description Creates an ACME account by binding it to an external account. Requires EAB key identifier and EAB key for authentication. ### Method POST ### Endpoint /account/create/external ### Parameters #### Query Parameters - **--baseuri** (string) - Optional - The base URI of the ACME server. Defaults to `settings.json` or a predefined Let's Encrypt URI. - **--eab-key-identifier** (string) - Required - The key identifier for external account binding. - **--eab-key** (string) - Required - The secret key for external account binding. Must be base64url encoded or a vault reference. - **--eab-algorithm** (string) - Optional - The algorithm for external account binding. Valid values: HS256 (default), HS384, HS512. ### Request Example ``` POST /account/create/external --baseuri https://commercialca.com/acme/ --eab-key-identifier mykey --eab-key "vault://json/mysecret" ``` ### Response #### Success Response (200) Account creation successful. Returns account details. #### Response Example ```json { "accountId": "67890", "accountUrl": "https://commercialca.com/acme/acct/67890" } ``` ``` -------------------------------- ### Cipher Suites and ACME Compatibility Source: https://simple-acme.com/manual/validation-problems Addresses potential communication issues with ACME API endpoints due to overly restrictive cipher suites configured on Windows systems. ```APIDOC ## Cipher Suites and ACME Compatibility ### Description Configuring strict cipher suites using tools like IISCrypto can sometimes break compatibility with ACME API endpoints and validation servers. If you experience communication problems, try more conservative settings and test API endpoint accessibility via a web browser on your server. ### Method N/A (System Configuration) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### IPv6 Configuration for Validation Source: https://simple-acme.com/manual/validation-problems Addresses issues where Let's Encrypt checks IPv6 connectivity, and problems may arise if IPv6 is misconfigured or inaccessible, even if users don't experience it directly. ```APIDOC ## IPv6 Configuration for Validation ### Description If `AAAA` records are configured, Let's Encrypt checks IPv6 access. Since many networks fallback to IPv4, IPv6 reachability issues might not be apparent to end-users but can cause validation failures. Test your IPv6 connectivity. ### Method N/A (Network Configuration Check) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### IIS Configuration for MVC and Static Content Source: https://simple-acme.com/manual/iis-configuration This configuration snippet for IIS is designed for MVC sites and aims to correctly handle static content and extensionless files during ACME validation. It clears existing handlers and MIME types to ensure 'text/json' is used for all files, and configures the StaticFile handler to process requests appropriately. ```xml ``` -------------------------------- ### Notification Settings Source: https://simple-acme.com/manual/notifications Configuration options for email notifications, including SMTP server details, sender information, and recipient addresses. Also includes an option to send notifications on successful renewals. ```APIDOC ## Settings for Notifications This section details the configuration parameters for email notifications. ### Settings - **`Notification.SmtpServer`** (string) - Required - SMTP server to use for sending email notifications. - **`Notification.SmtpPort`** (number) - Optional - SMTP server port number. Default: `25`. - **`Notification.SmtpUser`** (string) - Optional - User name for the SMTP server, in case of authenticated SMTP. - **`Notification.SmtpPassword`** (string) - Optional - Password for the SMTP server. Can be a literal password or a reference to a secret vault (e.g., `"vault://json/mysecret"`). - **`Notification.SmtpSecure`** (boolean) - Optional - Enable secure SMTP. Default: `false`. - **`Notification.SmtpSecureMode`** (number) - Optional - Controls the way the connection with the mail server is established. Possible values: `1` (Automatic), `2` (Implicit TLS), `3` (Explicit TLS - required), `4` (Explicit TLS - when available). Default: `1`. - **`Notification.SenderName`** (string) - Optional - Display name for the sender of notification emails. Default: `null` (equivalent to `{Client.ClientName}`). - **`Notification.SenderAddress`** (string) - Required - Email address to use as the sender of notification emails. - **`Notification.ReceiverAddresses`** (string[]) - Required - Email addresses to use as the sender of notification emails. Format: `["example@example.com"]` or `["example1@example.com", "example2@example.com"]`. - **`Notification.EmailOnSuccess`** (boolean) - Optional - Send notification emails on successful renewals. Default: `false`. - **`Notification.ComputerName`** (string) - Optional - Value to replace the computer machine name reported in emails. Default: `null`. ``` -------------------------------- ### DNSSEC Validation Source: https://simple-acme.com/manual/validation-problems Ensures proper DNSSEC configuration for certificate issuance, highlighting the need for a strict external observer's perspective. ```APIDOC ## DNSSEC Validation ### Description ACME providers validate your DNSSEC configuration. Issues here can prevent certificate issuance even if your browser doesn't show errors. Use tools like the Unbound DNS checker to verify your DNSSEC setup from an external viewpoint. ### Method N/A (Configuration check) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### Add or Update Secret in JSON Vault (Command Line) Source: https://simple-acme.com/manual/advanced-use/secret-management Demonstrates how to add or update a secret in the JSON vault using the command-line interface. The secret is then accessible via a 'vault://json/mykey' URI. ```bash --vaultstore --vaultkey mykey --vaultsecret ***** ``` -------------------------------- ### CAA Records for Certificate Issuance Source: https://simple-acme.com/manual/validation-problems Explains the necessity of CAA records to authorize ACME providers, like Let's Encrypt, to issue certificates for a domain. ```APIDOC ## CAA Records for Certificate Issuance ### Description ACME providers check for valid CAA records. You must add a CAA record, such as `example.com. CAA 0 issue "letsencrypt.org"`, to your DNS server to permit certificate issuance. Use Let's Debug to verify your CAA record configuration. ### Method N/A (DNS Record Configuration) ### Endpoint N/A ### Parameters #### DNS Record Example - **Type**: CAA - **Name**: `example.com.` - **Value**: `0 issue "letsencrypt.org"` ``` -------------------------------- ### Add Global Validation Setting (CLI) Source: https://simple-acme.com/manual/advanced-use/global-validation Command-line arguments to create or update a global validation setting in Simple ACME. This overrides renewal-level settings and allows specifying patterns and priorities. ```bash win-acme.exe --globalvalidation --globalvalidationpriority 1 --globalvalidationpattern "*.example.com,test.*" ``` -------------------------------- ### Delete Account Source: https://simple-acme.com/manual/account-management Provides instructions on how to delete an ACME account by manually removing specific configuration files. ```APIDOC ## DELETE /account/delete ### Description Deletes an ACME account by manually removing the `Registration_v2` and `Signer_v2` files from the configuration path. This action does not affect existing renewals or certificates. ### Method DELETE ### Endpoint /account/delete ### Parameters #### Path Parameters - **configPath** (string) - Required - The file system path to the ACME client's configuration directory. ### Request Example ``` # Manual deletion process: # 1. Navigate to the configuration path. # 2. Delete 'Registration_v2' file. # 3. Delete 'Signer_v2' file. ``` ### Response #### Success Response (200) Account deletion instructions provided. Manual deletion required. #### Response Example ```json { "message": "To delete an account, manually remove 'Registration_v2' and 'Signer_v2' from the configuration directory." } ``` ``` -------------------------------- ### Configure PrivateKeyExportable in Settings Source: https://simple-acme.com/manual/advanced-use/private-key-management This setting, when enabled in the Simple-ACME configuration, allows private keys stored in the Windows Certificate Store to be marked as exportable. This facilitates the transfer of private keys to other machines. Note that this setting only applies to certificates issued after the change. ```ini [Store.CertificateStore] PrivateKeyExportable = true ``` -------------------------------- ### Final executable name: win-acme Source: https://simple-acme.com/manual/about/simple-acme The current and final name for the Windows ACME client. This name reflects the project's focus and branding after resolving trademark concerns. ```text win-acme ``` -------------------------------- ### Renamed executable: wacs.exe Source: https://simple-acme.com/manual/about/simple-acme Following a trademark issue with Let's Encrypt, the project's executable was renamed. This is the intermediate name before being further simplified. ```text wacs.exe ``` -------------------------------- ### Force Renewal with Simple-ACME CLI Source: https://simple-acme.com/manual/advanced-use/private-key-management This command forces Simple-ACME to renew certificates, useful for disaster recovery scenarios to obtain new certificates with exportable keys when existing ones are not. It's a command-line argument for the Simple-ACME executable. ```shell simple-acme --renew --force ``` -------------------------------- ### Modify Renewal via Command Line (Overwrite) Source: https://simple-acme.com/manual/renewal-management Modifying a renewal from the command line involves re-creating it. If a new configuration has the same friendly name as an existing renewal, the older settings are overwritten. Use the `--id` parameter to create unique certificates and prevent overwrites. ```bash # Example of overwriting an existing renewal with the same friendly name: simple-acme --webroot C:\\NewRoot # Example of creating a unique renewal to prevent overwrites: simple-acme --id "MyUniqueCert" --webroot C:\\NewRoot ``` -------------------------------- ### HTTP Validation Firewall Requirements Source: https://simple-acme.com/manual/validation-problems Details the requirement for port 80 to be open on firewalls for HTTP validation, as Let's Encrypt validation servers can originate from any IP address. ```APIDOC ## HTTP Validation Firewall Requirements ### Description HTTP validation occurs on port 80. Your firewalls must allow access to this port from any origin for the duration of the validation, as Let's Encrypt does not disclose specific IP ranges for its validation servers. ### Method N/A (Firewall Configuration) ### Endpoint N/A ### Parameters N/A ``` -------------------------------- ### Manual Renewal with Force and Verbose Options Source: https://simple-acme.com/manual/automatic-renewal Triggers a manual certificate renewal, forcing the process regardless of validity and providing verbose logging for troubleshooting. This is useful for testing the renewal mechanism and observing detailed output. ```bash simple-acme --renew --force --verbose ``` -------------------------------- ### Reuse Private Key with Simple-ACME CLI Source: https://simple-acme.com/manual/advanced-use/private-key-management This command-line option instructs Simple-ACME to reuse the existing private key for subsequent renewals of a certificate. This is useful for maintaining key consistency across certificate lifecycles. ```shell simple-acme --reuse-privatekey ``` -------------------------------- ### Revoke Certificate via Command Line Source: https://simple-acme.com/manual/renewal-management This command-line argument is used to revoke a certificate. Revocation is typically done when a private key is suspected of compromise, not for routine renewal or cancellation. ```bash # Example usage: simple-acme --revoke ``` -------------------------------- ### Configure Certificate Renewal Period (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Sets the number of days before a certificate expires to attempt renewal. It is advised not to set this too high due to Let's Encrypt's 90-day maximum validity. Lowering this value provides more time to fix renewal issues. ```configuration ScheduledTask.RenewalDays = 55 ``` -------------------------------- ### Configure Cache Reuse for Certificates (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Determines how many days a cached version of a previously requested certificate (with identical domain names) can be reused. Setting this to 0 disables reuse for renewals but not for other program needs. It also prevents storing private key material in the cache unless explicitly requested. ```configuration Cache.ReuseDays = 1 ``` -------------------------------- ### Cancel Renewal via Command Line Source: https://simple-acme.com/manual/renewal-management This command-line argument is used to cancel a certificate renewal. When executed, the program deletes the associated `.renewal.json` file, effectively stopping future automatic renewals. ```bash # Example usage: simple-acme --cancel ``` -------------------------------- ### Set Minimum Certificate Validity for Renewal (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Specifies the minimum number of days a certificate must remain valid before a renewal is attempted, regardless of the `RenewalDays` setting. This ensures certificates are renewed proactively. ```configuration ScheduledTask.RenewalMinimumValidDays = 7 ``` -------------------------------- ### Configure Cache Reuse Days in Settings Source: https://simple-acme.com/manual/advanced-use/private-key-management This setting controls how many days Simple-ACME will reuse a cached certificate and its private key for renewals. Setting it to 0 disables the reuse of cached files for renewals and ensures no private key material is stored in the cache unless explicitly requested via '--reuse-privatekey'. ```ini [Cache] ReuseDays = 0 ``` -------------------------------- ### Disable Server Schedule Suggestions (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal When set to true, this option ignores suggestions from servers implementing ARI (Automated Certificate Issuance) to renew certificates earlier than the scheduled time. It is generally not recommended to disable this. ```configuration ScheduledTask.RenewalDisableServerSchedule = true ``` -------------------------------- ### Set Scheduled Task Execution Time Limit (simple-acme) Source: https://simple-acme.com/manual/automatic-renewal Configures the maximum duration a scheduled task can run before being terminated. This prevents tasks from hanging indefinitely. The format is a string representing time in HH:MM:SS format. ```configuration ScheduledTask.ExecutionTimeLimit = "'02:00:00'" ``` -------------------------------- ### Bypass Certificate Cache Source: https://simple-acme.com/manual/automatic-renewal Disables the certificate cache for both new certificate requests and renewals. This ensures that the program always requests a fresh certificate from the server, bypassing any locally stored cached versions. ```bash simple-acme --nocache ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.