Submit-ACMECertificate : Access to the path is denied.

Question

Submit-ACMECertificate : Access to the path is denied.

alexhass opened this issue 7 years ago · 10 comments

I think I made everything correct, but nothing works. I'm Admiinistrator... no way that there is access denied.

> New-ACMECertificate -IdentifierRef 'www.example.com1' -Generate -Alias 'SAN1_www.example.com'

Id                       : [my id]
Alias                    : SAN1_www.example.com
Label                    :
Memo                     :
IdentifierRef            : [my ref]
IdentifierDns            : www.example.com
AlternativeIdentifierDns :
KeyPemFile               :
CsrPemFile               :
GenerateDetailsFile      : [myref]-gen.json
CertificateRequest       :
CrtPemFile               :
CrtDerFile               :
IssuerSerialNumber       :
SerialNumber             :
Thumbprint               :
Signature                :
SignatureAlgorithm       :
RevokedAt                :


> Submit-ACMECertificate 'SAN1_www.example.com'
Submit-ACMECertificate : Access to the path
'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\[myref]-key.pem' is denied.
At line:1 char:1
+ Submit-ACMECertificate 'SAN1_www.example.com'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,ACMESharp.POSH.SubmitCertificate

> Submit-ACMECertificate 'SAN1_www.example.com'
Submit-ACMECertificate : asset file already exists
At line:1 char:1
+ Submit-ACMECertificate 'SAN1_www.example.com'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Submit-ACMECertificate], IOException
    + FullyQualifiedErrorId : System.IO.IOException,ACMESharp.POSH.SubmitCertificate

Answer 1 · 2018-02-19T09:43:35.000Z

Let me note there is NO pem file on disk what may cause the misleading error message.

Answer 2 · 2018-03-24T14:06:29.000Z

same problem here ... makes it difficult to get cert if it's not being created in the vault :(

Answer 3 · 2018-03-27T04:12:04.000Z

Been having this issue for months but only on some machines, it seems the only workaround is to manually create the file.

Answer 4 · 2018-03-27T16:00:11.000Z

ummm ok - how do you manually create the file?

Answer 5 · 2018-03-28T01:50:35.000Z

Create a blank text file in the location.
Further to the above I suspect the issue is EFS as documented here - but I am not aware of it being disabled on the domain.

Creating a vault profile as described here with EFS off also works, but only with the latest version of ACMESharp.
https://pkisharp.github.io/ACMESharp-docs/Local-Vault-EFS.html

Answer 6 · 2018-07-03T23:02:34.000Z

Same problem here, with ACMESharp 0.9.1.326:

Submit-ACMECertificate -CertificateRef =9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2
Submit-ACMECertificate : Access to the path
'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem' is denied.

And if I manually create the file and reattempt submitting the certificate:

New-Item 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem' -ItemType File

Directory: C:\ProgramData\ACMESharp\sysVault\45-KEYPM

Mode		LastWriteTime		Length		Name
----		-----------------	------		----
-a----		7/3/2018 6:42 PM	0		9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem

Submit-ACMECertificate -CertificateRef =9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2
Submit-ACMECertificate : asset file already exists

Never mind, I got it working. At first, I misunderstood the earlier comments regarding EFS to indicate that a system with EFS enabled is symptomatic of the problem, when instead, EFS needs to be functioning for Submit-ACMECertificate to work correctly.

Answer 7 · 2018-07-24T19:49:58.000Z

Same issue - for me, EFS is enabled on all test machines and I still see this

Answer 8 · 2019-06-20T21:01:09.000Z

Hi,
As an alternative, you can create the file and then submit with the force flag...
In your case the following should work

New-Item 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2-key.pem' -ItemType File
Submit-ACMECertificate -CertificateRef =9efg2a94-3k1h-8i62-3y0d-13lu2582p1e2 -Force

Kind regards.

Answer 9 · 2019-11-06T18:04:19.000Z

I'm receiving the same error on a server 2012 R2 system.
"Submit-ACMECertificate : Access to the path
'C:\ProgramData\ACMESharp\sysVault\45-KEYPM\2d814b3a-6971-496b-966c-620db86c241a-key.pem' is denied."

No files are located in 'C:\ProgramData\ACMESharp\sysVault\45-KEYPM'. I am running in an admin powershell window and can create edit and read fails from the window in that path
The JSONs are in C:\ProgramData\ACMESharp\sysVault\40-KEYGN as expected

Answer 10 · 2019-11-07T17:38:23.000Z

Here's a bit of a more automated approach on @chaami 's comment.

$date = get-date -format yyyyMMddHHmmss
$alias = $cn + $date
New-ACMEIdentifier -Dns $cn -Alias $alias

then

$pempart = Get-ACMEIdentifier |where-object {$_.alias -match $date}|select-object ID
$pem = "C:\ProgramData\ACMESharp\sysVault\45-KEYPM\"+ $pempart.ID + "-key.pem"
new-item -path $pem -ItemType file

It doesn't have to be the date, but adding some type of unique identifier to the alias allows you to to grab that ID and automate the creation of the file