Cannot find issuer for certificate
franklbt opened this issue ยท 16 comments
Extension Version: 1.0.6
When we try to generate new certificate with your extension we encounter an error :
Is there any configuration update to do on your side to continue using this extension ?
It seems we have the same issue since last Saturday on renewing our certificates.
Exception while executing function: Functions.RenewCertificate Microsoft.Azure.WebJobs.Host.FunctionInvocationException : Exception while executing function: Functions.RenewCertificate ---> Certes.AcmeException : Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'. at Certes.Pkcs.CertificateStore.GetIssuers(Byte[] der) at Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain,IKey certKey) at async LetsEncrypt.Azure.Core.Services.AcmeService.RequestCertificate() at D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\AcmeService.cs : 61 at async LetsEncrypt.Azure.Core.CertificateManager.RequestInternalAsync(IAcmeConfig config) at D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs : 210 at async LetsEncrypt.Azure.Core.CertificateManager.RequestAndInstallInternalAsync(IAcmeConfig config) at D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs : 234 at async LetsEncrypt.Azure.Core.CertificateManager.RenewCertificate(Boolean skipInstallCertificate,Int32 renewXNumberOfDaysBeforeExpiration) at D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs : 176 at async LetsEncrypt.SiteExtension.Functions.RenewCertificate(TimerInfo timerInfo) at D:\a\1\s\LetsEncrypt.SiteExtension.WebJob\Functions.cs : 68 at async Microsoft.Azure.WebJobs.Host.Executors.VoidTaskMethodInvoker2.InvokeAsync[TReflected,TReturnType](TReflected instance,Object[] arguments)
at async Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker2.InvokeAsync[TReflected,TReturnValue](Object instance,Object[] arguments) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeAsync(IFunctionInvoker invoker,ParameterHelper parameterHelper,CancellationTokenSource timeoutTokenSource,CancellationTokenSource functionCancellationTokenSource,Boolean throwOnTimeout,TimeSpan timerInterval,IFunctionInstance instance) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstance instance,ParameterHelper parameterHelper,TraceWriter traceWriter,CancellationTokenSource functionCancellationTokenSource) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) End of inner exception
Same here:
This is the thread from Lets Encrypt Forum for your information
My colleague and me forked the code and updated several libraries and also the .net version to be able to update the used Certes library.
Please see the pull request pointing to this issue.
We have updated our plugin, but it would be really nice if the pull request was merged and a new extension was published to the azure marketplace.
@wzoet - I did a similar thing a while back to enable using a newer version of the WebSites Management dll. The issue detailed above is a new problem that is coming down the line when Lets Encrypt make changes to the certificate chain. This will require Certes and Bouncy Castle changes from what I can make out as well.
@wzoet I tried upgrading the packages but couldn't get the certificate to upload to Azure anymore.
Got the following : BadRequest - At least one certificate is not valid (Certificate failed validation because it could not be loaded)
Not sure what package I shouldn't have updated but I had to roll back to keep production running.
Will need to go through them one at a time to figure out what happened using your pull request.
Really wish sjkp would help out on this. Great package,
@wzoet Thank-You! I was able to use your updates to successfully renew my certificate after getting the above error.
@wzoet, @joshualinde could you please share how to use this pull request to renew certificates on existing App Services? Is it needed to build and publish it as separate App Service Extension to nuget like here?
We moved all our certificates to Azure app service managed certificates. They are free now, so the use of this extension is somewhat deprecated.
App service managed certificates does exactly what this plugin does as well, but with certificates from another provider.
@wzoet Thank you, I somehow missed that App service managed certificates already supports naked domains.
Same challenge here. I also moved to managed certificates for app service.
Same issue, seems like somethings changed and the extension no longer works:
Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Microsoft.Azure.WebJobs.Host.FunctionInvocationException : Exception while executing function: Functions.RenewCertificate ---> Certes.AcmeException : Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'. at Certes.Pkcs.CertificateStore.GetIssuers(Byte[] der) at Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain,IKey certKey) at async LetsEncrypt.Azure.Core.Services.AcmeService.RequestCertificate() at D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\AcmeService.cs : 61 at async LetsEncrypt.Azure.Core.CertificateManager.RequestInternalAsync(IAcmeConfig config) at D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs : 210 at async LetsEncrypt.Azure.Core.CertificateManager.RequestAndInstallInternalAsync(IAcmeConfig config) at D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs : 234 at async LetsEncrypt.Azure.Core.CertificateManager.RenewCertificate(Boolean skipInstallCertificate,Int32 renewXNumberOfDaysBeforeExpiration) at D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs : 176 at async LetsEncrypt.SiteExtension.Functions.RenewCertificate(TimerInfo timerInfo) at D:\a\1\s\LetsEncrypt.SiteExtension.WebJob\Functions.cs : 68 at async Microsoft.Azure.WebJobs.Host.Executors.VoidTaskMethodInvoker2.InvokeAsync[TReflected,TReturnType](TReflected instance,Object[] arguments)
at async Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker2.InvokeAsync[TReflected,TReturnValue](Object instance,Object[] arguments) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeAsync(IFunctionInvoker invoker,ParameterHelper parameterHelper,CancellationTokenSource timeoutTokenSource,CancellationTokenSource functionCancellationTokenSource,Boolean throwOnTimeout,TimeSpan timerInterval,IFunctionInstance instance) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstance instance,ParameterHelper parameterHelper,TraceWriter traceWriter,CancellationTokenSource functionCancellationTokenSource) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) End of inner exception at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.TryExecuteAsync(IFunctionInstance functionInstance,CancellationToken cancellationToken)
I can merge it in, and make a new release, but I'm not going to do any extensive testing, as I'm not using the extension anymore.
Uploaded a new version, but didnt test it, let me know if it fixes anything.
@sjkp it worked the certificate renewed successfully after the update! Thank you!
@sjkp Thanks very much, this issue can be closed now I believe