Help with mscertsrv/ADCS & win-acme -- CAhandler.enroll() / _pkcs7_to_pem() failed

[ggilliom]

Hello,

I've made substantial progress in connecting win-acme to my internal microsoft CA server that uses ADCS through a2c's mscertsrv handler. Right now, I'm just trying to create a new certificate for an IIS site on my network via win-acme so that it can set up a renewal. win-acme is on Windows and a2c is on a linux machine.

I'm encountering an error in the CAhandler.enroll(<template>) method, specifically when it calls the self._pkcs7_to_pem(ca_pkcs7) method; below are a2c logs pertaining to this.

From a2c logs, it appears that a challenge validation is being passed/working properly before the logs are generated (http-01, I believe), that the mscertsrv CA handler is being properly accessed and run/used, and that

• CAhandler.__check_credentials() ended with True
• https://<host>/certsrv/certcarc.asp renewals == 0
• HTTP request to certsrv/certnew.p7b returns 'application/x-pkcs7-certificates' header
• all Certsrv config properties are loaded in properly from acme_srv.cfg

I also confirmed that certsrv is installed within the docker container.

Everything seems to run smoothly until the CAhandler._pkcs7_to_pem() method is called; I believe there's an issue happening where the data is attempting to be read as bytes into cryptography's load_pem_pkcs7_certificates() method but is being read as a string instead; this wouldn't make sense, though, because convert_string_to_byte is called before this.

I saw that in mscertsrv.md, the md4 algo in openssl.cfg must be allowed; my a2c host does not have an /etc/ssl/openssl.cnf file, only /etc/pki/tls/openssl.cnf, and it does not have the lines that the $ sed command relies on for text search/replacement.
I also confirmed that the internal CA is included in the ca_bundle file that the docker container is using, although it's a .crt file rather than a .pem file.

Any idea what might be going wrong with this, specifically the HTTP requests being made and the data that is supposed to be pulled from them? I was originally worried it was a ca-bundle issue, but it seems to be data parsing related as a result of something unexpected being returned by an API call.

win-acme logs after "Send POST to http://<host>:22280/acme/order/<order_id>/finalize" are located below the a2c logs I've provided.

I'm happy to share more logs or other information about the situation, should it be helpful. Looking forward to resolving this soon -- Thank you!

a2c LOGS

...
CAhandler.__check_credentials() ended with True
b64_url_recode()
<certsrv.get_chain starts here>
https://<host>:<port> "GET /certsrv/certcarc.asp HTTP/1.1" 200 19693
Sent GET request to https://<host>/certsrv/certcarc.asp, with headers:
User-agent: Mozilla/5.0 certsrv (https://github.com/magnuswatn/certsrv)
Cookie: <cookie>
Connection: Keep-Alive
and body:
None
Received response:
HTTP 200
< rest of response is massive .asp code that corresponds to what I see when I access this endpoint on my browser and view it from the developer console >
< (renewals line is 'var nRenewals=0;') >
https://<host>:<port> "GET /certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64 HTTP/1.1" 200 2905
Sent GET request to https://<host>/certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64, with headers:
<headers>
and body:
None
Received response:
HTTP 200
Content-Type: application/x-pkcs7-certificates
< code page header info >
<%  ' ########## BEGIN SERVER SIDE EXECUTION ##########
< code for processing a certificate request, or something; this is also called from the get_chain method on the line 'chain_response = self._get(chain_url, params=params) >
 ########## END SERVER SIDE EXECUTION ##########

CAhandler._pkcs7_to_pem()
CAhandler._pkcs7_to_pem(): load pem failed. Try der...
ca_server.get_chain() failed with error: argument 'data': 'str' object cannot be converted to 'PyBytes'
https://<host>:<port> "POST /certsrv/certfnsh.asp HTTP/1.1" 200 15918
Sent POST request to https://<host>/certsrv/certfnsh.asp, with headers:
< headers >

and body:
Mode=< long string >
Received response:
HTTP 200
Cache-Control: private
Content-Type: text/html
< other response data, massive webpage content and JS code; includes language like 'The certificate you requested was issued to you' >

https://<host>:<port> "GET /certsrv/certnew.cer?ReqID=274&Enc=b64 HTTP/1.1" 200 2400
Sent GET request to https://<host>/certsrv/certnew.cer?ReqID=274&Enc=b64, with headers:
User-agent: Mozilla/5.0 certsrv (https://github.com/magnuswatn/certsrv)
Cookie: ASPSESSIONIDAURDSATD=JCFDBFKBJLGJCDFJGPPPBCIA
Connection: Keep-Alive

and body:
None
Recieved response:
HTTP 200
Cache-Control: private
Content-Type: application/pkix-cert
Server: Microsoft-IIS/10.0
Set-Cookie: ASPSESSIONIDAURDSATD=KCFDBFKBKPEJHIINKILGLKDP; secure; path=/
Persistent-Auth: true
Date: Wed, 20 Mar 2024 20:42:14 GMT
Content-Length: 2400

-----BEGIN CERTIFICATE-----
<cert>
-----END CERTIFICATE-----

CAhandler._cert_bundle_create()
cert bundling failed
Certificate.enroll() ended
Certificate._enroll() ended
acme2certifier enrollment error: cert bundling failed
Certificate._enrollerror_handler(cert bundling failed)
Certificate._enrollerror_handler(): invalidating order as there is no certificate and no poll_identifier: cert bundling failed/oZMLwK3MlY6o
Certificate._order_update({'name': 'oZMLwK3MlY6o', 'status': 'invalid'})
order_update({'name': 'oZMLwK3MlY6o', 'status': 'invalid'})
DBStore._status_getinstance(name:invalid)
Certificate._store_cert_error(H8WwcCl4dTV6)
DBStore.certificate_add()
DBStore.certificate_add() ended with :15
Certificate._store_cert_error(15) ended
Certificate._enrollerror_handler() ended with: None
Certificate._pre_hooks_process(H8WwcCl4dTV6, oZMLwK3MlY6o
Certificate._post_hooks_process([])
Certificate._enroll_and_store() ended with: None:urn:ietf:params:acme:error:serverInternal
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib/python3.10/logging/__init__.py", line 1100, in emit
    msg = self.format(record)
  File "/usr/lib/python3.10/logging/__init__.py", line 943, in format
    return fmt.format(record)
  File "/usr/lib/python3.10/logging/__init__.py", line 678, in format
    record.message = record.getMessage()
  File "/usr/lib/python3.10/logging/__init__.py", line 368, in getMessage
    msg = msg % self.args
TypeError: not all arguments converted during string formatting
Call stack:
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/wsgi.py", line 133, in __call__
    response = self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/base.py", line 130, in get_response
    response = self._middleware_chain(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/utils/deprecation.py", line 117, in __call__
    response = response or self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/utils/deprecation.py", line 117, in __call__
    response = response or self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/utils/deprecation.py", line 117, in __call__
    response = response or self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/utils/deprecation.py", line 117, in __call__
    response = response or self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/utils/deprecation.py", line 117, in __call__
    response = response or self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/utils/deprecation.py", line 117, in __call__
    response = response or self.get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/var/www/acme2certifier/./acme_srv/views.py", line 212, in order
    response_dic = eorder.parse(request.body, request.META)
  File "/var/www/acme2certifier/./acme_srv/order.py", line 526, in parse
    (code, message, detail, certificate_name, order_name) = self._parse(protected, payload, header)
  File "/var/www/acme2certifier/./acme_srv/order.py", line 494, in _parse
    (code, message, detail, certificate_name) = self._process(order_name, protected, payload, header)
  File "/var/www/acme2certifier/./acme_srv/order.py", line 281, in _process
    (code, message, detail, certificate_name) = self._finalize(order_name, payload, header)
  File "/var/www/acme2certifier/./acme_srv/order.py", line 246, in _finalize
    (code, certificate_name, detail) = self._csr_process(order_name, payload['csr'], header_info)
  File "/var/www/acme2certifier/./acme_srv/order.py", line 317, in _csr_process
    (error, detail) = certificate.enroll_and_store(certificate_name, csr, order_name)
  File "/var/www/acme2certifier/./acme_srv/certificate.py", line 793, in enroll_and_store
    self.logger.debug('Certificate.enroll_and_store() ThreadWithReturnValue ended', certificate_name, order_name)
Message: 'Certificate.enroll_and_store() ThreadWithReturnValue ended'
Arguments: ('H8WwcCl4dTV6', 'oZMLwK3MlY6o')
Certificate.enroll_and_store() ended with: None:urn:ietf:params:acme:error:serverInternal
Order._csr_process() ended with order:oZMLwK3MlY6o 500:{urn:ietf:params:acme:error:serverInternal:None
Order._finalize() ended
Order._process() ended with order:oZMLwK3MlY6o 500:urn:ietf:params:acme:error:serverInternal:enrollment failed
Order._parse() ended with code: 500
Message.prepare_response()
Error.enrich_error()
Error.acme_errormessage(urn:ietf:params:acme:error:serverInternal)
Nonce.nonce_generate_and_add()
Nonce.nonce__new()
got nonce: c7772dd62a8a4ccba15ae000000e1980
DBStore.nonce_add(c7772dd62a8a4ccba15ae000000e1980)
Nonce.generate_and_add() ended with:c7772dd62a8a4ccba15ae000000e1980
Order.parse() returns: {"code": 500, "header": {"Replay-Nonce": "c7772dd62a8a4ccba15ae000000e1980"}, "data": {"status": 500, "type": "urn:ietf:params:acme:error:serverInternal", "detail": "enrollment failed"}}
10.80.64.234 /acme/order/oZMLwK3MlY6o/finalize {'code': 500, 'header': {'Replay-Nonce': '- modified -'}, 'data': {'status': 500, 'type': 'urn:ietf:params:acme:error:serverInternal', 'detail': 'enrollment failed'}}
Internal Server Error: /acme/order/oZMLwK3MlY6o/finalize

win-acme LOGS

...
Submitting CSR
 [DBUG] Waiting for order to get ready (1/15)
 [DBUG] [HTTP] Send POST to http://<host>:22280/acme/order/<order_id>
 [VERB] [HTTP] Request content: {"protected":"<protected>","payload":"","signature":"<signature>"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {"status": "ready", "expires": "2024-03-21T20:42:05Z", "identifiers": [{"type": "dns", "value": "<domain."}], "authorizations": ["http://<host>:22280/acme/authz/<authz>"], "finalize": "http://<host>:22280/acme/order/<order_id>/finalize"}
 [DBUG] [HTTP] Send POST to http://<host>:22280/acme/order/<order_id>/finalize
 [VERB] [HTTP] Request content: {"protected":"<protected>","payload":"<payload, a long string>","signature":"<signature>"}

[WARN] [HTTP] Request completed with status InternalServerError
 [VERB] [HTTP] Response of type null (99 bytes)
 [EROR] Error requesting certificate [IIS] demo, (any host)
ACMESharp.Protocol.AcmeProtocolException: Unexpected response status code [InternalServerError] for [FinalizeOrderAsync]
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(String relativeUri, HttpMethod method, String message, HttpStatusCode[] expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[TResponse,TRequest](String uri, JsonTypeInfo`1 requestType, JsonTypeInfo`1 responseType, HttpMethod method, TRequest message, HttpStatusCode[] expectedStatuses, Boolean includePublicKey, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.FinalizeOrderAsync(AcmeOrderDetails details, Byte[] derEncodedCsr)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.<>c__DisplayClass1_0`1.<<Retry>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClient.SubmitCsr(AcmeOrderDetails details, Byte[] csr)
   at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, Order order)
   at PKISharp.WACS.OrderProcessor.GetFromServer(OrderContext context)

[ggilliom]

In CAHandler.enroll(), the method ca_server.get_cert(...) is called, within which makes a _post method call and searches that POST response like:

req_id = re.search(r"certnew.cer\?ReqID=(\d+)&", response.text).group(1)

In a2c logs, I found the following that I believe corresponds to this:

<P>
    <Span ID=spnNotTrusted Style="display:none"><LocID ID=locNotTrusted>
   <Font Color=#FF0000>This CA is not trusted.</Font>  To trust certificates issued from this certification authority,
   <A Href="certnew.cer?ReqID=CACert&amp;Renewal=0&amp;Mode=inst&amp;Enc=b64"
           OnMouseOver="window.status='Install this CA certificate';return true;"
           OnMouseOut="window.status='';return true;"
   >install this CA certificate</A>
   </LocID></Span>
</P>

Is this referring to the internal CA that should be renewing my certificate? The name CACert does not match with the internal CA's name. Why might it not be trusted? It's included in the ca-bundle in acme_srv.cfg. What's determining that it's not trusted here?

I should also note that win-acme is requesting a certificate that's already been created by the CA, so enroll -> get_cert eventually calls get_existing_cert; a response is generated with cert data of content type application/pkix-cert.

So it seems that get_cert() works, but get_chain() fails, and as a resule, _cert_bundle_create(...) also fails, which invalidates the order.

So, I'm just not sure how to correct get_chain(). Any input would be appreciated -- thank you!

[grindsa]

Hi,

your assumption is right. The function _cert_bundle_create expects both ca-chain and certificate. Both will be fetched from the CA server and I see from the above logs that the request to fetch the ca chain failes with an error:

ca_server.get_chain() failed with error: argument 'data': 'str' object cannot be converted to 'PyBytes'

The ca_bundle file specified in acme_srv.cfg should contain the CA certificates validate the TLS certificate used by acme2certifier.

Can you please share the full log via email to grindelsack <at> gmail.com

Which windows server version are you running?

Further out of curiosity: why did you decide to use the mscertsrv handler instead of the WCCE one?

/G.

[ggilliom]

Hello,

Just sent you an email; I'll summarize briefly here.

I attached full logs to the email (win-acme portion seen below). I tried, as your suggested, to switch to the mswcce CA handler and it worked better -- I got past the issue I was having earlier once I provided proper config details in acme_srv.cfg (although, including target_domain and domain_controller kept giving errors, but removing both allowed for seemingly more success).

I'm running win-acme on a Windows Servers 2019 Datacenter version 1809 with sites hosted via IIS 10.

Now, the issue seems to be more win-acme related, where the certificate binding in IIS fails despite it being (seemingly) properly found. I've found a variety of forums/issues/discussions on win-acme's GitHub relating to this, but none of those solutions seem to be relevant to this specific case of using ADCS (rather than LE or ZeroSSL or another environment difference). Is this something you've encountered?

Let me know and thank you again for your promptness!

end of win-acme logs:

<PEM certificate data parsing>
...
[VERB] Certificate <certificate issuer/subject data>
 [DBUG] Certificate written to cache file <file.pfx> in certificate cache folder C:\ProgramData\win-acme\<a2c host>22280\Certificates. It will be reused when renewing within 1 day(s) as long as the --source and --csr parameters remain the same and the --force switch is not used.
 [VERB] Processing order 1/1: Main

 [--test] Store and install the certificate for order Main? (y*/n) - yes

 [VERB] Autofac: creating PluginBackend<IStorePlugin> scope with parent PluginBackend<ICsrPlugin>
 [VERB] W3SVC detected and running
 [VERB] FTPSVC detected and running
 [DBUG] Certificate store name: WebHosting
 [INFO] Store with CertificateStore...
 [WARN] Certificate with thumbprint <####> is already in the store <NOTE: this thumbprint is different from the one that I expected to be already in the store for the cert we're attempting to create via win-acme>
 [VERB] Autofac: creating PluginBackend<IInstallationPlugin> scope with parent PluginBackend<ICsrPlugin>
 [VERB] W3SVC detected and running
 [VERB] FTPSVC detected and running
 [INFO] Installing with IIS...
 [INFO] Updating existing https binding <domain>:443:<win-acme host IP> (flags: 1)
 [INFO] Committing 1 https binding changes to IIS while updating site 39
 [EROR] (COMException) Unable to install certificate: A specified logon session does not exist. It may already have been terminated. (0x80070520)
 [DBUG] Exception details: COMException {ErrorCode=-2147023584, TargetSite=Void Execute(), Message="A specified logon session does not exist. It may already have been terminated. (0x80070520)", Data=[], InnerException=null, HelpLink=null, Source="Microsoft.Web.Administration", HResult=-2147023584, StackTrace="   at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()\r\n   at Microsoft.Web.Administration.ConfigurationMethodInstance.Execute()\r\n   at Microsoft.Web.Administration.Binding.AddSslCertificate(Byte[] certificateHash, String certificateStoreName)\r\n   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()\r\n   at Microsoft.Web.Administration.BindingManager.Save()\r\n   at Microsoft.Web.Administration.ServerManager.CommitChanges()\r\n   at PKISharp.WACS.Clients.IIS.IISClient.Commit()\r\n   at PKISharp.WACS.Clients.IIS.IISClient.UpdateHttpSite(IEnumerable`1 identifiers, BindingOptions bindingOptions, Byte[] oldCertificate, IEnumerable`1 allIdentifiers)\r\n   at PKISharp.WACS.Plugins.InstallationPlugins.IIS.PKISharp.WACS.Plugins.Interfaces.IInstallationPlugin.Install(Dictionary`2 storeInfo, ICertificateInfo newCertificate, ICertificateInfo oldCertificate)\r\n   at PKISharp.WACS.OrderProcessor.HandleInstall(OrderContext context, ICertificateInfo newCertificate, CertificateInfoCache previousCertificate, Dictionary`2 storeInfo)"}

 Create certificate failed, retry? (y/n*)

<if I retry, it just repeats>

end of a2c logs:

<authorization, challenge, and nonce checks all valid; configs loaded>
Nonce._check_and_delete() ended with:200
Nonce.check_nonce() ended with:200
Message._name_get()
kid: http://<a2c host>:22280/acme/acct/wyx5xt4xZZuo
Message._name_get() returns: wyx5xt4xZZuo
error_dict_get()
Signature.check(wyx5xt4xZZuo)
check signature against account key
Signature._jwk_load(wyx5xt4xZZuo)
DBStore.jwk_load(wyx5xt4xZZuo)
signature_check(False)
signature_check(): load plain json
signature_check() ended with: True, None
Signature.check() ended with: True:None
Message._check() ended with: 200
Message.check() ended with:200
string_sanitize()
Certificate.new_get(jsE4Wy9LrTie)
Certificate._info(jsE4Wy9LrTie)
DBStore.certificate_lookup(name:jsE4Wy9LrTie)
DBStore.certificate_lookup() ended with: {'name': 'jsE4Wy9LrTie', 'csr': <plaintext of ca-bundle.crt file>, 'order__status_id': 5, 'order': 'yHFoWWCGVsDM'}
Certificate.new_get(200) ended
Message.prepare_response()
Nonce.nonce_generate_and_add()
Nonce.nonce__new()
got nonce: bbdb129a1ba542f1a6bbf26b44886f41
DBStore.nonce_add(bbdb129a1ba542f1a6bbf26b44886f41)
Nonce.generate_and_add() ended with:bbdb129a1ba542f1a6bbf26b44886f41
Certificate.new_post() ended with: 200
<win-acme host IP> /acme/cert/jsE4Wy9LrTie {'code': 200, 'data': ' - certificate - ', 'header': {'Content-Type': 'application/pem-certificate-chain', 'Replay-Nonce': '- modified -'}}
[pid: 27|app: 0|req: 1/7] <win-acme host IP> () {36 vars in 551 bytes} [Fri Mar 22 19:10:40 2024] POST /acme/cert/jsE4Wy9LrTie => generated 259321 bytes in 501 msecs (HTTP/1.1 200) 6 headers in 226 bytes (2 switches on core 0)

Thank you!

[grindsa]

Hi,

happy to hear that you overcame the issue. I would always prefer the usage of the wcce_handler with Kerberos activated due to [the announcement from Microsoft to retire NTLM] (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848).

On my side it works by using the following parameters in acme_srv.cg

handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py
host: <WCCE_FQDN>
user: <WCCE_USER>
password: <WCCE_PASSWORD>
template: <WCCE_TEMPLATE>
ca_name: <WCCE_CA_NAME>
target_domain: <ADS_DOMAIN>
domain_controller: <DC_IP>
ca_bundle: <BUNDLE>
use_kerberos: True

I unfortunately cannot help with the winacme issue as my knowledge there is rather limited. But if you drill-down the issue again to a2c let me know. I am happy to help..

/G.

[ggilliom]

Thank you again for the information, seriously so much appreciated!We’ll move forward with WCCE handler; will look into Kerberos over NTLM too.Briefly, could you explain the fields for “target_domain” and “domain_controller?” My understanding is that they’re both related to the “host” field (if not the same value) but I may be mistaken; would they be IPs or specific/entire domain names rather than just an alias? Please let me know — thank you!GarrettOn Mar 24, 2024, at 11:23 AM, grindsa ***@***.***> wrote:Hi, happy to hear that you overcame the issue. I would always prefer the usage of the wcce_handler with Kerberos activated due to [the announcement from Microsoft to retire NTLM] (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848). On my side it works by using the following parameters in acme_srv.cg handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py host: <WCCE_FQDN> user: <WCCE_USER> password: <WCCE_PASSWORD> template: <WCCE_TEMPLATE> ca_name: <WCCE_CA_NAME> target_domain: <ADS_DOMAIN> domain_controller: <DC_IP> ca_bundle: <BUNDLE> use_kerberos: True I unfortunately cannot help with the winacme issue as my knowledge there is rather limited. But if you drill-down the issue again to a2c let me know. I am happy to help.. /G. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[ggilliom]

Thank you again for the information, seriously so much appreciated!We’ll move forward with WCCE handler; will look into Kerberos over NTLM too.Briefly, could you explain the fields for “target_domain” and “domain_controller?” My understanding is that they’re both related to the “host” field (if not the same value) but I may be mistaken; would they be IPs or specific/entire domain names rather than just an alias? Please let me know — thank you!GarrettOn Mar 24, 2024, at 11:23 AM, grindsa ***@***.***> wrote:Hi, happy to hear that you overcame the issue. I would always prefer the usage of the wcce_handler with Kerberos activated due to [the announcement from Microsoft to retire NTLM] (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848). On my side it works by using the following parameters in acme_srv.cg handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py host: <WCCE_FQDN> user: <WCCE_USER> password: <WCCE_PASSWORD> template: <WCCE_TEMPLATE> ca_name: <WCCE_CA_NAME> target_domain: <ADS_DOMAIN> domain_controller: <DC_IP> ca_bundle: <BUNDLE> use_kerberos: True I unfortunately cannot help with the winacme issue as my knowledge there is rather limited. But if you drill-down the issue again to a2c let me know. I am happy to help.. /G. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>