Certify the Web on Server 2016 with Essentials

I’ve been testing Certify the Web on my Windows Server 2016 computer with the Essentials role. This sets up a Let’s Encrypt certificate for use as the server’s public certificate. Setup was pretty easy thanks to this great article on the Server Essentials site.

Yesterday, two months after setup, the certificate renewed automatically. Awesome! But what is this message in this morning’s Health Report?

Certify the Web 1

I logged on to the server, started the Remote Desktop Gateway Services manager, and was greeted with this message:

Certify the Web 2

I chose NOT to restart yet.

Checking the Certificate Manager for the Local Computer, I see the new Let’s Encrypt certificate, expiring in three months.

Checking IIS > Server Certificates, I see the old and new certificates listed. When I browse to my server in Remote Web Access, the new certificate is being presented. And in fact the Certify the Web log shows these messages after the renewal:

2019-05-12 17:01:53.758 -07:00 [INF] Performing Automated Certificate Binding
2019-05-12 17:01:54.992 -07:00 [INF] Completed certificate request and automated bindings update (IIS)

What seems to have been missed is the post-request script hook that I created to restart the Remote Desktop Gateway service. Oh! I see now that although I customized the script, I did not actually link it under Advanced Options > Scripting in Certify the Web. Here is how to set that up (put the script in a custom path to avoid it being overwritten when Certify the Web is updated):

Certify the Web 3

Update July 12, 2019: Put this in the second box, Post-request PS Script! See update below.

All fixed! Wait, not so fast. When I click Test, I get this message:

Certify the Web 4

Looks like that is related to this bug: https://github.com/webprofusion/certify/issues/442. Certify the Web was trying to Set-ExecutionPolicy Unrestricted and my policy is more restrictive. That was reported on version 4.1.4 and a new version was expected in a week (from 20 February 2019). But I’m running 4.1.5 and still seeing the same issue.

I updated to the latest version, 4.1.6, and got the same error. Then the original GitHub poster suggested this workaround:

Change %programdata%\Certify\serviceconfig.json. I changed the powershellexecutionpolicy line to (note the straight double quotes, which JSON requires):
"PowershellExecutionPolicy": "RemoteSigned"

I had some inconsistent results when I tested that but I’ll leave it like that for now and hope it works.

Update July 12, 2019

My certificate auto-renewed yesterday. Today I again had the RDS gateway certificate errors.

This time when I clicked Test next to the script, it worked fine:

Checking Remote Desktop Gateway Manager, the new certificate was correctly registered. So the script worked.

But wait, why is the script in the Pre-request PS Script box? It’s supposed to run after the new certificate is available! Moving it to Post-request PS Script now. Hopefully that fixes it for next time:
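For anyone setting up the same post-request hook, here is the kind of script I would put in that Post-request PS Script box. This is an added example, not the script from the Server Essentials article or from Certify the Web itself. It assumes Certify the Web passes a `$result` object whose `IsSuccess` and `ManagedItem.CertificateThumbprintHash` properties describe the renewal, that the Remote Desktop Gateway runs as the `TSGateway` service, and that `C:\Scripts\` is the custom path you chose for the script; treat all three as assumptions to verify on your own server. It only restarts the gateway after confirming the renewal succeeded and the new certificate really is in the Local Computer store, and it writes a log line you can check the next time the Health Report complains.

```powershell
# Added example post-request script for Certify the Web (not the blog's or the project's own script).
# Assumptions (verify on your server):
#   - Certify the Web passes a $result object with .IsSuccess and .ManagedItem.CertificateThumbprintHash
#   - the Remote Desktop Gateway service is named 'TSGateway'
#   - C:\Scripts\ is the custom path used for the script and its log
param($result)

$serviceName = 'TSGateway'                             # assumed RD Gateway service name
$logFile     = 'C:\Scripts\CertifyPostRequest.log'      # constructed log path

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
}

# Do nothing unless the renewal actually succeeded; a failed request leaves the old cert in place.
if (-not $result.IsSuccess) {
    Write-Log "Certificate request did not succeed; leaving $serviceName untouched."
    exit 0
}

$thumbprint = $result.ManagedItem.CertificateThumbprintHash
if ([string]::IsNullOrWhiteSpace($thumbprint)) {
    Write-Log "No thumbprint in result; not restarting $serviceName."
    exit 1
}

# Confirm the new certificate is present in the Local Computer personal store before restarting anything.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    Write-Log "Certificate $thumbprint not found in Cert:\LocalMachine\My; not restarting $serviceName."
    exit 1
}

Write-Log ("New certificate {0} ({1}) expires {2:yyyy-MM-dd}; restarting {3}." -f `
    $thumbprint, $cert.Subject, $cert.NotAfter, $serviceName)

# Restart the gateway so it stops presenting the old (soon-to-expire) certificate.
Restart-Service -Name $serviceName -Force -ErrorAction Stop

$svc = Get-Service -Name $serviceName
Write-Log "$serviceName status after restart: $($svc.Status)"
```

Because it only touches the gateway when `$result.IsSuccess` is true and the thumbprint is in the store, running it from the Pre-request box would be a no-op at best, which is one more reason it belongs in the Post-request box. The log file is also the quickest way to confirm, after the next automatic renewal, that the hook actually fired.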
