Self-hosted, can't get Let's Encrypt working

Oliver Collyer

04 Mar, 2020 05:45 PM

I have installed AppVeyor server on a Windows 10 machine. I also have Gitea running on this machine. With Gitea I successfully enabled HTTPS using Let's Encrypt, by doing the following:

- setting up the DNS for the domain gitea.mydomain.com to point to my public IP address
- setting up a CAA record for gitea.mydomain.com authorising Let's Encrypt to issue a certificate
- port forwarding 443 on my router to 8443 on the PC running Gitea (which Gitea listens on)

This all works perfectly.

I have now set up AppVeyor, initially with HTTP access, using these steps:

- setting up the DNS for the domain appveyor.mydomain.com to point to my public IP address
- port forwarding 80 on my router to 80 on the PC running AppVeyor.

This works for HTTP access.

I am now trying to get Let's Encrypt working with AppVeyor.

I did the following:

- modified the AppVeyor server settings in the registry to listen on port 8444.
- verified the above by running netstat -anb and locating the entry for appveyor-server.exe listening on port 8444
- port forwarded 444 on my router to 8444 on the PC running AppVeyor
- set up a CAA record for appveyor.com authorising Let's Encrypt to issue a certificate

I then enabled HTTPS in the AppVeyor server settings, setting the public URL to https://appveyor.mydomain.com:444 and choosing Let's Encrypt as the option for the certificate. It accepts these settings, but does not work.

Any attempt to load https://appveyor.mydomain.com:444 immediately fails.

In the Windows Event Viewer, I see the following entries at each attempt to reach AppVeyor:

Category: Microsoft.AspNetCore.Server.Kestrel
EventId: 0
ConnectionId: 0HLU0AMTG0K88

Unhandled exception while processing 0HLU0AMTG0K88.

Exception:
System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint, Byte[] clientHello)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.InnerOnConnectionAsync(ConnectionContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection.ExecuteAsync()

Does anyone know what else I need to do to get Let's Encrypt HTTPS working with AppVeyor?

The fact that the above error is triggered shows that all the port forwarding etc. is working, but for some reason AppVeyor cannot handle the HTTPS request.

Is there any additional logging available to see the interactions between AppVeyor and Let's Encrypt? I do not know if the certificate was even successfully issued.

  1. Posted by Feodor Fitsner (Support Staff) on 04 Mar, 2020 05:58 PM

    When you initiate the certificate issuing process you should have http://appveyor.domain.com (HTTP) in the Application public URL of the General tab of the system settings, i.e. the app should be opened in the browser with the exact same HTTP URL. Then you choose the Let's Encrypt option and click "Update".

    Issued certificate in PFX format is stored in %ProgramData%\AppVeyor\Server directory.

  2. Posted by Oliver Collyer on 04 Mar, 2020 06:14 PM

    Ok, I see the cert - so am I supposed to do something with that PFX file? Is it not supposed to be installed automatically, as happened with Gitea?

  3. Posted by Feodor Fitsner (Support Staff) on 04 Mar, 2020 06:17 PM

    It should be installed and used automatically. It's protected with a random password.

    Remove the cert from that folder, switch the site back to HTTP without a cert and then repeat the issuing process again.

  4. Posted by Feodor Fitsner (Support Staff) on 04 Mar, 2020 06:18 PM

    ...and in the Event Log you should see information messages while the cert is being issued.

  5. Posted by Oliver Collyer on 04 Mar, 2020 06:40 PM

    Ok, maybe my last post was too big as it hasn't shown up - so I cleared the event log, and re-ran the process.

    Attached is the event log. It looks like it acquires the cert ok, but the error still occurs when trying to access the site.

    Attaching the log instead.

  6. Posted by Feodor Fitsner (Support Staff) on 04 Mar, 2020 06:49 PM

    The error is cryptic indeed - never seen it before. Googling hints that there might be something related to permissions: here and here.

    What user account is the AppVeyor Server service running under? Is that account a member of the Administrators group? For the sake of experiment, can you try running the service under Local System?

  7. Posted by Oliver Collyer on 04 Mar, 2020 07:08 PM

    It was running as the "appveyor" user which I assume was generated by the installer and is listed as "Administrator - Local User" in Windows 10 settings.

    I changed the service to run as Local User, and this has solved the problem.

    Is there a need for the service to run as a new "appveyor" account? 99% of the services listed on my computer run as either "Local User" or "Local Service" with a few as "Network Service". None have a custom-created user.

  8. Posted by Feodor Fitsner (Support Staff) on 04 Mar, 2020 10:19 PM

    It's good practice to run a service under a separate user account, to reduce the scope of permissions the service has and so reduce the attack surface. However, it's not mandatory. That's great that changing the service identity fixed the issue for you.
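The thread ends with the service moved to Local System, which works but gives up the separate-account hardening the last reply recommends. SChannel's 0x8009030D (SEC_E_UNKNOWN_CREDENTIALS) is a common symptom of the service identity being unable to open the certificate's private key, and the thread never confirmed that this was the root cause here. The PowerShell script below is an added example, not part of the thread or of AppVeyor's own code, showing the least-privilege alternative: keep the dedicated account and grant it Read on the key container only. It assumes the service is registered as 'AppVeyor.Server' (a guessed name; check Get-Service), that the issued certificate was imported into LocalMachine\My, and that the key containers live under the standard %ProgramData%\Microsoft\Crypto directories. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the AppVeyor thread or product). Assumed names:
# service 'AppVeyor.Server', cert in LocalMachine\My, standard key store paths.
param(
    [string]$ServiceName = 'AppVeyor.Server',          # assumed service name
    [string]$CertSubject = 'CN=appveyor.mydomain.com', # host name from the thread
    [int]$Port           = 8444                        # listener port from the thread
)
$ErrorActionPreference = 'Stop'

# 1. Which identity runs the service? (the thread's dedicated "appveyor" account)
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service '$($svc.Name)' runs as: $($svc.StartName)"
if ($svc.StartName -eq 'LocalSystem') {
    "LocalSystem can already read every machine key; nothing to grant."
    return
}
$account = $svc.StartName
if ($account -like '.\*') { $account = "$env:COMPUTERNAME\$($account.Substring(2))" }

# 2. Newest certificate for the host name that carries a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $CertSubject in LocalMachine\My" }
"Certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 3. Locate the key container on disk. CNG keys (RSACng/ECDsaCng) expose
#    Key.UniqueName; legacy CAPI keys expose CspKeyContainerInfo. Either value
#    is a file name under one of the machine key directories.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
$keyName = if ($key.PSObject.Properties['Key']) { $key.Key.UniqueName } else { $key.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @('Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\SystemKeys') |
    ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $keyName } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# 4. Show who can read the key today, then add Read (and nothing more) for the account.
$acl = Get-Acl $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize | Out-String
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
"Granted Read on $keyFile to $account"

# 5. Restart the service and confirm the TLS handshake now completes locally.
Restart-Service -Name $ServiceName
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
# Validation is skipped only because this is a loopback smoke test of the
# server side; never disable it in a real client.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient(($CertSubject -replace '^CN='))
"Handshake OK over $($ssl.SslProtocol); server presented $($ssl.RemoteCertificate.Subject)"
$ssl.Dispose(); $tcp.Dispose()
```

If step 5 still fails with the same Kestrel exception after the ACL change, the key-permission theory is wrong for that installation and the Local System workaround from the thread remains the fallback. Note that Let's Encrypt renewals produce a new key container, so the grant has to be repeated (or scripted) after each renewal.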
