<p>AppVeyor: Discussion: Self-hosted, can't get Lets Encrypt working</p>
<p>tag:help.appveyor.com,2012-11-13:/discussions/problems/26476-self-hosted-cant-get-lets-encrypt-working (updated 2020-05-05T21:02:50Z)</p>

<p>Comment posted 2020-03-04T17:58:29Z:</p>
<div><p>When you initiate the certificate issuing process you should have <code>http://appveyor.domain.com</code> (HTTP) in <code>Application public URL</code> on the General tab of system settings, i.e. the app should be opened in the browser with the exact same HTTP URL. Then you choose the Let's Encrypt option and click "Update".</p>
<p>The issued certificate, in PFX format, is stored in the <code>%ProgramData%\AppVeyor\Server</code> directory.</p></div>
<p>Posted by: Feodor Fitsner</p>

<p>Comment posted 2020-03-04T18:14:47Z:</p>
<div><p>Ok, I see the cert - so am I supposed to do something with that PFX file? Is it not supposed to be installed automatically, as happened with Gitea?</p></div>
<p>Posted by: Oliver Collyer</p>

<p>Comment posted 2020-03-04T18:17:03Z:</p>
<div><p>It should be installed and used automatically. It's protected with a random password.</p>
<p>Remove the cert from that folder, switch the site back to HTTP without the cert and then repeat the issuing process again.</p></div>
<p>Posted by: Feodor Fitsner</p>

<p>Comment posted 2020-03-04T18:18:19Z:</p>
<div><p>...and in the EventLog you should see information messages when the cert is being issued.</p></div>
<p>Posted by: Feodor Fitsner</p>

<p>Comment posted 2020-03-04T18:40:03Z:</p>
<div><p>Ok, maybe my last post was too big as it hasn't shown up - so I cleared the event log, and re-ran the process.</p>
<p>Attached is the event log. It looks like it acquires the cert ok, but the error still occurs when trying to access the site.</p>
<p>Attaching the log instead.</p></div>
<p>Posted by: Oliver Collyer</p>

<p>Comment posted 2020-03-04T18:49:39Z:</p>
<div><p>The error is cryptic indeed - never seen it before. Googling hints that there might be something related to permissions: <a href="https://github.com/dotnet/runtime/issues/27222">here</a> and <a href="https://stackoverflow.com/questions/7984945/the-credentials-supplied-to-the-package-were-not-recognized-error-when-authent">here</a>.</p>
<p>What user account is the AppVeyor Server service running from? Is that account a member of the <code>Administrators</code> group? For the sake of experiment, can you try running the service under <code>Local System</code>?</p></div>
<p>Posted by: Feodor Fitsner</p>

<p>Comment posted 2020-03-04T19:08:30Z:</p>
<div><p>It was running as the "appveyor" user which I assume was generated by the installer and is listed as "Administrator - Local User" in Windows 10 settings.</p>
<p>I changed the service to run as Local User, and this has solved the problem.</p>
<p>Is there a need for the service to run as a new "appveyor" account? 99% of the services listed on my computer run as either "Local User" or "Local Service" with a few as "Network Service". None have a custom-created user.</p></div>
<p>Posted by: Oliver Collyer</p>

<p>Comment posted 2020-03-04T22:19:33Z:</p>
<div><p>It's a good practice to run a service under a separate user account, to reduce the scope of permissions the service has, to reduce the surface of attack. However, it's not mandatory. It's great that changing the service identity fixed the issue for you.</p></div>
<p>Posted by: Feodor Fitsner</p>
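
<p>The two questions asked in the thread (which account the service runs as, and whether that account is in <code>Administrators</code>) can be answered with a short PowerShell audit that also lists who can read the directory holding the issued PFX. This is an added example, not part of the original discussion or AppVeyor's own tooling; the <code>*AppVeyor*</code> display-name pattern is an assumption, and the directory is the one named in the thread.</p>

```powershell
# Added example: report the identity a service runs under and who can read its data directory.
# Assumption: the service display name contains "AppVeyor"; adjust the pattern for your install.
$NamePattern = '*AppVeyor*'
# Directory named in the thread as the location of the issued PFX.
$DataDir = Join-Path $env:ProgramData 'AppVeyor\Server'

# Built-in service identities as Win32_Service reports them in StartName.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

# Members of local Administrators, looked up by well-known SID so the
# check also works on non-English Windows installs.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name })

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        $account = $_.StartName
        # Local accounts are stored as ".\name"; expand to "COMPUTER\name"
        # so the value can be compared with the group member list.
        $resolved = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $account
            BuiltIn    = $builtIn -contains $account
            # LocalSystem has more rights than any administrator account.
            Privileged = ($account -eq 'LocalSystem') -or ($admins -contains $resolved)
        }
    } | Format-Table -AutoSize

if (Test-Path $DataDir) {
    # Issued certificates found in the directory.
    Get-ChildItem $DataDir -Filter *.pfx |
        Select-Object Name, LastWriteTime | Format-Table -AutoSize

    # Identities allowed to access the directory, and whether the grant is inherited.
    (Get-Acl $DataDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Warning "Directory not found: $DataDir"
}
```

<p>Run it from an elevated prompt before and after changing the service identity to see how the account's privilege level changes.</p>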