From e4f0be5539e000b6ecd64be61f2bebc026b9933d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 29 Apr 2026 02:35:18 +0000
Subject: [PATCH] docs: fix typos, grammar, and punctuation across all markdown files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix its/it's possessive errors (12 occurrences)
- Fix duplicate words (to to, under under, used used, each of part)
- Fix verb agreement and tense errors
- Fix spelling errors (indvidual, uncluding, wwwwroot, VNP, teh)
- Fix punctuation (mismatched quotes, double spaces, double periods)
- Fix factual error: 'Redirect to HTTP' → 'Redirect to HTTPS'
- Fix wrong DB name in data-stores.md PostgreSQL section heading
- Remove duplicate line in managedchallenges.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: webprofusion-chrisc <2445502+webprofusion-chrisc@users.noreply.github.com>
---
 README.md | 2 +-
 blog/2024-12-08-acme-clients.md | 2 +-
 blog/2025-01-17-acme-profiles.md | 6 +++---
 docs/backgroundservice.md | 8 ++++----
 docs/certificate-process.md | 4 ++--
 docs/commandline.md | 4 ++--
 docs/deployment/tasks/apache.md | 2 +-
 docs/deployment/tasks/exchange.md | 12 ++++++------
 docs/deployment/tasks/nginx.md | 2 +-
 docs/deployment/tasks_intro.md | 10 +++++-----
 docs/dns/providers/awsroute53.md | 2 +-
 docs/dns/providers/certifydns.md | 12 ++++++------
 docs/features/certificate-advanced.md | 4 ++--
 docs/features/data-stores.md | 6 +++---
 docs/guides/apache-nginx.md | 2 +-
 docs/guides/architecture/load-balanced-hosting.md | 4 ++--
 docs/guides/auto-update.md | 2 +-
 docs/guides/best-practices.md | 6 +++---
 docs/guides/certificate-authorities.md | 4 ++--
 docs/guides/csr.md | 2 +-
 docs/guides/security.md | 2 +-
 docs/guides/ssl-windows.md | 2 +-
 docs/guides/tools.md | 2 +-
 docs/http-validation.md | 6 +++---
 docs/hub/guides/certificate-subscriptions.md | 2 +-
 docs/hub/guides/day-2-operations.md | 2 +-
 docs/hub/guides/managedchallenges.md | 1 -
docs/hub/known-issues.md | 6 +++--- docs/kb/202109-letsencrypt.md | 6 +++--- docs/kb/202601-letsencrypt.md | 8 ++++---- docs/renewals.md | 4 ++-- docs/script-hooks.md | 6 +++--- 32 files changed, 71 insertions(+), 72 deletions(-) diff --git a/README.md b/README.md index b987dd555..93e078ce5 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ $ npm install $ npm start ``` -This command starts a local development server and open up a browser window. Most changes are reflected live without having to restart the server. +This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server. ### Build diff --git a/blog/2024-12-08-acme-clients.md b/blog/2024-12-08-acme-clients.md index 349cd1481..f7e477a2c 100644 --- a/blog/2024-12-08-acme-clients.md +++ b/blog/2024-12-08-acme-clients.md @@ -99,7 +99,7 @@ Certify The Web is a comprehensive ACME client designed for Windows. It provides #### Cons - Currently limited to Windows environments, but a new web based Certify Management Hub app will be available soon. -- Command line options are more limited that other command line native apps +- Command line options are more limited than other command line native apps ## Conclusion diff --git a/blog/2025-01-17-acme-profiles.md b/blog/2025-01-17-acme-profiles.md index 0a30b10c6..ebcbc1beb 100644 --- a/blog/2025-01-17-acme-profiles.md +++ b/blog/2025-01-17-acme-profiles.md 
@@ -8,11 +8,11 @@ image: https://certifytheweb.com/images/management/summary.png hide_table_of_contents: false --- -We have implement support for the ACME Profiles extension, a new feature designed to enhance the Automated Certificate Management Environment (ACME) protocol. This extension allows ACME Servers to offer a selection of different certificate profiles to ACME Clients, making it easier for clients to request the specific type of certificate they need. +We have implemented support for the ACME Profiles extension, a new feature designed to enhance the Automated Certificate Management Environment (ACME) protocol. This extension allows ACME Servers to offer a selection of different certificate profiles to ACME Clients, making it easier for clients to request the specific type of certificate they need. -ACME Profiles are a new proposed extension to the ACME standard allows CAs to offer certificates with different features depending on user preferences. +ACME Profiles are a new proposed extension to the ACME standard that allows CAs to offer certificates with different features depending on user preferences. https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/ 
@@ -38,7 +38,7 @@ ACME Servers that support profiles will include a new `profiles` field in their ### Client Requests When creating a new Order, clients can specify the desired profile in the `profile` field of the Order object. The server will then issue a certificate that matches the selected profile. -In **Certify Certificate Manager** and **Certify Management Hub** this will be available as an option under under *Certificate > Advanced > Certificate Authority*. +In **Certify Certificate Manager** and **Certify Management Hub** this will be available as an option under *Certificate > Advanced > Certificate Authority*. ## Current Implementations Let's Encrypt's Boulder ACME Server software fully implements the ACME Profiles extension. Although profiles are not yet configured in Let's Encrypt's Production and Staging environments, the Pebble ACME Server testbed also supports this extension. diff --git a/docs/backgroundservice.md b/docs/backgroundservice.md index ea6a8b180..d6baa4609 100644 --- a/docs/backgroundservice.md +++ b/docs/backgroundservice.md 
@@ -5,7 +5,7 @@ title: Background Service In order to perform certificate requests and automatic renewals we install a background service called "Certify.Service" or "Certify.Server.Core" (the full title is either `Certify Certificate Manager Service` or `Certify Management Agent` for v7 onwards). -This service is installed to run as Local System and requires that the Local System account has the necessary privileges to administer IIS (if required) and the computers certificate store, as well as writing to the C:\ProgramData\Certify folder for configuration information. For more information on security and required permissions see [security](guides/security.md) +This service is installed to run as Local System and requires that the Local System account has the necessary privileges to administer IIS (if required) and the computers certificate store, as well as writing to the C:\ProgramData\Certify folder for configuration information. For more information on security and required permissions see [security](guides/security.md). To check the log for this service, review `C:\ProgramData\Certify\logs\service.exceptions.log`. @@ -57,7 +57,7 @@ Invoke-RestMethod -Uri http://localhost:9696/api/system/appversion -UseDefaultCr ### Other Considerations for 'Service Not Started..' -To operate properly the background service needs to be able to register an http listener for it's API server via http.sys, for that to work the IP address the service tries to use must be enabled as an http listen address and in some versions of windows the Http kernel service may not be enabled and you will need to enable it. +To operate properly the background service needs to be able to register an http listener for its API server via http.sys, for that to work the IP address the service tries to use must be enabled as an http listen address and in some versions of windows the Http kernel service may not be enabled and you will need to enable it. #### Enable http listener IP address 
@@ -121,7 +121,7 @@ SERVICE_NAME: http ``` -If the state is not `RUNNING` use the following command the enable the service on demand: +If the state is not `RUNNING` use the following command to enable the service on demand: ```bat sc config http start= demand @@ -139,7 +139,7 @@ Once completed, restart the Certify background service from local services, then ## Managed Items Database -The data store for the managed certificates database is the C:\ProgramData\Certify\manageditems.db SQLite database. This stores your renewal configuration data (not certificates). This is an sqlite3 format database files. +The data store for the managed certificates database is the C:\ProgramData\Certify\manageditems.db SQLite database. This stores your renewal configuration data (not certificates). This is an sqlite3 format database file. You should include C:\ProgramData\Certify\ in your normal backup procedures, otherwise if you lose this configuration or it is corrupted you may need to add all of your managed certificates again. **To guard against database corruption you should add an exclusion to your anti-virus software to avoid sharing conflicts.** diff --git a/docs/certificate-process.md b/docs/certificate-process.md index 13d84c302..7df61ffd4 100644 --- a/docs/certificate-process.md +++ b/docs/certificate-process.md 
@@ -9,7 +9,7 @@ Use this guide when you are creating a new managed certificate and want to under When you install Certify you will be prompted to register with the [Certificate Authority](guides/certificate-authorities.md) who will validate your domains and issue your [certificates](guides/certificates.md) (e.g. Let's Encrypt). You should provide a real email address, otherwise they can't contact you if there is a problem with your certificate. :::tip Quick Start -If you are requesting a certificate for an IIS website with existing http/https domain hostname bindings it's possible to just install the app on the web server, click **New Certificate**, selected your IIS Website and confirm your domains, then click **Request Certificate** to automatically validate your domain(s), fetch the certificate and auto-apply it. You can then access your website via https. Your certificate will automatically renew using the same process. +If you are requesting a certificate for an IIS website with existing http/https domain hostname bindings it's possible to just install the app on the web server, click **New Certificate**, select your IIS Website and confirm your domains, then click **Request Certificate** to automatically validate your domain(s), fetch the certificate and auto-apply it. You can then access your website via https. Your certificate will automatically renew using the same process. ::: ## What is an ACME client? 
@@ -63,7 +63,7 @@ Note that for FTP site bindings you need to select "Single Site" instead. ##### Deployment Tasks and Advanced Usage In addition to the Auto Deployment options, you can also make use of a variety of pre-built [Deployment Tasks](deployment/tasks_intro.md) for local or remote deployment. You can also use scripting tasks to work with your certificate using your own custom scripting. -Deployment Tasks can be used used for common certificate tasks such as deploying to Microsoft Exchange, updating a certificate in a secrets vault (such as Azure Key Vault), deploying to a [CCS share](deployment/tasks/ccs.md) or converting the certificate into different file types. +Deployment Tasks can be used for common certificate tasks such as deploying to Microsoft Exchange, updating a certificate in a secrets vault (such as Azure Key Vault), deploying to a [CCS share](deployment/tasks/ccs.md) or converting the certificate into different file types. ### 4. Preview Using the *Preview* tab you can see a detailed summary of how your Managed Certificate is configured and what actions the app will plan to take next, including how the new certificate will be deployed. diff --git a/docs/commandline.md b/docs/commandline.md index 933f4beb7..53aca87f4 100644 --- a/docs/commandline.md +++ b/docs/commandline.md @@ -3,7 +3,7 @@ id: commandline title: Command Line (CLI) --- -A set of command line are available using the tool _certify.exe_ which is found in the installation directory. The commands must be performed using an elevated administrators account. +A set of command line tools are available using the tool _certify.exe_ which is found in the installation directory. The commands must be performed using an elevated administrators account. :::tip Most users do not need to use the command line options at all. By default all certificate renewals are taken care of automatically by the Certify background service. 
@@ -47,7 +47,7 @@ You can use the `acmeaccount add` command to add/create a new ACME account regis - `certify deploy "" ""` : perform a specific deployment task for the given managed certificate. See the Manual trigger mode for deployment tasks. -### Adding or Remove Managed Certificates +### Adding or Removing Managed Certificates - `certify importcsv` : import managed certificates from a CSV file. See [CSV Import](csv-import.md) for more details diff --git a/docs/deployment/tasks/apache.md b/docs/deployment/tasks/apache.md index b8c9a762b..ea248224d 100644 --- a/docs/deployment/tasks/apache.md +++ b/docs/deployment/tasks/apache.md @@ -47,7 +47,7 @@ For older versions of Apache you may need to specify the **CA Chain** file separ - Point *SSLCertificateFile* at your **Leaf Certificate** file. ### Restarting Apache -For your changes to take effect you will need to restart Apache. You can do this by adding a *Stop, Start or Restart a Service" task after your *Deploy to Apache* task. +For your changes to take effect you will need to restart Apache. You can do this by adding a "Stop, Start or Restart a Service" task after your *Deploy to Apache* task. ### CA Preferred Chain Some CAs offer alternative certificate chains for compatibility. Let's Encrypt offers both a *DST Root CA X3* chain (expired) and a newer *ISRG Root X1* chain. v6.x onwards of the app defaults to the newer chain for LE. If you need to use the older chain (e.g. for old Android compatibility) you can do so by setting the *Preferred Chain* option under *Certificate > Advanced > Certificate Authority - Preferred Chain* to *DST Root CA X3* and re-requesting your certificate. \ No newline at end of file diff --git a/docs/deployment/tasks/exchange.md b/docs/deployment/tasks/exchange.md index 099d1e30a..73553bc9b 100644 --- a/docs/deployment/tasks/exchange.md +++ b/docs/deployment/tasks/exchange.md 
@@ -39,7 +39,7 @@ In the app, running on the same server where Exchange is installed: Other topics to consider include selecting between different Certificate Authorities, Private Key types and PFX password protection. These options are all configured under *Advanced*. -## Deploying Your Certificate to Exchanges Services +## Deploying Your Certificate to Exchange Services Once you have your certificate you can automate deploying it to your Exchange services. :::info 
@@ -61,13 +61,13 @@ For complex or customised deployments you may wish to use a [custom deployment s It's possible to continue to apply the certificate manually using the standard Exchange Admin Center features, however this is not recommended because certificates typically renew frequently (e.g. within 90 days) and you would need to remember to repeat the process each time. You should instead use automation to ensure your certificates are always up to date. ## Renewal Failures -Certificate can fail to renew for a number of reasons, including: +Certificates can fail to renew for a number of reasons, including: - Changes to your infrastructure (e.g. firewall changes, DNS changes) - Temporary issues with your CA **The app will recover from temporary issues automatically**, however if you have made changes to your infrastructure you may need to update your managed certificate settings to reflect the new configuration. You can force a certificate renewal attempt by selecting *Request Certificate*. -By default, **if your certificate renewal fails repeatedly, you will receive an email notification**. This email is trigger by the default status reporting to our API, which in turn sends an email via SendGrid if multiple failures have been detected. The email address used is the one you specified when you first setup your CA account in the application (under Settings > Certificate Authorities). You can also check the *Certify Certificate Manager* app or the https://certifytheweb.com dashboard (if enabled) for the status of your managed certificates. +By default, **if your certificate renewal fails repeatedly, you will receive an email notification**. This email is triggered by the default status reporting to our API, which in turn sends an email via SendGrid if multiple failures have been detected. The email address used is the one you specified when you first setup your CA account in the application (under Settings > Certificate Authorities). 
You can also check the *Certify Certificate Manager* app or the https://certifytheweb.com dashboard (if enabled) for the status of your managed certificates. If you don't understand why a renewal has suddenly failed it's best not to start changing settings if you are unsure, instead please [contact us for support](../../support.md) if you are a licensed user, or post a question on our [community forum](https://community.certifytheweb.com), ideally including your managed certificate log file, at the least we need your real domain name(s) in order to diagnose common renewal failures. 
@@ -77,13 +77,13 @@ Typical troubleshoot steps include checking your firewall (if using http validat Things to consider when administering certificates for exchange and IIS: ### Things to avoid -- Never delete a certificate from the certificate store while it is still in use by a service, this will break the service and you will need to re-assign a new certificate to the service. *Certify Certificate Manager* will maintain it's own certificates in the store and by default will remove them when they are definitely no longer required. +- Never delete a certificate from the certificate store while it is still in use by a service, this will break the service and you will need to re-assign a new certificate to the service. *Certify Certificate Manager* will maintain its own certificates in the store and by default will remove them when they are definitely no longer required. - Never revoke a certificate unless the private key has been compromised. Revoking a certificate will break any services using that certificate and is almost never required. ### Only use valid fully qualified domain names (or valid wildcard names) Certificates need to be issued for valid fully qualified names or wildcards. A certificate can cover multiple hostnames or subdomains and can also be wildcards that cover all subdomains of a domain e.g. `*.contoso.com` would cover `mail.contoso.com` and `autodiscover.contoso.com` but not `mail.contoso.com.au` or `mail.contoso.local`. -If your exchange services and connections are configured to use local or intranet names like `localhost` or `mail.contoso.local` then the service will not have a valid TLS connection to the server and will not be able to use the certificate, this is because the name is not included in the certificate your are trying to use. You will need to ensure that all services and connections use valid hostnames which match your certificate(s). 
+If your exchange services and connections are configured to use local or intranet names like `localhost` or `mail.contoso.local` then the service will not have a valid TLS connection to the server and will not be able to use the certificate, this is because the name is not included in the certificate you are trying to use. You will need to ensure that all services and connections use valid hostnames which match your certificate(s). ### IP Address Bindings vs SNI Hostname Bindings If you manually create an https "binding" (the configuration of an IP address or hostname + socket + certificate) then you should enable SNI (Server Name Indication), set a hostname and avoid using specific IP addresses, instead use `All Unassigned` or `*` in IIS etc. This maps to the catch-all address `0.0.0.0` and matches the binding to all network interfaces. @@ -97,7 +97,7 @@ Some other clients to consider for very specific tasks include [Posh-ACME (Power ## Other resources -Details of the general processes begin importing and installing a certificate for Exchange can be found here: +Details of the general processes for importing and installing a certificate for Exchange can be found here: https://learn.microsoft.com/en-us/exchange/architecture/client-access/import-certificates?view=exchserver-2019 diff --git a/docs/deployment/tasks/nginx.md b/docs/deployment/tasks/nginx.md index bee94d66f..56e72b6b6 100644 --- a/docs/deployment/tasks/nginx.md +++ b/docs/deployment/tasks/nginx.md 
@@ -32,7 +32,7 @@ In a typical nginx config you would only need to specify the **Full Chain** and - Point *ssl_certificate* at your **Full Chain** file ### Restarting nginx -For your changes to take effect you will need to restart Nginx. You can do this by adding a *Stop, Start or Restart a Service" task after your *Deploy to nginx* task. +For your changes to take effect you will need to restart Nginx. You can do this by adding a "Stop, Start or Restart a Service" task after your *Deploy to nginx* task. ### CA Preferred Chain Some CAs offer alternative certificate chains for compatibility. Let's Encrypt offers both a *DST Root CA X3* chain (expired) and a newer *ISRG Root X1* chain. *Certify Certificate Manager* v6.x onwards defaults to the newer chain. If you need to use the older chain (e.g. for old Android compatibility) you can do so by setting the *Preferred Chain* option under *Certificate > Advanced > Certificate Authority - Preferred Chain* to *DST Root CA X3* and re-requesting your certificate. \ No newline at end of file diff --git a/docs/deployment/tasks_intro.md b/docs/deployment/tasks_intro.md index 5a03350aa..03e404dda 100644 --- a/docs/deployment/tasks_intro.md +++ b/docs/deployment/tasks_intro.md @@ -4,7 +4,7 @@ title: Deployment Tasks --- **Deployment Tasks are a powerful new feature introduced in *Certify Certificate Manager* v5.x and above.** -Once you have a certificate issued by a certificate authority you can go ahead and use that certificate for it's intended purpose. This is generally anything that might require a valid verified domain (such as a webserver, mail server, ftp service, remote access etc). +Once you have a certificate issued by a certificate authority you can go ahead and use that certificate for its intended purpose. This is generally anything that might require a valid verified domain (such as a webserver, mail server, ftp service, remote access etc). ![Startup UI](/assets/screens/DeploymentTasks.png) 
@@ -14,7 +14,7 @@ If you need to perform more custom steps using the certificate, or if you just w ## Pre-Request Tasks -You may wish to run a custom task before you renew your certificate. For instance, you may wish to to make automated firewall changes or call a custom Web Hook/API. These are called 'Pre-Request Tasks'. +You may wish to run a custom task before you renew your certificate. For instance, you may wish to make automated firewall changes or call a custom Web Hook/API. These are called 'Pre-Request Tasks'. ## Deployment Tasks @@ -33,7 +33,7 @@ Built-in deployment task types, each with UI to configure the task parameters et | Name | Description | |---|---| -| Deploy Certificate to ADFS | Applies the certificate a local Active Directory Federation Services installation | +| Deploy Certificate to ADFS | Applies the certificate to a local Active Directory Federation Services installation | | [Deploy to Apache](./tasks/apache.md) | Export the certificate components in PEM file format for use with the Apache webserver. | | [Deploy to Apache Tomcat](./tasks/tomcat.md) | Export the certificate as a pkcs12 key store for use with Apache Tomcat application server. | | [Deploy to Azure App Service](./tasks/azure-app-service.md) | Note that setting a PFX password (Certificate> Advanced > Signing & Security) is required for this deployment. | 
@@ -43,11 +43,11 @@ Built-in deployment task types, each with UI to configure the task parameters et | [Deploy to Microsoft Exchange](./tasks/exchange.md)| Export the certificate to a local MS Exchange services and apply it to an optional list of services (IMAP, SMTP, IIS, POP etc). | | Deploy to Hashicorp Vault| Export the certificate to your Vault instance, with optional namespaces. | | [Deploy to nginx](./tasks/nginx.md) | Export the certificate components in PEM file format for use with the nginx webserver. | -| Deploy to RAS (Direct Access, VNP, SSTP VPN etc)| Provides a basic deployment for RAS. You may require your own script for more sophisticated deployments. | +| Deploy to RAS (Direct Access, VPN, SSTP VPN etc)| Provides a basic deployment for RAS. You may require your own script for more sophisticated deployments. | | Deploy to RDP Gateway Service| Provides a basic deployment for a local RDP Gateway. You may require your own script for more sophisticated deployments. | | Deploy to RDP Listener Service| Provides a basic deployment for a local RDP Listener (Terminal Services). | | Run a Script | Execute an environment specific script (such as as a windows batch file or a linux bash script). | -| Stop, Start or Restart a Service | Select a local service to restart. Usually used in conjunction with another deployment task to cause the new certificate to new applied. | +| Stop, Start or Restart a Service | Select a local service to restart. Usually used in conjunction with another deployment task to cause the new certificate to be applied. | | Set Certificate Key Permissions | Although not usually required, some services may need read permission granted for the certificate private key. This task adds read permission for the nominated account. | | Update Port Binding | Provides a standard way to perform netsh IP:port bindings without custom scripting. | 
diff --git a/docs/dns/providers/awsroute53.md b/docs/dns/providers/awsroute53.md index 063e77ff3..8e9eca6a8 100644 --- a/docs/dns/providers/awsroute53.md +++ b/docs/dns/providers/awsroute53.md @@ -11,7 +11,7 @@ To use the AWS Route53 DNS API, you need to setup your API key and authenticatio - Add a new user (e.g. 'certifydnsadmin') - Enable Programmatic access, - - Create a user Group if you don't already has a group. + - Create a user Group if you don't already have a group. - You can either allow all permissions: - Allow AmazonRoute53FullAccess for the group. - Or restrict permission to the following actions: diff --git a/docs/dns/providers/certifydns.md b/docs/dns/providers/certifydns.md index 0d97542f5..06761b618 100644 --- a/docs/dns/providers/certifydns.md +++ b/docs/dns/providers/certifydns.md @@ -6,7 +6,7 @@ description: Use Certify DNS for delegated DNS challenge handling when direct DN # Get Started with Certify DNS -*Certify DNS* is an optional service used to answer DNS challenges when your domains normal DNS provider isn't supported for automation. It can be used with any *acme-dns* compatible ACME client. **The service requires a separately purchased *Certify DNS* license and is not bundled with *Certify Certificate Manager***. +*Certify DNS* is an optional service used to answer DNS challenges when your domain's normal DNS provider isn't supported for automation. It can be used with any *acme-dns* compatible ACME client. **The service requires a separately purchased *Certify DNS* license and is not bundled with *Certify Certificate Manager***. ## Best Fit 
@@ -23,11 +23,11 @@ description: Use Certify DNS for delegated DNS challenge handling when direct DN 5. Re-run the request so the certificate authority can follow the delegated challenge. - The service is a cloud hosted version of the [acme-dns](https://github.com/joohoi/acme-dns) protocol and uses CNAME delegation of acme challenge TXT records to a dedicated challenge response service. -- You can purchase a *Certify DNS* license**, via the https://certifytheweb.com License Keys tab (when signed in). It is not included in other product licenses from us you may already have, e.g. other products like *Certify Certificate Manager* **do not** include a license for *Certify DNS*. +- You can purchase a *Certify DNS* license via the https://certifytheweb.com License Keys tab (when signed in). It is not included in other product licenses from us you may already have, e.g. other products like *Certify Certificate Manager* **do not** include a license for *Certify DNS*. - *Certify DNS* is not required in order to use the Certify Certificate Manager app, it's only required if you specifically want to use DNS challenges and can't use standard DNS automation. - The service is compatible with most other existing _acme-dns_ clients so it can be used with other ACME clients on all operating systems. -**With *Certify DNS*, you create a special CNAME record in your domain DNS (for each domain or subdomain you want to include on a certificate), instead of a TXT record. The CNAME records points to the Certify DNS cloud service and handles ACME challenge responses for your domain.** +**With *Certify DNS*, you create a special CNAME record in your domain DNS (for each domain or subdomain you want to include on a certificate), instead of a TXT record. The CNAME record points to the Certify DNS cloud service and handles ACME challenge responses for your domain.** ## Using *Certify DNS* in Certify Certificate Manager 
@@ -42,13 +42,13 @@ description: Use Certify DNS for delegated DNS challenge handling when direct DN ## Using *Certify DNS* with other acme-dns compatible clients -- Once activated on your https://certifytheweb.com account as special URL will be shown under the License Keys tab. This passes your license key info as basic credentials to the *Certify DNS* service. +- Once activated on your https://certifytheweb.com account a special URL will be shown under the License Keys tab. This passes your license key info as basic credentials to the *Certify DNS* service. - Follow the normal instructions for your acme-dns client, using the provided URL as the base URL for the acme-dns service. ### Example: Certbot with acme-dns-auth.py (linux) - Install Certbot and download acme-dns-auth.py (https://github.com/joohoi/acme-dns-certbot-joohoi) -- Update acme-dns-auth.py to set `ACMEDNS_URL = "https://@certify-dns.certifytheweb.com"`. Your url with credentials if found on your certifytheweb.com License Keys tab when *Certify DNS* is enabled. +- Update acme-dns-auth.py to set `ACMEDNS_URL = "https://@certify-dns.certifytheweb.com"`. Your url with credentials is found on your certifytheweb.com License Keys tab when *Certify DNS* is enabled. - Run certbot with the required auth hook, e.g.: `sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d www.example.com` - On first run you will be prompted to create a specific CNAME in your domains DNS after registration completes. 
@@ -62,7 +62,7 @@ Cloudflare users: If you have Universal SSL configured for your domain in Cloudf A common source of confusion is the difference between your *Certify DNS* license key and your *Certify Certificate Manager* license key. Each one is unique and specific to the product type. ## Sharing CNAME registrations across multiple machines -If you need to have multiple machines fetch certificates for the same domain (such as a wildcard cert) you will find that your CNAME record needs to be the same *Certify DNS* pointer, which in turn means you need to share the Certify DNS registration config across each machine. To do this, copy the respective config file from C:\ProgramData\certify\certifydns\ (or acme-dns on managed certificates configured using older versions) on one machine all of to the other machines (into C:\ProgramData\certify\certifydns\). Thereafter their renewals will all use the same *Certify DNS* registration for that domain. +If you need to have multiple machines fetch certificates for the same domain (such as a wildcard cert) you will find that your CNAME record needs to be the same *Certify DNS* pointer, which in turn means you need to share the Certify DNS registration config across each machine. To do this, copy the respective config file from C:\ProgramData\certify\certifydns\ (or acme-dns on managed certificates configured using older versions) on one machine all to the other machines (into C:\ProgramData\certify\certifydns\). Thereafter their renewals will all use the same *Certify DNS* registration for that domain. ## Migrating from acme-dns to *Certify DNS* or vice-versa To switch from acme-dns to *Certify DNS*, first delete the respective domain config from C:\ProgramData\certify\acmedns and switch the DNS provider to *Certify DNS*. Perform a normal renewal - the first renewal will prompt for a CNAME record to be updated pointing to the service. 
You can also check the log for this managed certificate and find the new CNAME value you need to populate. Thereafter you can then renew normally. diff --git a/docs/features/certificate-advanced.md b/docs/features/certificate-advanced.md index 2f933e40c..538bf7c13 100644 --- a/docs/features/certificate-advanced.md +++ b/docs/features/certificate-advanced.md @@ -23,12 +23,12 @@ This section covers options related to the Private Key and Certificate Signing R See [Certificate Signing Request](../guides/csr.md) for more information on CSR related options. ### Security (PFX Password) -By default the app produce PFX file with a blank password. While this makes them more convenient to use in some situations, it is not secure if the file will be distributed to other locations etc. The password will be applied when your certificate is next request/renewed. You can centrally manage the password (such as updating the same password for many certificates) under *Settings > Stored Credentials*. +By default the app produces a PFX file with a blank password. While this makes them more convenient to use in some situations, it is not secure if the file will be distributed to other locations etc. The password will be applied when your certificate is next request/renewed. You can centrally manage the password (such as updating the same password for many certificates) under *Settings > Stored Credentials*. ## General Options #### Comments -Add an optional comment for your own use to describe this managed certificate or it's purpose. +Add an optional comment for your own use to describe this managed certificate or its purpose. #### Enable Auto Renewal Include this managed certificate in standard auto renewal (enabled by default). diff --git a/docs/features/data-stores.md b/docs/features/data-stores.md index 4e234c8e4..7e996c24f 100644 --- a/docs/features/data-stores.md +++ b/docs/features/data-stores.md 
@@ -22,11 +22,11 @@ If you decide to use a database other than SQLite you will need to install the d In all cases you need to setup the initial database schema, users and permissions. You will also need to maintain the necessary database schema updates as new versions of the app are released. -In all cases is you choose to use alternative data store we cannot provide support for any aspects of the database server installation or configuration or troubleshooting. You should only adopt database servers you are comfortable with and have the necessary skills to maintain. +In all cases if you choose to use alternative data store we cannot provide support for any aspects of the database server installation or configuration or troubleshooting. You should only adopt database servers you are comfortable with and have the necessary skills to maintain. High latency or potentially unreliable connections such as remotely hosted cloud databases are not recommended or supported. -Each instance of the app needs it's own database and a single database cannot be shared by multiple instances. +Each instance of the app needs its own database and a single database cannot be shared by multiple instances. ### Microsoft SQL Server Read more about how to use SQL Server as a data store: [SQL Server Data Store Getting Started](https://github.com/webprofusion/certify-plugins/tree/development/src/DataStores/SQLServer) 
@@ -37,7 +37,7 @@ A typical connection string to an SQL Server database might look like the follow Note that SQL Express is not recommended if the database instance is used by other processes such as another web application as artificial query governor constraints can cause connection or query errors. ### PostgreSQL -Read more about how to use SQL Server as a data store: [PostgreSQL Data Store Getting Started](https://github.com/webprofusion/certify-plugins/tree/development/src/DataStores/Postgres) +Read more about how to use PostgreSQL as a data store: [PostgreSQL Data Store Getting Started](https://github.com/webprofusion/certify-plugins/tree/development/src/DataStores/Postgres) A typical connection string to a PostgreSQL database might look like this: `Server=127.0.0.1;Port=5432;Database=certify;User Id=certify_app;Password=certify_app_pwd;` diff --git a/docs/guides/apache-nginx.md b/docs/guides/apache-nginx.md index 2b2a7c249..ed9f6c09e 100644 --- a/docs/guides/apache-nginx.md +++ b/docs/guides/apache-nginx.md 
@@ -31,7 +31,7 @@ For other similar web server types that require PEM output certificate files, us The above tasks also support deployment over SSH if your service is remote to the machine being used to acquire the certificates. -You normally would set the fullchain.pem path and privkey.pem path *under Task Parameters), then save and select▶️Play next to the task to try it out. This should give you the output file you need in the location you want. You then just need to point your apache config at the right files. You can refine this task configuration and test the task without re-requesting a whole new certificate. +You normally would set the fullchain.pem path and privkey.pem path (under Task Parameters), then save and select▶️Play next to the task to try it out. This should give you the output file you need in the location you want. You then just need to point your apache config at the right files. You can refine this task configuration and test the task without re-requesting a whole new certificate. You would normally also need a *Stop/Start/Restart* service task (for the service running your web server). diff --git a/docs/guides/architecture/load-balanced-hosting.md b/docs/guides/architecture/load-balanced-hosting.md index b5a10baf1..9ac41d179 100644 --- a/docs/guides/architecture/load-balanced-hosting.md +++ b/docs/guides/architecture/load-balanced-hosting.md @@ -7,7 +7,7 @@ title: Load Balanced Hosting If you are load balancing across a set of web servers (e.g. a Web Farm) your certificate options include: -- have each server manage it's own certificates +- have each server manage its own certificates - centrally renewing certificates, then copying the certificates to each server - terminating TLS on a web application firewall or reverse proxy. 
@@ -22,7 +22,7 @@ If you can only use http validation you will require a web application firewall ## Testing -You should try out your intended deployment strategy on a set of test machines to you can learn how each of part is configured and practice sharing a certificate between multiple machines/sites. +You should try out your intended deployment strategy on a set of test machines to you can learn how each part is configured and practice sharing a certificate between multiple machines/sites. ## Windows (IIS) Deployment Strategies ### Centralized Certificate Store (CCS) diff --git a/docs/guides/auto-update.md b/docs/guides/auto-update.md index 4e2efa974..e881eaa3a 100644 --- a/docs/guides/auto-update.md +++ b/docs/guides/auto-update.md @@ -11,7 +11,7 @@ Alternative methods include performing app updates using windows management tool *Certify Certificate Manager* bundles a PowerShell script you can schedule using Windows Task Scheduler called `C:\Program Files\CertifyTheWeb\Scripts\AutoUpdate\AutoUpdate.ps1`. This script will attempt to download and install the latest stable version of the application, if a newer version is available. -You can scheduled this task to run (as an Administrator or user in the Administrators group) using: +You can schedule this task to run (as an Administrator or user in the Administrators group) using: - Windows Task Scheduler > Create Basic Task.. - Name: `Certify The Web - Auto Update`, Next.. diff --git a/docs/guides/best-practices.md b/docs/guides/best-practices.md index 00b8e0839..01915045e 100644 --- a/docs/guides/best-practices.md +++ b/docs/guides/best-practices.md 
@@ -4,7 +4,7 @@ title: Best Practices --- # Best Practices -Once you have setup your certificate and your website is accessible over https you could stop there and users will be able to access your website using a secure TLS (Transport Layer Security) connection (also known as it's old name, SSL). +Once you have set up your certificate and your website is accessible over https you could stop there and users will be able to access your website using a secure TLS (Transport Layer Security) connection (also known as its old name, SSL). However, if you scan your website with a tool such as https://www.ssllabs.com/ssltest/ it will likely point out a number of areas you could improve upon, many of which are quite cryptic. These include areas such as *HTTP Strict Transport Security* (HSTS), *Protocols* and *Cipher Suites*. @@ -13,7 +13,7 @@ Even if you have a great automated score for security, your choice of operating ## Redirecting all visitors to HTTPS A user could try to access your site by just typing the domain or perhaps they will even type the full domain with `https://` - whether the site loads as `http://` or `https://` will depend on the web browser or the link the user followed, so in some cases users will see a site as "insecure". To avoid this, you can automatically direct the users browser to the HTTPS version of your site. -### Redirect to HTTP using IIS +### Redirect to HTTPS using IIS If you are using IIS on Windows, there are a few way to redirect users from http to https. The most common method uses the *URL Rewrite* module https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-the-url-rewrite-module which is an extension to IIS which uses a web.config directive to rewrite http requests. 
@@ -88,7 +88,7 @@ Whether you are using a custom built website or a content management system (Wor ## Protocols and Cipher Suites ### TLS Protocols -A *protocol* (such as TLS 1.2 or TLS 1.3) is a standard for the secured communication used during https requests to your server. Your server supports various protocols which may or may not be enabled and these will vary depending on your version of Windows, they will also vary depending on whether a request is being made to your server, or whether you server is making an outgoing request to something else. +A *protocol* (such as TLS 1.2 or TLS 1.3) is a standard for the secured communication used during https requests to your server. Your server supports various protocols which may or may not be enabled and these will vary depending on your version of Windows, they will also vary depending on whether a request is being made to your server, or whether your server is making an outgoing request to something else. Older protocols such as TLS 1.0 and TLS 1.1 are commonly disabled in modern configurations due to various security issues found in older versions, you may however still need to support them for old software accessing your site (this is up to you). diff --git a/docs/guides/certificate-authorities.md b/docs/guides/certificate-authorities.md index a59020c55..b08e33ae6 100644 --- a/docs/guides/certificate-authorities.md +++ b/docs/guides/certificate-authorities.md 
@@ -29,7 +29,7 @@ They offer a free, automated, and open certificate authority brought to you by t - Trusted by all major operating systems and browsers - Certificates issued by Let's Encrypt expire after 90 days, which means you need automated renewals to keep them active. - Important rate limits apply: https://letsencrypt.org/docs/rate-limits/ -- Certificates can contain up to 100 domain per certificates. Wildcard certificates (*.domain.com) are supported when using DNS validation. +- Certificates can contain up to 100 domains per certificate. Wildcard certificates (*.domain.com) are supported when using DNS validation. - See information on the [Sept 2021 root expiry](../kb/202109-letsencrypt.md) - You can check the Let's Encrypt service status at [https://letsencrypt.status.io/](https://letsencrypt.status.io/) @@ -38,7 +38,7 @@ ZeroSSL (https://zerossl.com/) is an ACME service operated by HID Global. - Trusted by all major operating systems and browsers - Certificates expire after 90 days. -- Certificates can contain up to 100 domain per certificates. Wildcard certificates (*.domain.com) are supported when using DNS validation. +- Certificates can contain up to 100 domains per certificate. Wildcard certificates (*.domain.com) are supported when using DNS validation. - To use ZeroSSL you first need to sign up for a free account in order to get External Account Binding (EAB) credentials from the *Developer* section of their dashboard. This EAB credential can only be used once and subsequent account registrations (on other servers etc) require a new EAB to be generated. - You can check the ZeroSSL service status at [https://status.zerossl.com/](https://status.zerossl.com/) diff --git a/docs/guides/csr.md b/docs/guides/csr.md index 0b40fd535..0698aa20e 100644 --- a/docs/guides/csr.md +++ b/docs/guides/csr.md 
@@ -13,7 +13,7 @@ In the case of ACME domain validated certificates this CSR mainly just includes To enable OCSP-Must staple check *Require OCSP Must-Staple* under Certificate > Advanced > Signing & Security. This will add the OCSP Must Staple extension to the CSR and the resulting certificate. ## CSR Signing Key Algorithm (Private Key) -The app defaults to RSA 2048 for CSR signing keys (the certificate Private Key). This default was briefly changed in 6.x to ECDSA 256 but many older versions of Windows Server were found to be incompatible with the key type as a default. You can set your preference globally under *Settings* or per-managed certificate under *Certificate > Advanced > Signing & Security > CSR Signing Algorithm*. +The app defaults to RSA 2048 for CSR signing keys (the certificate Private Key). This default was briefly changed in 6.x to ECDSA 256 but many older versions of Windows Server were found to be incompatible with the key type as a default. You can set your preference globally under *Settings* or per-managed certificate under *Certificate > Advanced > Signing & Security > CSR Signing Algorithm*. ## Re-use a Private Key In most cases you will want to use a new private key for each certificate request, but in some cases you may want to re-use an existing private key. For example, if you have a private key that is already in use by another system, or you have a private key that you want to use for multiple certificates. If you check *Use the same Private Key for Renewals* the app will generate a key on next renewal and re-use that for subsequent renewals of the same certificate. diff --git a/docs/guides/security.md b/docs/guides/security.md index 379949806..84bd8c996 100644 --- a/docs/guides/security.md +++ b/docs/guides/security.md 
@@ -10,7 +10,7 @@ The *Certify Certificate Manager* app is configured by default to be fully usabl If you have found a specific security vulnerability you believe we need to be aware of, please notify `support at certifytheweb.com` via email. We do not currently operate a bug bounty program. Software bugs etc can also be reported in public at https://github.com/webprofusion/certify/issues ## Updates -To ensure the best possible outcome always ensure that your operating system and the app components are fully up to date with vendor/os updates. Operating an internet facing server (web, email, ftp etc) without applying the latest security patches means your system will likely only continue to function due to luck (i.e. not yet being targeted by an attacker). This is doubly important if there is a network path from your internet facing server back to your corporate network. [Auto Updating](auto-update.md) is possible but comes with it's own security risks and caveats. +To ensure the best possible outcome always ensure that your operating system and the app components are fully up to date with vendor/os updates. Operating an internet facing server (web, email, ftp etc) without applying the latest security patches means your system will likely only continue to function due to luck (i.e. not yet being targeted by an attacker). This is doubly important if there is a network path from your internet facing server back to your corporate network. [Auto Updating](auto-update.md) is possible but comes with its own security risks and caveats. ## Service Account By default the application background service (Certify.Service) runs as Local System. This account has an *extremely* high level of privileges on the system (but not on the network). As an alternative it's possible to configure the service to run under a more restricted user account and just grant it the permissions it actually needs to run. 
If you do this you are required to ensure that the account has the permission you require and to re-apply this service account after updates are installed for the app (the installer will not currently preserve this account choice). You are also required to sync account credentials changes in order for the service to continue normal operation. diff --git a/docs/guides/ssl-windows.md b/docs/guides/ssl-windows.md index bcbfd8a5b..611e0f82b 100644 --- a/docs/guides/ssl-windows.md +++ b/docs/guides/ssl-windows.md @@ -3,7 +3,7 @@ id: ssl-windows title: Using Certificates in Windows --- -Using SSL/TLS certificates in Windows has a few aspects that can prevent your site working properly if don't know about them. This guide outlines some key points. **See the special mention below for limitations regarding Windows Server 2008 R2 (IIS 7.5) and lower.** +Using SSL/TLS certificates in Windows has a few aspects that can prevent your site working properly if you don't know about them. This guide outlines some key points. **See the special mention below for limitations regarding Windows Server 2008 R2 (IIS 7.5) and lower.** If you are new to managing certificates or want to know more, you can read more about [Certificates](certificates.md) themselves. diff --git a/docs/guides/tools.md b/docs/guides/tools.md index 81abb0048..3ce37f4a2 100644 --- a/docs/guides/tools.md +++ b/docs/guides/tools.md 
@@ -15,5 +15,5 @@ The following tools can be useful for ACME related debugging, configuration and - **[Unbound Test](https://unboundtest.com):** Debug DNS or DNS challenge issues. - **[Unbound Test Log Viewer](https://unbounded.tools.certifytheweb.com/):** Debug DNS or DNS challenge issues. - **[CNAME Lookup](https://www.whatsmydns.net/):** Check DNS propagation and CNAME records globally. -- **[Base 64 Encode/Decode](https://base64.tools.certifytheweb.com/):** Check base 64 encoded payloads (uncluding base64 url encoded items) +- **[Base 64 Encode/Decode](https://base64.tools.certifytheweb.com/):** Check base 64 encoded payloads (including base64 url encoded items) - **[IIS Crypto](https://www.nartac.com/Products/IISCrypto):** Used to review and configure Windows TLS Cipher Suites diff --git a/docs/http-validation.md b/docs/http-validation.md index 2c6e0c9ef..fe4f43ac6 100644 --- a/docs/http-validation.md +++ b/docs/http-validation.md 
@@ -18,7 +18,7 @@ To request a certificate from Let's Encrypt (or any Certificate Authority), you ## How to use HTTP Validation (on Windows) When the Certificate Authority performs domain validation over http (known as an `http-01` challenge) they ask for a randomly named text file to be presented in the `/.well-known/acme-challenge` path of your website. So they should be able to retrieve it at `http:///.well-known/acme-challenge/` -**Your server must be able to respond on TCP port 80 in order to perform any HTTP validation. If your firewall blocks port 80 (or blocks requests from other countries etc), unblock it to proceed. You don't need IIS http bindings as by default the app will use it's own http challenge response server.** +**Your server must be able to respond on TCP port 80 in order to perform any HTTP validation. If your firewall blocks port 80 (or blocks requests from other countries etc), unblock it to proceed. You don't need IIS http bindings as by default the app will use its own http challenge response server.** If this step succeeds, you're all set to automatically complete HTTP validation of your domain. Once completed, the Certificate Authority marks your domain (associated with your account) as 'valid' and we can then proceed with requesting the final certificate. 
@@ -44,7 +44,7 @@ the https://api.certifytheweb.com server if it can access the resource instead ( ## Common Issues ### Timeout during http validation -Your firewall is blocking port 80. Open port TCP 80 in Windows Firewall and on any cloud hosting firewall rules you have. Validation will occurs from multiple geographic locations, so if you need geographic blocking only block specific countries, or if you have an application-aware firewall allow all incoming http requests to `/.well-known/acme-challenge` +Your firewall is blocking port 80. Open port TCP 80 in Windows Firewall and on any cloud hosting firewall rules you have. Validation will occur from multiple geographic locations, so if you need geographic blocking only block specific countries, or if you have an application-aware firewall allow all incoming http requests to `/.well-known/acme-challenge` ### HTTP domain validations suddenly failing If you find you are unexpectedly getting HTTP domain validation failures (particularly "Secondary validation") the most common cause is a Firewall blocking TCP port 80 (http) or you are blocking a range of IP or Geographic locations. To allow only your CAs HTTP validation requests through we recommend using a Web Application Firewall set to allow all http requests to any path starting with `/.well-known/acme-challenge/`. Alternatively block specific countries instead of blocking all countries, as your CA (the default being Let's Encrypt) may choose to validate from any geographic region. 
@@ -54,7 +54,7 @@ The most common problem is that auto configuration has failed to determine the b 1 - Check the challenge folder exists -Check that configcheck file has been created at: `wwwwroot\inetpub\*yourwebsite*\.well-known\acme-challenge` +Check that configcheck file has been created at: `wwwroot\inetpub\*yourwebsite*\.well-known\acme-challenge` If not, check your folder permissions allow this folder/files to be created. If necessary, check the website root path is correctly mapped. diff --git a/docs/hub/guides/certificate-subscriptions.md b/docs/hub/guides/certificate-subscriptions.md index c2d421ffc..59d1bf1a6 100644 --- a/docs/hub/guides/certificate-subscriptions.md +++ b/docs/hub/guides/certificate-subscriptions.md @@ -62,7 +62,7 @@ Without that permission, the instance cannot fetch source certificates from the The source system owns renewal. The consuming instance owns local use of the retrieved certificate, including deployment paths, tasks, and permissions. -Currently you should not apply a PFX password on teh source certificate as the consumer will not be able to decrypt that. +Currently you should not apply a PFX password on the source certificate as the consumer will not be able to decrypt that. ## Common Issues diff --git a/docs/hub/guides/day-2-operations.md b/docs/hub/guides/day-2-operations.md index 68b13a414..3dee137bf 100644 --- a/docs/hub/guides/day-2-operations.md +++ b/docs/hub/guides/day-2-operations.md 
@@ -7,7 +7,7 @@ description: Operate Certify Management Hub after installation, including monito ## Routine Checks -Use **Certificates > Summary** to see the overall health of your managed certificates. To review indvidual items, select a managed certificate, review the status tab and select the View Log option to see recent log entries. +Use **Certificates > Summary** to see the overall health of your managed certificates. To review individual items, select a managed certificate, review the status tab and select the View Log option to see recent log entries. ## Upgrades diff --git a/docs/hub/guides/managedchallenges.md b/docs/hub/guides/managedchallenges.md index 38ab75516..ac56e7fd3 100644 --- a/docs/hub/guides/managedchallenges.md +++ b/docs/hub/guides/managedchallenges.md @@ -26,7 +26,6 @@ Managed challenges need two things: ## Managed Challenge Definition -Under *Services > Managed Challenges*, select `+ Add`: Under *Services > Managed Challenges*, select `+ Add`: - Select dns-01 as the challenge type - Select the DNS provider specific to your domains DNS service. diff --git a/docs/hub/known-issues.md b/docs/hub/known-issues.md index 7de6b7bb9..610bb6861 100644 --- a/docs/hub/known-issues.md +++ b/docs/hub/known-issues.md 
@@ -17,15 +17,15 @@ Instances of *Certify Certificate Manager* and *Certify Management Agent* servic #### Errors when trying to login The UI needs to know the URL of the API it should talk to. This is configured by default to `https://localhost:44361` or `http://localhost:8080` when running from docker. The setting is changed for all users by editing wwwroot/appsettings.json or you can temporarily change the URL in the login page by clicking the Settings gear icon and setting the correct URL for your installation. -If the problem occurs with a new docker container, follow the above and set the url to the require host and port e.g. `http://localhost:8080` +If the problem occurs with a new docker container, follow the above and set the url to the required host and port e.g. `http://localhost:8080` #### Data caching in the UI Normally, when the system changes managed certificate or updates it status the change should be streamed back to the UI via SignalR. This streaming functionality is still a work in progress and most items now update automatically. -Pages that show data that might change will generally update themselves periodically (summary page, instances, charts etc) or in some cases when the underlying data changes and a message from the hub is streamed back the the UI. In some cases you may need to reload the app from the app root URL to see the latest information while the app is still under development. +Pages that show data that might change will generally update themselves periodically (summary page, instances, charts etc) or in some cases when the underlying data changes and a message from the hub is streamed back to the UI. In some cases you may need to reload the app from the app root URL to see the latest information while the app is still under development. #### Loading time over slow connections -The web app uses WebAssembly (WASM) and has a large application payload on initial load. Subsequent loads used cached resources. 
+The web app uses WebAssembly (WASM) and has a large application payload on initial load. Subsequent loads use cached resources. ### Containers #### Data not persisted using containers diff --git a/docs/kb/202109-letsencrypt.md b/docs/kb/202109-letsencrypt.md index 6c35ba844..d59e3a95d 100644 --- a/docs/kb/202109-letsencrypt.md +++ b/docs/kb/202109-letsencrypt.md @@ -10,7 +10,7 @@ Certificate trust mainly relies on the "root" issuing certificate (and intermedi The root certificate issues an Intermediate certificate which in turn is used to issue general certificates such as the ones for your website. This is called a "Chain" of trust. Your certificate (called a Leaf or end-entity certificate) will be validated by following this chain. -*From Sept 30th 2021 Let's Encrypts previous root certificate *DST Root CA X3* (and it's R3 intermediate) will expire. It has been replaced by their *ISRG Root X1* certificate (and replacement R3 intermediate).* +*From Sept 30th 2021 Let's Encrypts previous root certificate *DST Root CA X3* (and its R3 intermediate) will expire. It has been replaced by their *ISRG Root X1* certificate (and replacement R3 intermediate).* :::note 
@@ -30,7 +30,7 @@ The version of the *R3* intermediate signing certificate which chains to *DST Ro The *DST Root CA X3* root certificate expired **September 30 14:01:15 2021 GMT**. -- In some cases, the expiry of the root (and its related expiring R3 intermediate certificate) may causes certificates to be considered untrusted or invalid. To fix this you need to make your server use (serve) the correct chain. +- In some cases, the expiry of the root (and its related expiring R3 intermediate certificate) may cause certificates to be considered untrusted or invalid. To fix this you need to make your server use (serve) the correct chain. - In other cases, the issue may be with the client computer. - Some app renewals will fail with *too many certificates (5) already issued for this exact set of domains in the last 168 hours*. See solution below. - If you have clients complaining about some android devices not working with their websites, you may need to migrate to a different Certificate Authority (see below). 
@@ -106,7 +106,7 @@ If no other solution works or for any other reason you cannot update client trus ::: ## Non-IIS servers (Apache, nginx etc on Windows or Linux) -Verify that your service is configured to use your certificate, with it's private key *and* it's **chain**. These services will work without pointing to a chain file but in the case of the expired R3 your clients will try to resolve the R3 themselves (because you haven't given it to them) and they may then resolve it to the old (expired) one. +Verify that your service is configured to use your certificate, with its private key *and* it's **chain**. These services will work without pointing to a chain file but in the case of the expired R3 your clients will try to resolve the R3 themselves (because you haven't given it to them) and they may then resolve it to the old (expired) one. We have seen reports of issues with old iOS versions when using IIS as a front end reverse proxied to node (for NextJS etc). This is an unrelated issue to do with http headers: https://stackoverflow.com/questions/71037910/safari-10-fails-to-load-https-with-node-js-iisnode-spams-requests diff --git a/docs/kb/202601-letsencrypt.md b/docs/kb/202601-letsencrypt.md index 5b57a9edd..c8e8eb6fd 100644 --- a/docs/kb/202601-letsencrypt.md +++ b/docs/kb/202601-letsencrypt.md 
@@ -12,7 +12,7 @@ Certificate trust mainly relies on the "root" issuing certificate (and intermedi This is called a "Chain" of trust. Your certificate (called a Leaf or end-entity certificate) will be validated by following this chain or using OS/app-specific chain building logic. -The [new YE/YR hierarchy](https://letsencrypt.org/certificates/) also includes a "cross-sign" to the already trusted ISRG Root X1/X2 roots. For most windows clients (browsers, .Net, PowerShell etc) this means the client will determine a trusted chain on it's own, even if it doesn't yet trust Root YR/Root YE. +The [new YE/YR hierarchy](https://letsencrypt.org/certificates/) also includes a "cross-sign" to the already trusted ISRG Root X1/X2 roots. For most windows clients (browsers, .Net, PowerShell etc) this means the client will determine a trusted chain on its own, even if it doesn't yet trust Root YR/Root YE. ## The Problem @@ -20,7 +20,7 @@ If your server trusts the new Root YR and Root YR certificates for Let's Encrypt If your server trusts the new roots YE/YR *before your connected clients do* your server may present a chain that your clients don't yet trust. This may affect clients such as browsers, mobile devices, apps, tools etc. -On Windows, the default TLS implementation schannel determines the most trusted path for a given certificate chain, regardless of what the initially intended/preferred chain should be. It then use this chain in the TLS conversation when presenting a TLS-enabled service to a client such as a browser. +On Windows, the default TLS implementation schannel determines the most trusted path for a given certificate chain, regardless of what the initially intended/preferred chain should be. It then uses this chain in the TLS conversation when presenting a TLS-enabled service to a client such as a browser. ### Example Errors for affected clients Curl: `curl: (60) SSL certificate problem: unable to get local issuer certificate` 
@@ -32,7 +32,7 @@ Curl: `curl: (60) SSL certificate problem: unable to get local issuer certificat ::: ### Issue from the older chain -Before May 2026 you can option to use the "classic" (default) ACME profile with the Let's Encrypt service and have your certificate issued form the older chain. This would normally be the most obvious fix unless that issuance has been retired. +Before May 2026 you can opt to use the "classic" (default) ACME profile with the Let's Encrypt service and have your certificate issued from the older chain. This would normally be the most obvious fix unless that issuance has been retired. ### Update clients to trust the new self-signed roots @@ -54,7 +54,7 @@ For older macOS not updated by Apple: - Find the certificate in System and double click on it, open the Trust menu and change "Use System Defaults" to "Always Trust", then close that and enter your password to confirm the change (if prompted). ## Java based systems etc -Some applications maintain their own trust store. . Any system that can't be updated needs to see the cross-signed chain or you need to switch CA. +Some applications maintain their own trust store. Any system that can't be updated needs to see the cross-signed chain or you need to switch CA. e.g. for Java you might use: `keytool -import -alias isrgrootx1 -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -file rootye.cer` diff --git a/docs/renewals.md b/docs/renewals.md index cfe24f66b..90d858383 100644 --- a/docs/renewals.md +++ b/docs/renewals.md 
@@ -12,7 +12,7 @@ All certificates have an expiry date, after which they cannot be used to secure The renewal frequency defaults to 75% of the certificate lifetime. This is configurable under Settings in the app. -The app includes a Certify background service which performs all the main function for managed certificates, so you don't need to leave the UI open for renewals etc to run. +The app includes a Certify background service which performs all the main functions for managed certificates, so you don't need to leave the UI open for renewals etc to run. ## Monitoring Certificate Renewals @@ -29,7 +29,7 @@ If you manage a significant number of certificates across multiple machines we r ## App Updates Are Important -If the app offers an update you should check the release notes to see if they sounds relevant to you and if in doubt you should update the app anyway. Certificate Authorities regularly change how their services work, and not updating the app can result in future renewal failures. We only support the latest version of the app at all times. +If the app offers an update you should check the release notes to see if they sound relevant to you and if in doubt you should update the app anyway. Certificate Authorities regularly change how their services work, and not updating the app can result in future renewal failures. We only support the latest version of the app at all times. ## Certificate Cleanup diff --git a/docs/script-hooks.md b/docs/script-hooks.md index 74f93c6c6..da849660d 100644 --- a/docs/script-hooks.md +++ b/docs/script-hooks.md 
@@ -16,7 +16,7 @@ A common use for scripting is to use your new certificate for services other tha *By default the background service runs as Local System, so your scripts will execute in that context*, this can be important for issues regarding permissions, file system encryption etc. You can optionally configure your task to run as a specific user if network access or special permissions are required. :::warning -Do not store scripts under the C:\Program Files\CertifyTheWeb\\ path. File stored there will be deleted next time you update the app. +Do not store scripts under the C:\Program Files\CertifyTheWeb\\ path. Files stored there will be deleted next time you update the app. ::: All scripts should be refined and tested in a staging environment before use in production. @@ -215,7 +215,7 @@ if ($oldthumb -ne $newthumb) { This is adapted from a community example: https://community.certifytheweb.com/t/sql-server-reporting-services-ssrs/332/7 -This script gets the report server config object the checks if an existing cert is bound it removes that, then creates the new binding. +This script gets the report server config object then checks if an existing cert is bound it removes that, then creates the new binding. ```PowerShell param($result) 
@@ -366,7 +366,7 @@ The Powershell deployment task can run in two modes on Windows: In-Process and a For in-process the service will attempt to run your task as the user you specify in an impersonation context with a specific Windows *LogonType*: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types - this affects things like reuse of credentials across network resources and the relevance varies greatly depending on what your script does and which other processes it calls into. -In all case you will need to test to determine the best option for your specific script. It is not always possible to get a script to work under impersonation and in those cases you may need to write out the relevant certificate variables like the thumbprint or file path then perform operations separately using your own filewatcher process or a scheduled task elsewhere. +In all cases you will need to test to determine the best option for your specific script. It is not always possible to get a script to work under impersonation and in those cases you may need to write out the relevant certificate variables like the thumbprint or file path then perform operations separately using your own filewatcher process or a scheduled task elsewhere. Note that the *Launch New Process* option currently does not support impersonation and we aim to address this with new task runner functionality in the future.
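Review bot: the first hunk of the certificate-chain file (@@ -12,7) fixes "it's" but leaves two product-name casing slips on the same line: "For most windows clients (browsers, .Net, PowerShell etc)" should read "Windows" and ".NET" (the next word, PowerShell, is already cased correctly). Since the line is being rewritten anyway, suggest: `For most Windows clients (browsers, .NET, PowerShell etc) this means the client will determine a trusted chain on its own, even if it doesn't yet trust Root YR/Root YE.`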
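Review bot: the second hunk of the certificate-chain file (@@ -20,7) has a duplicated name in its unchanged context line that this commit's own description ("Fix duplicate words") would be expected to catch: "If your server trusts the new Root YR and Root YR certificates for Let's Encrypt". Every other mention on the page pairs YE with YR, so this almost certainly should be `If your server trusts the new Root YE and Root YR certificates for Let's Encrypt`. Worth folding into this change so the sentence does not describe the same root twice.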
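Review bot: in the Java hunk (@@ -54,7) the keytool example immediately after the touched line imports `rootye.cer` under the alias `isrgrootx1`, so the alias labels the entry as a different root than the file actually contains; suggest an alias that matches the certificate being imported (e.g. `-alias rootye`) so administrators can later find and remove the right entry. Also, `$JAVA_HOME/jre/lib/security/cacerts` is the Java 8 layout; on Java 9 and later the `jre` directory no longer exists and the store lives at `$JAVA_HOME/lib/security/cacerts`, which a one-line note on that path would avoid confusing readers about.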
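Review bot: the SSRS hunk in script-hooks.md (@@ -215,7) swaps "the checks" for "then checks" but the sentence is still a run-on with no conjunction before "it removes that": "This script gets the report server config object then checks if an existing cert is bound it removes that, then creates the new binding." Suggest: `This script gets the report server config object, checks whether an existing certificate is bound and removes it if so, then creates the new binding.`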
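Review bot: the deployment-task hunk (@@ -366,7) fixes "In all case" but the hunk header context still spells the product as "Powershell" ("The Powershell deployment task can run in two modes"), inconsistent with "PowerShell" elsewhere in this same patch; and "filewatcher" on the touched line is better as two words, "file watcher". Both are on lines this commit is already reading for typos, so they fit its scope.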