Hello, I am getting a 403 error when attempting to renew the certificate. There is no traffic seen being blocked by the WAF. The cert has renewed 7 times successfully in the past. I am not sure if the challenge file is being properly created on the server.
My domain is: grantinvoice.lacity.org, www.grantinvoice.lacity.org
I ran this command:
wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/" --verbose
It produced this output:
2021-04-29 15:46:32.505 -07:00 [INF] No command line arguments provided
2021-04-29 15:46:32.590 -07:00 [INF] Software version 2.1.5.742 (RELEASE, PLUGGABLE) started
2021-04-29 15:46:32.591 -07:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2021-04-29 15:46:33.055 -07:00 [INF] IIS version 8.5
2021-04-29 15:46:33.059 -07:00 [INF] Running with administrator credentials
2021-04-29 15:46:33.705 -07:00 [INF] Scheduled task looks healthy
2021-04-29 15:46:33.705 -07:00 [INF] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
2021-04-29 15:49:48.782 -07:00 [INF] Arguments: --renew --baseuri https://acme-v02.api.letsencrypt.org/ --verbose
2021-04-29 15:49:48.808 -07:00 [DBG] Renewal period: 55 days
2021-04-29 15:49:48.817 -07:00 [INF] Software version 2.1.5.742 (RELEASE, PLUGGABLE) started
2021-04-29 15:49:48.818 -07:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2021-04-29 15:49:48.828 -07:00 [VRB] SecurityProtocol setting: "SystemDefault"
2021-04-29 15:49:49.096 -07:00 [DBG] Connection OK!
2021-04-29 15:49:49.099 -07:00 [INF] IIS version 8.5
2021-04-29 15:49:49.103 -07:00 [INF] Running with administrator credentials
2021-04-29 15:49:49.143 -07:00 [INF] Scheduled task looks healthy
2021-04-29 15:49:49.143 -07:00 [INF] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
2021-04-29 15:49:49.145 -07:00 [VRB] Test for international support: 語言 язык لغة
2021-04-29 15:49:49.148 -07:00 [VRB] Checking renewals
2021-04-29 15:49:49.257 -07:00 [VRB] Sending e-mails false
2021-04-29 15:49:49.274 -07:00 [DBG] Scanning IIS site bindings for hosts
2021-04-29 15:49:49.410 -07:00 [VRB] 4 named bindings found in IIS
2021-04-29 15:49:49.413 -07:00 [DBG] Filtering by site(s) [2]
2021-04-29 15:49:49.414 -07:00 [VRB] 2 bindings remaining after site filter
2021-04-29 15:49:49.415 -07:00 [VRB] No host filter applied
2021-04-29 15:49:49.415 -07:00 [VRB] 2 matching bindings found
2021-04-29 15:49:49.416 -07:00 [DBG] Scanning IIS sites
2021-04-29 15:49:49.430 -07:00 [VRB] Adding 8.8.8.8 as DNS server
2021-04-29 15:49:49.431 -07:00 [VRB] Adding 1.1.1.1 as DNS server
2021-04-29 15:49:49.432 -07:00 [VRB] Adding 8.8.4.4 as DNS server
2021-04-29 15:49:49.435 -07:00 [VRB] Checking www.grantinvoice.lacity.org
2021-04-29 15:49:49.436 -07:00 [INF] Renewing certificate for www.grantinvoice.lacity.org
2021-04-29 15:49:49.437 -07:00 [VRB] Creating certificate order for hosts: ["grantinvoice.lacity.org","www.grantinvoice.lacity.org"]
2021-04-29 15:49:49.444 -07:00 [VRB] Loading ACME account signer...
2021-04-29 15:49:49.445 -07:00 [DBG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
2021-04-29 15:49:49.502 -07:00 [VRB] Constructing ACME protocol client...
2021-04-29 15:49:49.507 -07:00 [DBG] Send GET request to "https://acme-v02.api.letsencrypt.org/directory"
2021-04-29 15:49:49.594 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:49:49.609 -07:00 [DBG] Send HEAD request to "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
2021-04-29 15:49:49.658 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:49:49.662 -07:00 [DBG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
2021-04-29 15:49:49.720 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/new-order"
2021-04-29 15:49:49.771 -07:00 [VRB] Request completed with status "Created"
2021-04-29 15:49:49.780 -07:00 [VRB] Order https://acme-v02.api.letsencrypt.org/acme/order/81111204/9378961674 created
2021-04-29 15:49:49.782 -07:00 [VRB] Handle authorization 1/3
2021-04-29 15:49:49.785 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/authz-v3/12719289880"
2021-04-29 15:49:49.807 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:49:49.815 -07:00 [INF] Authorize identifier: www.grantinvoice.lacity.org
2021-04-29 15:49:49.817 -07:00 [VRB] Challenge types available: ["http-01","dns-01","tls-alpn-01"]
2021-04-29 15:49:49.820 -07:00 [INF] Authorizing www.grantinvoice.lacity.org using http-01 validation (SelfHosting)
2021-04-29 15:49:49.833 -07:00 [DBG] Submitting challenge answer
2021-04-29 15:49:49.837 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12719289880/k3ZEKA"
2021-04-29 15:49:49.881 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:49:54.895 -07:00 [DBG] Refreshing authorization (1/5)
2021-04-29 15:49:54.898 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12719289880/k3ZEKA"
2021-04-29 15:49:54.938 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:49:54.948 -07:00 [ERR] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from https://www.grantinvoice.lacity.org/.well-known/acme-challenge/tCRFC8G5QeJFwC0gdbzzOJX0ceUmOqYpN3eXeqliTp4 [2600:1405:a000::17c9:db52]: "\r\n<html xmlns=\"http"",
"status": 403
}
2021-04-29 15:49:54.948 -07:00 [ERR] Authorization result: invalid
2021-04-29 15:49:54.950 -07:00 [VRB] Starting post-validation cleanup
2021-04-29 15:49:54.953 -07:00 [VRB] Post-validation cleanup was succesful
2021-04-29 15:49:55.056 -07:00 [ERR] Renewal for www.grantinvoice.lacity.org failed, will retry on next run
2021-04-29 15:49:55.188 -07:00 [DBG] Scanning IIS site bindings for hosts
2021-04-29 15:49:55.189 -07:00 [VRB] 4 named bindings found in IIS
2021-04-29 15:49:55.190 -07:00 [DBG] Filtering by site(s) [2]
2021-04-29 15:49:55.191 -07:00 [VRB] 2 bindings remaining after site filter
2021-04-29 15:49:55.191 -07:00 [VRB] No host filter applied
2021-04-29 15:49:55.192 -07:00 [VRB] 2 matching bindings found
2021-04-29 15:49:55.193 -07:00 [DBG] Scanning IIS sites
2021-04-29 15:49:55.195 -07:00 [VRB] Checking [IIS] grantinvoice, (any host)
2021-04-29 15:49:55.195 -07:00 [INF] Renewing certificate for [IIS] grantinvoice, (any host)
2021-04-29 15:49:55.197 -07:00 [VRB] Creating certificate order for hosts: ["grantinvoice.lacity.org","www.grantinvoice.lacity.org"]
2021-04-29 15:49:55.198 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/new-order"
2021-04-29 15:49:55.240 -07:00 [VRB] Request completed with status "Created"
2021-04-29 15:49:55.242 -07:00 [VRB] Order https://acme-v02.api.letsencrypt.org/acme/order/81111204/9378962636 created
2021-04-29 15:49:55.243 -07:00 [VRB] Handle authorization 1/3
2021-04-29 15:49:55.244 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/authz-v3/12724262433"
2021-04-29 15:49:55.294 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:49:55.295 -07:00 [INF] Authorize identifier: grantinvoice.lacity.org
2021-04-29 15:49:55.297 -07:00 [VRB] Challenge types available: ["http-01","dns-01","tls-alpn-01"]
2021-04-29 15:49:55.299 -07:00 [INF] Authorizing grantinvoice.lacity.org using http-01 validation (SelfHosting)
2021-04-29 15:49:55.302 -07:00 [DBG] Submitting challenge answer
2021-04-29 15:49:55.304 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12724262433/tXPhNA"
2021-04-29 15:49:55.367 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:50:00.379 -07:00 [DBG] Refreshing authorization (1/5)
2021-04-29 15:50:00.382 -07:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12724262433/tXPhNA"
2021-04-29 15:50:00.472 -07:00 [VRB] Request completed with status "OK"
2021-04-29 15:50:00.477 -07:00 [ERR] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from https://grantinvoice.lacity.org/.well-known/acme-challenge/jwNRkMr9vv-cCidNEfgF5zQrVoOTPPbLsUBOOP4k9h8 [2600:1405:a000::17c9:db52]: "\r\n<html xmlns=\"http"",
"status": 403
}
2021-04-29 15:50:00.479 -07:00 [ERR] Authorization result: invalid
2021-04-29 15:50:00.480 -07:00 [VRB] Starting post-validation cleanup
2021-04-29 15:50:00.481 -07:00 [VRB] Post-validation cleanup was succesful
2021-04-29 15:50:00.488 -07:00 [ERR] Renewal for [IIS] grantinvoice, (any host) failed, will retry on next run
2021-04-29 15:50:00.516 -07:00 [VRB] Exiting with status code 0
My web server is (include version): IIS 8.5
The operating system my web server runs on is (include version): Windows Server 2012
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
A simple Windows ACMEv2 client (WACS)
Software version 2.1.5.742
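
Added example (not part of the original post and not win-acme code): a Python script that pulls each failed authorization out of verbose win-acme output shaped like the log above and reports what the CA's validator actually reached: the final URL scheme, the address family it connected to, the HTTP status, and whether the body was markup rather than an http-01 key authorization. The sample log is constructed with placeholder values, and `failed_validations` is a hypothetical helper name.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt in the shape of the win-acme output above (placeholder values).
SAMPLE_LOG = r'''2021-04-29 15:49:49.815 -07:00 [INF] Authorize identifier: www.example.org
2021-04-29 15:49:49.820 -07:00 [INF] Authorizing www.example.org using http-01 validation (SelfHosting)
2021-04-29 15:49:54.948 -07:00 [ERR] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from https://www.example.org/.well-known/acme-challenge/TOKEN-PLACEHOLDER [2001:db8::1]: "\r\n<html xmlns=\"http"",
"status": 403
}
2021-04-29 15:49:54.948 -07:00 [ERR] Authorization result: invalid
'''

IDENT = re.compile(r"\[INF\] Authorize identifier: (\S+)")
ERRTYPE = re.compile(r'"type": "(urn:ietf:params:acme:error:[^"]+)"')
DETAIL = re.compile(r'"detail": "Invalid response from (\S+) \[([^\]]+)\]: (.*)$')
STATUS = re.compile(r'"status": (\d+)')


def failed_validations(log_text):
    """Return one dict per ACME error block: what the CA's validator saw."""
    results, ident, cur = [], None, None
    for line in log_text.splitlines():
        if m := IDENT.search(line):
            ident = m.group(1)
        elif m := ERRTYPE.search(line):
            cur = {"identifier": ident, "error": m.group(1).rsplit(":", 1)[1]}
        elif cur is not None and (m := DETAIL.search(line)):
            url, addr, body = m.groups()
            parts = urlsplit(url)
            cur.update(
                # http-01 starts on plain HTTP port 80; "https" here means the
                # validator followed a redirect before it got the response.
                scheme=parts.scheme,
                token=parts.path.rsplit("/", 1)[1],
                validated_addr=addr,
                ip_version=ipaddress.ip_address(addr).version,
                # The expected body is "<token>.<account thumbprint>"; markup
                # means something other than the challenge responder answered.
                body_is_html="<html" in body.lower(),
            )
        elif cur is not None and (m := STATUS.search(line)):
            cur["status"] = int(m.group(1))
            results.append(cur)
            cur = None
    return results
```

An `ip_version` of 6 together with `body_is_html` set to true indicates the validator connected over the host's AAAA record and received a page from whatever answers on that address, so that path is the one to compare against the IPv4 path and the WAF logs.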