The operating system my web server runs on is (include version): Windows Server 2016
My hosting provider, if applicable, is: Self serviced
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO
I can access the acme-challenge file from outside the server and firewall.
I see a hit in the logfile from letsencrypt
"2017-08-04 10:50:09 213.162.246.137 GET /.well-known/acme-challenge/FS95YFp9n6id2wE_KIEN9KR5hN8b5fjFuGOipT25cXs - 80 - 64.78.149.164 Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 160"
Could you post the full command you used, and the full output from that command? There are a lot more pieces of information in there that the community would need in order to point you in the right direction.
If you need to make changes to your web.config file, update the one
at C:\scripts\LetsEncrypt\LetsEncryptSimple\web_config.xml"
My web server is (include version): MS IIS 10.0
The operating system my web server runs on is (include version): Windows Server 2016 Standard
My hosting provider, if applicable, is: Self serviced
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO
I can access the acme-challenge file from outside the server and firewall.
I see 2 hits in the IIS logfiles (for each hostname in the san):
2017-08-06 13:18:12 2a01:7c8:fffd:57d::1 GET /.well-known/acme-challenge/NpFGNc8Q2ABvusIEDX4rml9PPfCUMA2qQOHodCaBSXg - 80 - 2600:3000:2710:300::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 151
When I request a SAN certificate for a different domain on the exact same IIS web (and same webroot directory) the certificate is issued and installed without any errors/problems. So it seems that the problem is specifically for this domain.
Can it be so that the domain name is stuck in a rate limit problem? Does letsencrypt use a blacklist? If so, is my domain on it and why? How can I release it again?
Thanks for any help or knowledge that’s provided to me!
TC
I think this is a client bug at least in terms of not correctly reporting the underlying error.
Maybe someone can post an issue at
Also, @cpu, can you confirm the underlying reason from the CA side that these certificates failed to issue? Then maybe we can understand what error condition it is that letsencrypt-win-simple isn’t telling the users about.
Jared, my exact command is only letsencrypt.exe, then I choose my website from the list.
RedFeet, I have moved my static file up. And I am able to browse to the file. No problem. I even see the letsencrypt server accessing the site and my file, and the result from the access is 200 OK, so it seems to be able to read the file.
The reason you aren't able to issue for this domain is because your authoritative nameserver is returning SERVFAIL for CAA queries. It looks like your nameservers are being handled by prosmysdomain.no (perhaps?) and you should open a ticket with them. Please refer to our CAA documentation for more information. There is also lots of information in the forum available about CAA and SERVFAIL responses.
Only Comodo and GeoTrust are authorized to issue for this domain. You should regenerate the CAA records using SSLMate's CAA record generator and ensure that Let's Encrypt is also selected.
That means that my conclusion that it was a domainname-related issue, was correct…
I have asked the people that maintain the DNS to add a CAA-record with: 0 issue "letsencrypt.org"
Once that has been done, I hope to see that the cert gets renewed (automatically).
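The two CAA outcomes described in the replies above (a SERVFAIL on the CAA query, and a CAA set that lists only other CAs) can be reproduced offline, which also shows why a 200 on the acme-challenge file is not enough. This is an added example, not part of the original thread or of any client's code; the DNS answers, the example.* names and the function names are constructed for illustration, and treating SERVFAIL as a refusal follows the behaviour reported in the thread.

```python
# Added example: constructed DNS answers, no network access. Non-wildcard names only.
SERVFAIL = "SERVFAIL"  # marker for a CAA query the nameserver failed to answer

# Constructed CAA answers keyed by name; a missing key means "NOERROR, no CAA records".
SAMPLE_DNS = {
    "broken.example.net": SERVFAIL,
    "example.org": [(0, "issue", "comodoca.com"), (0, "issue", "geotrust.com")],
    "example.com": [(0, "issue", "comodoca.com"), (0, "issue", "letsencrypt.org")],
    "example.edu": [(0, "iodef", "mailto:hostmaster@example.edu")],
}


def relevant_caa_set(fqdn, dns):
    """Climb from fqdn toward the root; return (name, answer) for the first
    name that has CAA records or whose lookup fails."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        answer = dns.get(name, [])
        if answer == SERVFAIL:
            return name, SERVFAIL  # a failed lookup stops the search
        if answer:
            return name, answer    # the closest non-empty set wins
    return None, []                # no CAA records anywhere in the tree


def may_issue(fqdn, ca_domain, dns):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    name, rrset = relevant_caa_set(fqdn, dns)
    if rrset == SERVFAIL:
        return False, f"CAA lookup for {name} failed (SERVFAIL)"
    # The issuer domain is the part of the value before any ';' parameters.
    issuers = [value.split(";")[0].strip().lower()
               for _flags, tag, value in rrset if tag.lower() == "issue"]
    if not issuers:
        return True, "no issue property restricts issuance"
    if ca_domain in issuers:
        return True, f"{ca_domain} is listed at {name}"
    listed = ", ".join(i or "(nobody)" for i in issuers)
    return False, f"{name} authorizes only: {listed}"


if __name__ == "__main__":
    for host in ("www.broken.example.net", "www.example.org", "www.example.com",
                 "www.example.edu", "www.example.invalid"):
        print(host, may_issue(host, "letsencrypt.org", SAMPLE_DNS))
```
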