Trying to renew certificates, every time acme-v02.api.letsencrypt.org resets the connection right after connecting.
This happens only with one IP address, everything else works fine.
Here is output from wacs.exe --verbose:
[DBUG] Send GET to https://acme-v02.api.letsencrypt.org/
[EROR] Failed to create order
System.Net.Http.HttpRequestException: An error occurred while sending the request.
---> System.Net.Http.WinHttpException (80072EFF, 12030): Error 12030 calling WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, 'The connection with the server was terminated abnormally'.
at System.Net.Http.WinHttpHandler.StartRequestAsync(WinHttpRequestState state)
--- End of inner exception stack trace ---
at PKISharp.WACS.Services.ProxyService.LoggingHttpClientHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(Uri uri, HttpMethod method, Object message, HttpStatusCode expectedStatuses, Boolean skipNonce, Boolean skipSigning, Boolean includePublicKey, CancellationToken cancel, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[T](Uri uri, HttpMethod method, Object message, HttpStatusCode expectedStatuses, Boolean skipNonce, Boolean skipSigning, Boolean includePublicKey, CancellationToken cancel, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.GetDirectoryAsync(String relativeUri, CancellationToken cancel)
at PKISharp.WACS.Clients.Acme.AcmeClient.<>c__DisplayClass25_0.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
at PKISharp.WACS.Clients.Acme.AcmeClient.Backoff[T](Func`1 executor, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClient.EnsureServiceDirectory(AcmeProtocolClient client)
at PKISharp.WACS.Clients.Acme.AcmeClient.ConfigureAcmeClient()
at PKISharp.WACS.Clients.Acme.AcmeClient.GetClient()
at PKISharp.WACS.Clients.Acme.AcmeClient.CreateOrder(IEnumerable`1 identifiers)
at PKISharp.WACS.Clients.Acme.OrderManager.CreateOrder(String cacheKey, Target target)
Check your server is configured to support TLS 1.2, in particular old versions like Server 2012 may not be configured to use TLS 1.2 by default.
(Running Nartac Software - IIS Crypto in Best Practices mode is a good start, but it's limited on Server 2012 due to some cipher suites not being available.)
In that case, no, that's Server 2019 2016 or higher. So it's unlikely to be a problem with TLS 1.2 not being enabled.
@mirko1 do you have outgoing https (tcp port 443) blocked on Windows Firewall or have you changed the firewall rules recently? I assume you don't have a proxy configured for outgoing internet. Can you open https://acme-v02.api.letsencrypt.org/directory on the server desktop browser?
I don't have any blocking rules for outgoing traffic on Windows Firewall, only for incoming.
I can't open https://acme-v02.api.letsencrypt.org/directory in a browser - after the initial TCP handshake, I get an RST message from the server. Same for all ports, 80, 443, ... actually any port I tried behaves the same way.
There's no proxy, but the server is behind firewall/NAT router, which is beyond my reach. I checked with the person who maintains the router (I did this first), and he claims there were no recent changes in configuration.
Ok, if your browser cannot connect then it's not win-acme that's the problem; you'll need to check connectivity to https://acme-v02.api.letsencrypt.org/directory from other machines to narrow it down. Your firewall administrator will need to confirm whether the outgoing request is matching any of their rules or if it's failing outside your network.
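The checks suggested in this thread (TLS 1.2 enabled for clients, no outbound block or proxy, and whether the CA's directory URL is reachable from the server itself) can be run in one go from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not part of win-acme and was not posted by anyone above. It assumes Windows Server 2012 R2 or later with PowerShell 5.1+ (for the DnsClient and NetSecurity cmdlets and `[type]::new()`), and the function names are my own. Because the original poster saw one CA address reset while others worked, it resolves every A record and probes each address on its own, separating "TCP connect fails" from "TCP handshake completes but the TLS handshake is reset", which is the symptom described above.

```powershell
# Added diagnostic script for the win-acme connectivity question (not project code).
# Assumes Windows Server 2012 R2+ / PowerShell 5.1+; host name and URL are from the thread.
$AcmeHost     = 'acme-v02.api.letsencrypt.org'
$DirectoryUrl = "https://$AcmeHost/directory"

function Test-Tls12ClientConfig {
    # SCHANNEL client setting that WinHTTP (and therefore wacs.exe) honours.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) {
            Write-Warning "TLS 1.2 is explicitly disabled for clients in $key"
        } else {
            Write-Host "TLS 1.2 client: Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
        }
    } else {
        Write-Host 'TLS 1.2 client key absent: the OS default for this Windows version applies'
    }
}

function Test-OutboundPolicy {
    # Proxy and local firewall state that could stop an outgoing HTTPS request.
    netsh winhttp show proxy
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Profile | Format-Table -AutoSize
}

function Test-AcmeEndpoint {
    # Probe each resolved address separately; a single HTTP request would mask one bad IP.
    $ips = Resolve-DnsName -Name $AcmeHost -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    foreach ($ip in $ips) {
        $client = [System.Net.Sockets.TcpClient]::new()
        $connected = $false
        try {
            $connected = $client.ConnectAsync($ip, 443).Wait(5000)
            if (-not $connected) {
                Write-Warning "$ip : TCP connect to 443 timed out (SYN unanswered, likely filtered)"
            }
        } catch {
            Write-Warning "$ip : TCP connect refused or reset: $($_.Exception.GetBaseException().Message)"
        }
        if ($connected) {
            # TCP handshake done; now see whether the TLS ClientHello is answered or reset.
            try {
                $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
                $ssl.AuthenticateAsClient($AcmeHost)
                Write-Host "$ip : TCP ok, TLS $($ssl.SslProtocol) negotiated"
                $ssl.Dispose()
            } catch {
                # A reset right after the TCP handshake (the symptom in this thread) lands here.
                Write-Warning "$ip : TCP handshake ok but TLS failed: $($_.Exception.GetBaseException().Message)"
            }
        }
        $client.Dispose()
    }
    # Same request wacs.exe makes, pinned to TLS 1.2 on the .NET side so defaults don't confound it.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        $r = Invoke-WebRequest -Uri $DirectoryUrl -UseBasicParsing -TimeoutSec 15
        Write-Host "GET $DirectoryUrl -> HTTP $($r.StatusCode)"
    } catch {
        Write-Warning "GET $DirectoryUrl failed: $($_.Exception.Message)"
    }
}

Test-Tls12ClientConfig
Test-OutboundPolicy
Test-AcmeEndpoint
```

If every address shows "TCP handshake ok but TLS failed" with a connection-reset message while the same script succeeds from a machine outside the network, the reset is being injected between the server and the CA (NAT router, upstream firewall or ISP) and the router administrator's logs are the next place to look; if only the TCP connect fails, the block is a plain filter and the outbound rule listing above will usually show it.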