Authorization failed when running wacs.exe


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: []

I ran this command:

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 200.0.6959.25723 (RELEASE)
[INFO] IIS version 7.5
[INFO] Please report issues at

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
C: Cancel scheduled renewal
X: Cancel all scheduled renewals
T: (Re)create scheduled task
I: Import scheduled renewals from WACS/LEWS 1.9.x
Q: Quit

Please choose from the menu: n

[INFO] Running in mode: Interactive, Simple

1: Single binding of an IIS site
2: SAN certificate for all bindings of an IIS site
3: SAN certificate for all bindings of multiple IIS sites
4: Manually input host names
C: Cancel

Which kind of certificate would you like to create?: 1

1: (SiteId 2)
C: Cancel

Choose binding: 1

It produced this output:
[INFO] Target generated using plugin IISBinding:
[INFO] Authorize identifier:
[INFO] Authorizing using http-01 validation (SelfHos
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

My web server is (include version): IIS Server 7.5

The operating system my web server runs on is (include version): Windows Server 2008 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes, admin priviliges are provided

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Thanks in advance!


Do they have a support channel?

IIS v7.5 doesn’t support SNI (not sure if this adds to the problem)


Hi @Bancroft

your main configuration is ok ( ):

Domainname Http-Status redirect Sec. G 200 0.077 H 200 1.603 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors 404 0.103 A
Not Found

Port 80 is open, the critical subdirectory /.well-known/acme-challenge is visible.

But (a standard IIS problem): Are files without extension allowed?

Find your webroot, create the two subdirectories /.well-known/acme-challenge, there a text file (file name 1234) without extension.

Then try to load this file via


PS: If this doesn’t work, you need a config file in /.well-known:

            <mimeMap fileExtension="." mimeType="text/plain" />

That allows IIS to server files without extension.



thanks for the quick response!

I created the subdirectories .wellknown and /acme-challenge and created a textfile without extension. I also added extensionless to the mimetypes.
When acessing the file via localhost directly on the server everything works properly. However, when i try to access the file using i get an 404 error.


Did you create these subdirectories in your webroot?



but this may be another path?


Yes, the file is currently present under the path

What i managed to find out is that i currently have to websites:

  1. Default Website

I added the virtual directory C:\inetpub\wwwroot\well-known with Alias .well-known to the default website and suddenly the file is accessible!

Could this be the problem: That the default website gets triggered instead of the


You must use the webroot of fastpassmanager, not the default webroot (if you have two webserver).


That should be .well-known
[with a dash]

And this one is missing the “.”


When creating folders that start with a dot…

In some older Windows systems you may have to also include a dot after the folder name.

mkdir c:\inetpub\.well-known.
mkdir c:\inetpub\.well-known\acme-challenge


This isn’t relevant if he creates a virtual directory with C:\inetpub\wwwroot\well-known\acme-challenge as path.


Yes, exactly. I created a virtual directory with C:\inetpub\wwwroot\well-known\acme-challenge.

The file is accessible now with

Any ideas on how to progress now?


But not via http. Letsencrypt needs the file via http.

So a http / port 80 binding is required.


Redirect all http to https.
LE will follow the redirection and should find the file in that folder