Authorization result : invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
.\wacs.exe --renew --baseuri ""
It produced this output:

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version (RELEASE, PLUGGABLE)
[INFO] IIS version 10.0
[INFO] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at
[INFO] Force renewing certificate for [IIS] site 2 (any host)
[INFO] Authorize identifier:
[INFO] Authorizing using http-01 validation (SelfHosting)
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching Timeout during connect (likely firewall problem)",
"status": 400
[EROR] Authorization result: invalid
[EROR] Renewal for [IIS] site 2 (any host) failed, will retry on next run

My web server is (include version):
The operating system my web server runs on is (include version):
windows 2012
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

win-acme client version 2.1.2

Hi @sudhirrajgowda


you see your error: A working port 80 is required. Your port 80 doesn't work.

May be not configured or may be a blocking firewall.

Change that.

1 Like

How I can check if port is working or not,

ran netsh http show urlacl

Reserved URL : http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)

I have very similar env, where it work fine. Is there any setting on windows it is blocking. IIS is binding to both 80 and 443.

There could also be a firewall elsewhere on the network that prevents connections to port 80 on your machine. What sort of network environment are you running in? (The question about your "hosting provider" in the questionnaire form was more about which organization provides the network connectivity for your server, rather than what kind of software is used.)

1 Like

We are running inside a AKS cluster

Does your setup forward port 80 on, as seen by the outside world, to port 80 of the machine where you're running WACS?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.