Authorization result : invalid

sudhirrajgowda · December 1, 2020, 11:03am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
combit-wus1.qa.logistics.bdservices.io
I ran this command:
.\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
It produced this output:

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.2.641 (RELEASE, PLUGGABLE)
[INFO] IIS version 10.0
[INFO] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/PKISharp/win-acme
[INFO] Force renewing certificate for [IIS] site 2 (any host)
[INFO] Authorize identifier: combit-wus1.qa.logistics.bdservices.io
[INFO] Authorizing combit-wus1.qa.logistics.bdservices.io using http-01 validation (SelfHosting)
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://combit-wus1.qa.logistics.bdservices.io/.well-known/acme-challenge/xXFlZHhfLi4NvACM8q6_P6_kiw2Xvpx1zgactmOLfKQ: Timeout during connect (likely firewall problem)",
"status": 400
}
[EROR] Authorization result: invalid
[EROR] Renewal for [IIS] site 2 (any host) failed, will retry on next run

My web server is (include version):
IIS
The operating system my web server runs on is (include version):
windows 2012
My hosting provider, if applicable, is:
VM
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

win-acme client version 2.1.2

JuergenAuer · December 1, 2020, 12:33pm

Hi @sudhirrajgowda

there

you see your error: A working port 80 is required. Your port 80 doesn't work.

May be not configured or may be a blocking firewall.

Change that.

sudhirrajgowda · December 1, 2020, 12:40pm

How I can check if port is working or not,

ran netsh http show urlacl

result
Reserved URL : http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)

I have very similar env, where it work fine. Is there any setting on windows it is blocking. IIS is binding to both 80 and 443.

schoen · December 1, 2020, 8:59pm

There could also be a firewall elsewhere on the network that prevents connections to port 80 on your machine. What sort of network environment are you running in? (The question about your "hosting provider" in the questionnaire form was more about which organization provides the network connectivity for your server, rather than what kind of software is used.)

sudhirrajgowda · December 3, 2020, 2:09pm

We are running inside a AKS cluster

schoen · December 7, 2020, 8:53pm

Does your setup forward port 80 on 23.101.202.239, as seen by the outside world, to port 80 of the machine where you're running WACS?

system · January 6, 2021, 8:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authorization result: invalid Help	7	1031	October 7, 2021
Authorization fails Help	3	986	November 7, 2019
Renewal is failing status 400 Help	2	1111	June 10, 2022
Authorization issues Help	14	4535	March 18, 2020
Setting up certificates error - 403 Help	20	973	November 15, 2022

Authorization result : invalid

Related topics