Authorization Timeout target principal name is incorrect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: forms.wellbridge.com, electronicformsrepository.wellbridge.com

I ran this command: wacs.exe

It produced this output:

1: [IISSites] All - renewed 10 times, due after 2020/9/10 9:00:24, 60 error(s) like 'Authorization failed'
2: [IISSite] Electronic Forms Repository - renewed 8 times, due after 2020/12/27 12:15:45
: Back

Which renewal would you like to run?: 2

[WARN] First chance error calling into ACME server, retrying with new nonce...
[INFO] Authorize identifier: electronicformsrepository.wellbridge.com
[INFO] Cached authorization result: valid
[WARN] Using cached certificate for [IISSite] Electronic Forms Repository. To force issue of a new certificate within 24 hours, delete the .pfx file from the CertificatePath or run with the --force switch. Be ware that you might run into rate limits doing so.
[INFO] Store with CertificateStore...
[WARN] Certificate with thumbprint DDAF13D8A7617A7FBFBB98BE4DA7CEEF428C8BE5 is already in the store
[INFO] Installing with IIS...
[INFO] Committing 2 https binding changes to IIS
[INFO] Next renewal scheduled at 2020/12/28 12:02:37
[INFO] Renewal for [IISSite] Electronic Forms Repository succeeded

Then I try the 'All'

1: [IISSites] All - renewed 10 times, due after 2020/9/10 9:00:24, 60 error(s) like 'Authorization failed'
2: [IISSite] Electronic Forms Repository - renewed 9 times, due after 2020/12/28 12:02:37
: Back

Which renewal would you like to run?: 1

[WARN] First chance error calling into ACME server, retrying with new nonce...
[INFO] Authorize identifier: electronicformsrepository.wellbridge.com
[INFO] Cached authorization result: valid
[INFO] Authorize identifier: forms.wellbridge.com
[INFO] Cached authorization result: valid
[INFO] Authorize identifier: test.poswebservice.wellbridge.com
[INFO] Authorizing test.poswebservice.wellbridge.com using http-01 validation (SelfHosting)
[EROR] Authorization timed out
[EROR] Renewal for [IISSites] All failed, will retry on next run

Then I tried to Create New:

My web server is (include version):

The operating system my web server runs on is (include version): Windows 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes, CMD

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

win-acme 2.0.7.315

My last results: https://check-your-website.server-daten.de/?q=forms.wellbridge.com

Using Curl:
M:>curl https://forms.wellbridge.com:449
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

I have verified that ports 80 and 449 are open using https://www.yougetsignal.com/tools/open-ports/

Whenever I go to https://forms.wellbridge.com:449 it gives the 'Your Connection Is Not Private' error. Looking at the certificate it says the CN=electronicformsrepository.wellbridge.com. Based on this and the curl message, I'm guessing the certificate is assigned to the wrong domain?

Both sites are on the same Windows 2016 server.
https://forms.wellbridge.com = 449, 8081
https://electronicformsrepository.wellbridge.com = 500, 8083

I'm not very familiar with certificates or IIS, but I'm the last IT guy. Not sure what I should do now? Should I somehow revoke everything?

2 Likes

Hi @arkhos

Your wrong result is expected.

Your certificate has the electronic... domain name. But your binding has the forms domain name.

--> Mismatch -> certificate is invalid.

Use this certificate with your other domain name.

4 Likes
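The mismatch described in the reply above, as an added example that is not part of the original thread: a small audit that flags any HTTPS binding whose certificate does not list the host name clients connect to, which is the condition curl reports as SEC_E_WRONG_PRINCIPAL. The host names and ports come from the post; the thumbprint label, the inventory layout and the function names are assumptions made for illustration.

```python
# Added example: constructed inventory, not output from the server in this thread.

def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard covers exactly one label and never a bare two-label domain.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, cert_names):
    """True if any name in the certificate covers the requested hostname."""
    return any(name_matches(hostname, n) for n in cert_names)


def audit_bindings(bindings, certs):
    """Return (host, port, thumbprint) for every binding whose certificate
    does not cover the host name clients will use for it."""
    problems = []
    for host, port, thumbprint in bindings:
        if not cert_covers(host, certs.get(thumbprint, [])):
            problems.append((host, port, thumbprint))
    return problems


# Host names and ports are from the post; "THUMBPRINT-A" is a placeholder
# for the single certificate that both bindings ended up sharing.
CERTS = {
    "THUMBPRINT-A": ["electronicformsrepository.wellbridge.com"],
}
BINDINGS = [
    ("electronicformsrepository.wellbridge.com", 500, "THUMBPRINT-A"),
    ("forms.wellbridge.com", 449, "THUMBPRINT-A"),  # the mismatch curl reported
]

if __name__ == "__main__":
    for host, port, thumb in audit_bindings(BINDINGS, CERTS):
        print(f"MISMATCH {host}:{port} uses {thumb}, which does not list {host}")
```

Giving the forms binding its own certificate that lists forms.wellbridge.com, as the original poster did next, makes the audit return an empty list.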

OK, I created a New Certificate for just forms.wellbridge.com instead of for All Sites and it works now!

Thanks!

3 Likes