Auto Renew Fails Using Windows ACMEv2 Client and ACME DNS

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Private Subdomain (internal.company.com)

I ran this command: wacs.exe --renew --baseuri “https://acme-v02.api.letsencrypt.org/

It produced this output:
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.10.444 (RELEASE)
[INFO] IIS version 10.0
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/PKISharp/win-acme
[INFO] Renewing certificate for [IISBinding] internal.company.com
[INFO] Authorize identifier: internal.company.com
[INFO] Authorizing internal.company.com using http-01 validation (SelfHosting)
[EROR] {
“type”: “urn:ietf:params:acme:error:dns”,
“detail”: “No valid IP addresses found for internal.company.com”,
“status”: 400
}
[EROR] Authorization result: invalid
[EROR] Renewal for [IISBinding] internal.company.com failed, will retry on next run

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme.v2.0.10.444

So I am unable to auto renew using win-acme for a private subdomain certificate leveraging ACME DNS. I know it doesn’t have an external IP address as it is not supposed to be publicly available. Everything works when I create the certificate and use DNS challenge leveraging ACME DNS. This issue becomes when the scheduled task runs to auto renew and it seems to be using the http-01 validation method instead of dns-01.

Is there a way to write the command to enforce dns-01 validation instead of http-01? Is there something I’m missing or is this not even possible to auto renew a certificate leveraging Windows ACMEv2 client and ACME DNS without publishing an external IP address?

Any insight or help is very much appreciated.

Thank you,

1 Like
3

You should review (or post here for all to review) the contents of the settings.json file.

There may also be some helpful messages to be found in the log files:
%programdata%\win-acme\logs
{ConfigurationPath}\Log

4

Hi @gp_ob

if you want to use http validation

your domain must be public, with a public visible ip address.

If your ip address isn't public, you can't use http validation. May be dns validation is possible.

Read

1 Like
5

With acme-dns you create a specific CNAME (_acme-challenge.internal.company.com) in your DNS, this must be in your public DNS but internal.company.com itself doesn’t need to point to a public IP (or a website).

1 Like
6

Yep I created that CNAME record in my public DNS.

1 Like
7

Exactly, that’s what I think I need to use but I have not found how to modify the scheduled auto-renew command to leverage the dns validation.

1 Like
8

So after doing some digging, I found the renewal JSON file that needs to be updated. Running the --list command, this is the output:

Renewal -----------------------------------------------------------------
Id: KntgHiuDSETe0Q8K8NaVOQ
File: KntgHiuDSETe0Q8K8NaVOQ.renewal.json
FriendlyName: [Auto] [IISBinding] internal.company.com
.pfx password: pfxpassword removed
Renewal due: 2020/2/6 15:42:03
Renewed: 6 times
Target -----------------------------------------------------------------

  • Plugin: IISBinding - (Single binding of an IIS website)
  • Host: internal.company.com
  • SiteId: 1
    Validation -----------------------------------------------------------------
  • Plugin: SelfHosting - (Serve verification files from memory
    (recommended))
    CSR -----------------------------------------------------------------
  • Plugin: RSA - (RSA key)
    Store -----------------------------------------------------------------
  • Plugin: CertificateStore - (Windows Certificate Store)
    Installation -----------------------------------------------------------------
  • Plugin: IIS - (Create or update https bindings in IIS)

It shows that the Validation Plugin is set to Self-Hosting. I believe I can change the plugin on the renewal.json file but I don’t know where I can find the ValidationPluginOption guid for dns-01:

{

“Id”: “KntgHiuDSETe0Q8K8NaVOQ”,
“LastFriendlyName”: “[IISBinding] internal.company.com”,
“PfxPasswordProtected”: “pfxpassword removed”: {
“SiteId”: 1,
“Host”: “internal.company.com”,
“Plugin”: “2f5dd428-0f5d-4c8a-8fd0-56fc1b5985ce”
},
"ValidationPluginOptions": {
"Plugin": "c7d5e050-9363-4ba1-b3a8-931b31c618b7"
},
“CsrPluginOptions”: {
“Plugin”: “b9060d4b-c2d3-49ac-b37f-962e7c3cbe9d”
},
“StorePluginOptions”: [
{
“KeepExisting”: false,
“Plugin”: “e30adc8e-d756-4e16-a6f2-450f784b1a97”
}
],
“InstallationPluginOptions”: [
{
“Plugin”: “ea6a5be3-f8de-4d27-a6bd-750b619b2ee2”
}
],

Anyone know what that ValidationPluginOption guid is?

1 Like
9

While you’re trying things out I’d urge you to try https://certifytheweb.com - this is a Windows GUI I develop that does all this, it may be easier than wrestling config files.

Alternatively jump onto https://github.com/win-acme/win-acme/issues that’s the best place to ask win-acme questions.

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.