Auto Renew Fails Using Windows ACMEv2 Client and ACME DNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Private Subdomain (internal.company.com)

I ran this command: wacs.exe --renew --baseuri “https://acme-v02.api.letsencrypt.org/

It produced this output:
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.10.444 (RELEASE)
[INFO] IIS version 10.0
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/PKISharp/win-acme
[INFO] Renewing certificate for [IISBinding] internal.company.com
[INFO] Authorize identifier: internal.company.com
[INFO] Authorizing internal.company.com using http-01 validation (SelfHosting)
[EROR] {
“type”: “urn:ietf:params:acme:error:dns”,
“detail”: “No valid IP addresses found for internal.company.com”,
“status”: 400
}
[EROR] Authorization result: invalid
[EROR] Renewal for [IISBinding] internal.company.com failed, will retry on next run

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme.v2.0.10.444

So I am unable to auto renew using win-acme for a private subdomain certificate leveraging ACME DNS. I know it doesn’t have an external IP address as it is not supposed to be publicly available. Everything works when I create the certificate and use DNS challenge leveraging ACME DNS. This issue becomes when the scheduled task runs to auto renew and it seems to be using the http-01 validation method instead of dns-01.

Is there a way to write the command to enforce dns-01 validation instead of http-01? Is there something I’m missing or is this not even possible to auto renew a certificate leveraging Windows ACMEv2 client and ACME DNS without publishing an external IP address?

Any insight or help is very much appreciated.

Thank you,

1 Like

You should review (or post here for all to review) the contents of the settings.json file.

There may also be some helpful messages to be found in the log files:
%programdata%\win-acme\logs
{ConfigurationPath}\Log

Hi @gp_ob

if you want to use http validation

your domain must be public, with a public visible ip address.

If your ip address isn’t public, you can’t use http validation. May be dns validation is possible.

Read

1 Like

With acme-dns you create a specific CNAME (_acme-challenge.internal.company.com) in your DNS, this must be in your public DNS but internal.company.com itself doesn’t need to point to a public IP (or a website).

1 Like

Yep I created that CNAME record in my public DNS.

1 Like

Exactly, that’s what I think I need to use but I have not found how to modify the scheduled auto-renew command to leverage the dns validation.

1 Like

So after doing some digging, I found the renewal JSON file that needs to be updated. Running the --list command, this is the output:

Renewal -----------------------------------------------------------------
Id: KntgHiuDSETe0Q8K8NaVOQ
File: KntgHiuDSETe0Q8K8NaVOQ.renewal.json
FriendlyName: [Auto] [IISBinding] internal.company.com
.pfx password: pfxpassword removed
Renewal due: 2020/2/6 15:42:03
Renewed: 6 times
Target -----------------------------------------------------------------

  • Plugin: IISBinding - (Single binding of an IIS website)
  • Host: internal.company.com
  • SiteId: 1
    Validation -----------------------------------------------------------------
  • Plugin: SelfHosting - (Serve verification files from memory
    (recommended))
    CSR -----------------------------------------------------------------
  • Plugin: RSA - (RSA key)
    Store -----------------------------------------------------------------
  • Plugin: CertificateStore - (Windows Certificate Store)
    Installation -----------------------------------------------------------------
  • Plugin: IIS - (Create or update https bindings in IIS)

It shows that the Validation Plugin is set to Self-Hosting. I believe I can change the plugin on the renewal.json file but I don’t know where I can find the ValidationPluginOption guid for dns-01:

{

“Id”: “KntgHiuDSETe0Q8K8NaVOQ”,
“LastFriendlyName”: “[IISBinding] internal.company.com”,
“PfxPasswordProtected”: “pfxpassword removed”: {
“SiteId”: 1,
“Host”: “internal.company.com”,
“Plugin”: “2f5dd428-0f5d-4c8a-8fd0-56fc1b5985ce”
},
"ValidationPluginOptions": {
"Plugin": "c7d5e050-9363-4ba1-b3a8-931b31c618b7"
},
“CsrPluginOptions”: {
“Plugin”: “b9060d4b-c2d3-49ac-b37f-962e7c3cbe9d”
},
“StorePluginOptions”: [
{
“KeepExisting”: false,
“Plugin”: “e30adc8e-d756-4e16-a6f2-450f784b1a97”
}
],
“InstallationPluginOptions”: [
{
“Plugin”: “ea6a5be3-f8de-4d27-a6bd-750b619b2ee2”
}
],

Anyone know what that ValidationPluginOption guid is?

1 Like

While you’re trying things out I’d urge you to try https://certifytheweb.com - this is a Windows GUI I develop that does all this, it may be easier than wrestling config files.

Alternatively jump onto https://github.com/win-acme/win-acme/issues that’s the best place to ask win-acme questions.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.