Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: Private Subdomain (internal.company.com)
I ran this command: wacs.exe --renew --baseuri “https://acme-v02.api.letsencrypt.org/”
It produced this output:
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 188.8.131.524 (RELEASE)
[INFO] IIS version 10.0
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/PKISharp/win-acme
[INFO] Renewing certificate for [IISBinding] internal.company.com
[INFO] Authorize identifier: internal.company.com
[INFO] Authorizing internal.company.com using http-01 validation (SelfHosting)
“detail”: “No valid IP addresses found for internal.company.com”,
[EROR] Authorization result: invalid
[EROR] Renewal for [IISBinding] internal.company.com failed, will retry on next run
My web server is (include version): IIS 10
The operating system my web server runs on is (include version): Windows Server 2016
My hosting provider, if applicable, is: NA
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NA
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you’re using Certbot): win-acme.v184.108.40.2064
So I am unable to auto renew using win-acme for a private subdomain certificate leveraging ACME DNS. I know it doesn’t have an external IP address as it is not supposed to be publicly available. Everything works when I create the certificate and use DNS challenge leveraging ACME DNS. This issue becomes when the scheduled task runs to auto renew and it seems to be using the http-01 validation method instead of dns-01.
Is there a way to write the command to enforce dns-01 validation instead of http-01? Is there something I’m missing or is this not even possible to auto renew a certificate leveraging Windows ACMEv2 client and ACME DNS without publishing an external IP address?
Any insight or help is very much appreciated.