Cann`t renew certificate on ACMESharp


Please help!!!
For renew i did next command
Get-ACMEExtensionModule | Select-Object -Expand Name
Complete-ACMEChallenge -IdentifierRef www-example-com -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = ‘example’ }

On this step i get error
Complete-ACMEChallenge : authorization is not in pending state; use Force flag to override this validation

What do i need do?


Yes, I started taking the first steps to changing the certificate
But already at the stage Complete-ACMEChallenge there were errors or I do not do those actions certificate?
When i did
New-ACMECertificate -Generate -IdentifierRef www-example-com -Alias cert-example1-domains
Submit-ACMECertificate -CertificateRef cert-example1-domains
I get
Submit-ACMECertificate : Error creating new cert :: authorizations for these names not found or


Looks like your validation got in a weird state.

Try adding -Refresh to your Complete-ACMEChallenge command so AcmeSharp won’t try and use the broken, cached one:

Complete-ACMEChallenge -IdentifierRef www-example-com -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = ‘example’ } -Refresh


The trick to renewing is just to run the process again but with a different Identifier Ref passed into New-ACME Identifier. Run through the process again and you have a new certificate.


I found the right sequence of commands
Import-Module ACMESharp

New-ACMEIdentifier -Dns -Alias example1

Complete-ACMEChallenge example1 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = ‘’ }

Submit-ACMEChallenge -IdentifierRef example1 -ChallengeType http-01

Update-ACMEIdentifier -IdentifierRef example1

New-ACMEIdentifier -Dns -Alias example11

Complete-ACMEChallenge example11 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = ‘’ }

Submit-ACMEChallenge -IdentifierRef example11 -ChallengeType http-01

Update-ACMEIdentifier -IdentifierRef example11

New-ACMECertificate -Generate -IdentifierRef example1 -AlternativeIdentifierRefs @(‘example11’) -Alias cert-example1

Submit-ACMECertificate -CertificateRef cert-example1

Update-ACMECertificate -CertificateRef cert-example1

Get-ACMEInstallerProfile -ListInstallers

Install-ACMECertificate -CertificateRef cert-example1 -Installer iis -InstallerParameters @{
WebSiteRef = ‘

I hope that to someone else will help
thank you all for participating in the discussion


Yes, you will keep the domain name but change the alias.

New-ACMEIdentifier -Dns -Alias something-else

The alias is a name you create. It does not mean anything. It is an identifier that links some information needed by Let’s Encrypt with your domain name.

My recommendation is that you add the date to the alias. Something like:

New-ACMEIdentifier -Dns -Alias “”


I’m sorry I’d have to take issue with the comment that ‘none of them are very complete’! Certify The Web ( - which is my own app for Let’s Encrypt certificate on Windows has been stable for over a year and the new v4 beta supports wildcard certs and DNS validation etc.

If you specifically need/want to script your renewal (because you have deep integration into other processes/workflows) then low-level tools like ACMESharp are invaluable. If you just want a cert for your IIS website then I’d suggest re-evaluating the high level tools available now. Even if you want to do custom scripting after your renewal the actual cert request/renewal part can be handled for you.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.