Cannot Renew - Server 2016 Exchange 2016

Server: Windows 2016
Web: On_Prem Exchange/IIS

My domain is: autodiscover.dmctools.com and 6 other subdomains.

I originally had a scheduled task to renew, but it started failing and I didn't realize until it was too late. The autorenew command was wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

Task output: Task Scheduler successfully completed task "\win-acme renew (acme-v02.api.letsencrypt.org)", instance "{78391ef9-7458-432a-b6a9-01756b0778a4}", action "D:\LetsEncrypt\wacs.exe" with return code 2147516570.

When attempting to renew manually, I received the errors below.

Unable to refresh cached order: JWS has an invalid anti-replay nonce: "0002nSVfeD9rItOwtRbZWKWAJBVo9Wd_8tRTyhGCGjh7xmQ"
Cached authorization result for autodiscover.dmctools.com: valid
Cached authorization result for exchange.dmctools.com: valid
Cached authorization result for mail.dmctools.com: valid
Cached authorization result for mobile.dmctools.com: valid
Cached authorization result for owa.dmctools.com: valid
Authorize identifier webmail.dmctools.com
Authorizing webmail.dmctools.com using http-01 validation (FileSystem)
Answer should now be browsable at http://webmail.dmctools.com/.well-known/acme-challenge/k367DSz4nlkg8z_BVPaL9Ued_BVq_cHGzaH2KEVTbiw
Preliminary validation failed, the server answered '(null)' instead of 'k367DSz4nlkg8z_BVPaL9Ued_BVq_cHGzaH2KEVTbiw.7iN1DWaYDPmQjyNvQ1ZwDZDQf8yaRRh8UGOO3AejmeE'. The ACME server might have a different perspective
{
  "type": "urn:ietf:params:acme:error:connection",
  "detail": "Fetching http://webmail.dmctools.com/.well-known/acme-challenge/k367DSz4nlkg8z_BVPaL9Ued_BVq_cHGzaH2KEVTbiw: Timeout during connect (likely firewall problem)",
  "status": 400
}
Authorization result: invalid

I was using wacs.exe V2.1.7.807
Also tried using v2.1.8.835

Same issue: it will not renew, and I always get an error code with a timeout. The firewall is off, although that page is not browsable at all. I have never had to go to that page before, so I cannot say whether it worked or not in the past.

Any help would be awesome! I have people breathing down my neck right now.


Hi @dmctools

A working port 80 is required to create a certificate if you want to use http validation.

Is there a webserver with that domain name and a port 80 binding defined?

If not, create one.

PS: Same with all of your other domains.


Did something change in the way wacs renews? This just started happening this month. It worked fine before, and I never had to make MYSUBDOMAINS.mydomain.com available on port 80. It is only available via HTTPS.

Please read the basics.


Thank you,

I have created those subdomains in IIS and they are viewable locally, but it still fails. Do I need to temporarily open that up to the outside to validate? I see it creates the files for each sub, then removes them when it fails.

EDIT: I read the error/warning, yes it does.

They are accessible, but still cannot validate.
Domain: mobile.dmctools.com
Type: unauthorized
Detail: Invalid response from
http://mobile.dmctools.com/.well-known/acme-challenge/IoiDjcaqHMoyD83SoKCTWKIRaOmrYamxEj0RUhpz9Z8
[75.112.23.110]: "\r\n<html
xmlns="http"


I ended up switching from certbot back to wacs.exe and it worked.

Thank you!


Yep, now there is a http answer.

http validation -> working port 80 is required.

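The pre-flight check behind the last two replies, as an added example that is not from the thread or from win-acme: for each hostname it confirms something answers on TCP 80, drops a probe file where win-acme writes its http-01 answer, and fetches it over plain HTTP without following redirects, the way the CA does. The hostnames come from the thread; the web-root paths and the script itself are assumptions.

```powershell
# Added pre-flight check for win-acme http-01 validation (not part of win-acme).
# Assumptions: each hostname is bound in IIS to a site whose physical root is
# listed in $SiteRoots (hypothetical paths), and the machine running this can
# reach the names on port 80 the way an outside client would.
$Hosts = @('autodiscover.dmctools.com', 'webmail.dmctools.com')   # add the other subdomains
$SiteRoots = @{
    'autodiscover.dmctools.com' = 'C:\inetpub\wwwroot'
    'webmail.dmctools.com'      = 'C:\inetpub\wwwroot'
}

function Test-Http01Path {
    param([string]$HostName, [string]$WebRoot)
    $result = [ordered]@{ Host = $HostName; Port80 = $false; Served = $false; Note = '' }

    # 1. Plain TCP check first: no listener on 80 is the "Timeout during connect" case.
    $tcp = Test-NetConnection -ComputerName $HostName -Port 80 -WarningAction SilentlyContinue
    $result.Port80 = $tcp.TcpTestSucceeded
    if (-not $result.Port80) { $result.Note = 'no TCP answer on port 80'; return [pscustomobject]$result }

    # 2. Write a probe token into the challenge folder and fetch it over http://
    #    with redirects disabled; a 3xx to https or an HTML body is what produced
    #    the "Invalid response ... <html" error in the thread.
    $dir   = Join-Path $WebRoot '.well-known\acme-challenge'
    $token = 'probe-' + [guid]::NewGuid().ToString('N')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path (Join-Path $dir $token) -Value $token -NoNewline
    try {
        $resp = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/$token" `
                                  -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        if ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq $token) {
            $result.Served = $true
        } elseif ($resp.Content -match '<html') {
            $result.Note = 'got HTML instead of the token (default page or rewrite rule?)'
        } else {
            $result.Note = "HTTP $($resp.StatusCode), body did not match token"
        }
    } catch {
        # Redirects, 4xx responses and connect failures all surface here. A 404 on
        # an otherwise working site usually means IIS has no MIME type for the
        # extensionless token file; win-acme normally handles that with a web.config.
        $result.Note = $_.Exception.Message
    } finally {
        Remove-Item (Join-Path $dir $token) -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

$Hosts | ForEach-Object { Test-Http01Path -HostName $_ -WebRoot $SiteRoots[$_] } | Format-Table -AutoSize
```

Run it from a host outside the LAN as well, since a name that resolves to an internal address locally can still time out from the CA's perspective.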
