Hi,
I am trying to get a password on a Windows Server. I am running Win-Acme tool.
My domain is: app.home.tilsch.it
I ran this command: using win-acme tool with remote file storage for authentication
It produced this output:
[INFO] Authorize identifier: app.home.tilsch.it
[INFO] Authorizing app.home.tilsch.it using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://app.home.tilsch.it/.well-known/acme-challenge/QE7Km8paWonguwybZYRtNMNjSoKXz_kLy-3p5pPF_l0
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[EROR] Authorization timed out
[EROR] Create certificate failed: Authorization failed
My web server is (include version):
IIS 8.5
The operating system my web server runs on is (include version):
Windows Server 2012 R2
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme v2.0.4.227
I am getting the same timeout when I choose the DNS method.
What is it checking more thoroughly?
I'm not a Win-ACME expert; So I have some questions/concerns that may help clarify the problem (to me and also to other readers)…
To better understand the problem (and help facilitate reaching a proper solution), I think you may need to be more specific about the exact command line options included.
And/or maybe also try posting directly to the Win-ACME community:
Also, you acknowledge the use of a control panel; But fail to mention exactly which one (and any details - version, etc.):
Hi, I did not post any additional details, since I think none of it is relevant. I used mmc to configure the IIS. The file is accessible, so the IIS config is ok.
I don’t understand, why it says:
Preliminary validation looks good, but ACME will be more thorough…
and then times out with no information on what is checked additionally.
And now we even have less than what you see to work with.
I doubt there is anyone on this forum that can say anything specific about the problem you describe (including the information provided).
To you...
To everyone else (who has no clue on exactly... everything about this problem), every little piece of information is relevant.
Unfortunately, it looks like the logs from win-acme aren't detailed enough here. When an authorization fails, the certificate authority returns a message explaining why it failed. But here win-acme apparently received that message but failed to include it in the log. That makes it hard to be sure of the reason; it would be helpful to find a way to make win-acme create more verbose logs, if possible.
A likely explanation for your problem is that your DNS server doesn't understand CAA records.
For more information about this problem, please see
This document thoroughly explains the situation about CAA. The most relevant section may be
Since Let’s Encrypt checks CAA records before every certificate we issue, sometimes we get errors even for domains that haven’t set any CAA records. When we get an error, there’s no way to tell whether we are allowed to issue for the affected domain, since there could be CAA records present that forbid issuance, but are not visible because of the error. If you receive CAA-related errors, try a few more times against our staging environment to see if they are temporary or permanent. If they are permanent, you will need to file a support issue with your DNS provider, or switch providers. If you’re not sure who your DNS provider is, ask your hosting provider. Some DNS providers that are unfamiliar with CAA initially reply to problem reports with “We do not support CAA records.” Your DNS provider does not need to specifically support CAA records; it only needs to reply with a NOERROR response for unknown query types (including CAA). Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.
@rg305 Sorry, that my uneducated questions bother you. I still appreciate you investing your time. I am completely new to letsencrypt and hoped for a starting point or obvious mistake.
@schoen Thank you for the hint regarding more verbose output. I will check if there is such thing and thank you as well for the hint regarding CAA records.
When I manually call that link, the following is displayed:
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: SERVFAIL looking up CAA for home.tilsch.it",
    "status": 400
  }
}
So you rightfully pointed at CAA problems.
I will need to find out what is causing this problem. Thank you all so far
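The CAA behaviour described in the quoted Let's Encrypt passage and the authorization object pasted above fit together: the CA walks from the requested name up through its parents asking for CAA at each one, and a SERVFAIL (or NOTIMP/REFUSED) at any level is fatal, while NOERROR with no records simply means "keep climbing". The Python below is an added example, not code from win-acme or from anyone in this thread. It parses an authorization object shaped like the one above, pulls out the name the CA was querying, and walks the CAA chain against a simulated resolver. The authorization JSON, the two resolver tables and the CAA record placed on tilsch.it are constructed for illustration; the climbing order follows RFC 8659 (the name, then each parent up to the TLD).

```python
"""Read a failed ACME authorization and replay the CAA lookup chain a CA performs."""
import json
import re

# Constructed sample, modelled on the authorization object quoted in the thread.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "app.home.tilsch.it"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "error": {
            "type": "urn:ietf:params:acme:error:dns",
            "detail": "DNS problem: SERVFAIL looking up CAA for home.tilsch.it",
            "status": 400,
        },
    }],
})

# Constructed resolver tables: name -> (rcode, list of CAA records as "flags tag value").
# BROKEN reproduces the thread: the zone for home.tilsch.it answers CAA with SERVFAIL.
BROKEN_RESOLVER = {
    "app.home.tilsch.it": ("NOERROR", []),
    "home.tilsch.it": ("SERVFAIL", []),
}
# HEALTHY answers NOERROR at every level and carries a (constructed) CAA record at tilsch.it.
HEALTHY_RESOLVER = {
    "app.home.tilsch.it": ("NOERROR", []),
    "home.tilsch.it": ("NOERROR", []),
    "tilsch.it": ("NOERROR", ['0 issue "letsencrypt.org"']),
    "it": ("NOERROR", []),
}


def failed_challenges(authz_json):
    """Return (challenge type, error type, detail) for each challenge the CA marked invalid."""
    authz = json.loads(authz_json)
    out = []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if ch.get("status") == "invalid" and err:
            out.append((ch["type"], err.get("type", ""), err.get("detail", "")))
    return out


def caa_name_from_detail(detail):
    """Extract the name the CA was querying from a 'looking up CAA for <name>' detail."""
    m = re.search(r"looking up CAA for (\S+)", detail)
    return m.group(1).rstrip(".") if m else None


def caa_climb(fqdn):
    """Names a CA asks for CAA, from the requested name up to the TLD (RFC 8659 order)."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def evaluate_caa(fqdn, resolver):
    """Walk the chain; stop at the first name with records or the first hard DNS error.

    NOERROR/NXDOMAIN without records means 'no policy here, check the parent'.
    Any other rcode (SERVFAIL, NOTIMP, REFUSED) is the failure the thread shows.
    """
    for name in caa_climb(fqdn):
        rcode, records = resolver.get(name, ("NOERROR", []))
        if rcode in ("NOERROR", "NXDOMAIN"):
            if records:
                return {"status": "ok", "name": name, "records": records}
            continue
        return {"status": "error", "name": name, "rcode": rcode}
    return {"status": "ok", "name": None, "records": []}


def caa_permits(records, ca):
    """True if the relevant record set lets `ca` issue (no 'issue' tags = anyone may)."""
    issue_values = []
    for rec in records:
        parts = rec.split(None, 2)
        if len(parts) == 3 and parts[1].lower() == "issue":
            # Drop the quotes and any ';key=value' parameters after the CA domain.
            issue_values.append(parts[2].strip('"').split(";")[0].strip())
    if not issue_values:
        return True
    return ca in issue_values


def diagnose(authz_json, resolver, ca="letsencrypt.org"):
    """Tie it together: from the ACME error to the CAA level that breaks issuance."""
    report = []
    for ch_type, err_type, detail in failed_challenges(authz_json):
        name = caa_name_from_detail(detail) if err_type.endswith(":dns") else None
        if name is None:
            report.append((ch_type, err_type, None))
            continue
        outcome = evaluate_caa(name, resolver)
        outcome["permits"] = caa_permits(outcome.get("records", []), ca) if outcome["status"] == "ok" else False
        report.append((ch_type, err_type, outcome))
    return report


if __name__ == "__main__":
    for line in diagnose(SAMPLE_AUTHZ, BROKEN_RESOLVER):
        print(line)
```

Against the broken table the walk stops at home.tilsch.it with SERVFAIL, which is exactly the level named in the authorization error, so that is the zone whose nameservers need fixing; against the healthy table the climb reaches the constructed record on tilsch.it and reports that letsencrypt.org is permitted. To run this against real DNS instead of the tables, the resolver dict can be replaced by a function built on dnspython's `dns.resolver.resolve(name, "CAA")`, mapping its `NoAnswer`/`NXDOMAIN` exceptions to an empty NOERROR/NXDOMAIN and `NoNameservers` to SERVFAIL; that wiring is not included here.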
I have no problem with the questions.
As stated, I only seem to "have a problem" with the lack of information provided to enable anyone to clearly understand the actual problem.
We are here to help; But you have to help us help you.
@JuergenAuer Which tool did you use to analyse my DNS servers in such detail? Letsdebug just gives me a fatal error. I raised the issue with my DNS provider, but he did not give me a detailed reply or any feedback.