Certificate order marked as invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: got-jena.de

I ran this command: a PS script referring to the ACME client to renew the certificate for autodiscover.got-jena.de and david.got-jena.de, then Get-PAOrder

It produced this output: got the message that Authorization for both is VALID, but Get-PAOrder -Refresh brings Order is NOT ready

My web server is (include version): IIS10

The operating system my web server runs on is (include version): MS Windows Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

The topic title says "invalid", but the "output" shown says "VALID" and "NOT ready".
So, I don't know what to make of that.
Also, this is very vague:

It is difficult for anyone to help when they don't know exactly what you did nor with which tool.

I can see that both names resolve to the same IP and it seems to be handling the challenge requests as expected.

As a test, please place a test text file in the expected challenge location and then let's test access to it.
With something like:
curl -Ii autodiscover.got-jena.de/.well-known/acme-challenge/Test_File-1234
curl -Ii david.got-jena.de/.well-known/acme-challenge/Test_File-1234

[please be sure to NOT use any extension type on the file]

3 Likes

Thanks for your response.
After some further investigation, we found where the issue was caused.
Although the configuration was fine and unchanged, IIS failed to serve the binding for port 80, and so access to the virtual directory .well-known failed for this port too. So only port 443 was served. It was a malfunction of IIS, not a firewall issue (neither external nor internal).

We found it when we checked the order details. There we got:
"urn:ietf:params:acme:error:unauthorized"
and:
"http://autodiscover.got-jena.de/.well-known/acme-challenge/jKDkTzV41gFJUZiJ8pRmB64Htr... :404"
This resulted in a status: "invalid" in the JSON file in the win-acme folder.

The solution was to restart the server (IIS service restart may have been enough).
After the restart it was working as expected. A very weird issue.
But anyway, thanks again.

2 Likes
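
The check described in the last post (reading the challenge error out of the order details), as an added example that is not code from the thread or from either ACME client: it walks an RFC 8555 authorization object and reports each invalid challenge with a first thing to check. The sample JSON, host name, token and hint wording are constructed, and the trailing `: 404` detail format is an assumption based on the message quoted above.

```python
import json
import re

ACME_ERR = "urn:ietf:params:acme:error:"

def hint_for(ch_type, err_kind, detail):
    """Map an ACME challenge error to the first thing worth checking."""
    # Assumption: the detail text ends with the HTTP status the validator received.
    if ch_type == "http-01" and err_kind == "unauthorized" and re.search(r":\s*404\s*$", detail):
        return "file not served over plain HTTP: test port 80, not only 443"
    if err_kind == "connection":
        return "validator could not connect: check port 80 binding and firewall"
    if err_kind == "dns":
        return "DNS lookup for the identifier failed"
    return "read the detail text"

def failed_challenges(authz):
    """Return one finding per invalid challenge in an RFC 8555 authorization."""
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue  # pending/valid challenges carry no failure to report
        err = ch.get("error") or {}
        kind = err.get("type", "")
        kind = kind[len(ACME_ERR):] if kind.startswith(ACME_ERR) else kind
        detail = err.get("detail", "")
        findings.append({
            "identifier": authz.get("identifier", {}).get("value"),
            "challenge": ch.get("type"),
            "error": kind,
            "detail": detail,
            "hint": hint_for(ch.get("type"), kind, detail),
        })
    return findings

# Constructed sample shaped like the failure in the thread (placeholder values).
SAMPLE_AUTHZ = json.loads("""
{"identifier": {"type": "dns", "value": "autodiscover.example.test"},
 "status": "invalid",
 "challenges": [
  {"type": "http-01", "status": "invalid", "token": "PLACEHOLDER_TOKEN",
   "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
    "detail": "Invalid response from http://autodiscover.example.test/.well-known/acme-challenge/PLACEHOLDER_TOKEN: 404"}},
  {"type": "dns-01", "status": "pending", "token": "PLACEHOLDER_TOKEN"}]}
""")

if __name__ == "__main__":
    for f in failed_challenges(SAMPLE_AUTHZ):
        print(f"{f['identifier']} {f['challenge']} {f['error']}: {f['hint']}")
```

An order whose status is "invalid" is final under RFC 8555, so after fixing the cause the client has to create a new order rather than refresh the old one.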