Certificate renewal failed

Hello Everyone,

For ADFS server, I obtained the certificate in July 2020. No issue with the renewal which is set by task scheduler to run daily. It was working fine till 4th Sep 2020. From 5th Sep the daily renewal task failed and I looked at the log. Here is the screenshot of the error.

I did not change anything within the server. Had to restart after installing a few updates in Sep 2020. I'd appreciate it if you can look at the error and let me know how to fix it.

Thanks

Ram

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ramlan.ca

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello Ram :slightly_smiling_face:

I've done some checking and don't see any imminent reason why your renewal should fail. We'll keep looking though.

The reason the renewal task was working fine until then was because your certificate was not yet 60 days old, so the renewal task was not attempting to acquire a new certificate.

Your ADFS server is serving the wrong certificate. It is also using an obsolete cipher suite and serving mixed content (referenced content that is not served over https). These issues should not prevent renewal of the correct certificate though.

1 Like

@griffin - Thanks for the info.

This is a lab environment and not production. So, I will wait for the renewal to complete next month. If the renewal fails, what option do I have? That is, create a new certificate request or try to renew the certificate through acme?

Thanks

Ram

You are currently using win-acme, so you are using an ACME client for your acquisitions and renewals. This process should be no different in mechanics than when you acquire a new certificate. Renewal fails = new fails. Can you create a file named "test" (with no extension) containing the phrase "Let's Encrypt" in /.well-known/acme-challenge/ in your webroot directory? This will let us test access to that.

@griffin - You mean at this location - c:\inetpub or c:\programdata\win-acme?

Should be c:\inetpub

I assume that's the directory containing your "home page".

c:\inetpub\.well-known\acme-challenge\test

I have created a file called Test containing the phrase Let's Encrypt - Here is the screenshot.

You need to:

  1. Create a folder in your root called .well-known.
  2. Create a folder in .well-known called acme-challenge.
  3. Move your Test file to the acme-challenge folder.

Is inetpub the folder where your ADFS website starts or is it the adfs.ramlan.ca folder?

Then move the .well-known folder and all its contents into the adfs.ramlan.ca folder.

There must be a period (.) in front of well-known in the folder name.

2

I can't seem to access the file when I visit:

http://adfs.ramlan.ca/.well-known/acme-challenge/Test

Try creating a file called web.config in the acme-challenge folder containing the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/xml" />
    </staticContent>
  </system.webServer>
</configuration>

This will allow your webserver to serve extensionless files.
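The steps above (create .well-known\acme-challenge under the site root, place an extensionless test file there, add the web.config so IIS serves it, then fetch it over plain HTTP) can be done and checked in one go. The script below is an added example and is not code from the thread or from win-acme; $WebRoot and $HostName are placeholders that must be set to the folder the ADFS site actually serves from and to the real hostname. It also prints the A record the name resolves to, since a test that fails because DNS points at a different server looks the same as a test that fails because of the folder layout.

```powershell
# Added example: stage an HTTP-01 style test file plus the extensionless-file
# web.config under a webroot, then verify that IIS serves it over HTTP.
param(
    [string]$WebRoot  = 'C:\inetpub\wwwroot',   # assumption: adjust to the ADFS site's root folder
    [string]$HostName = 'adfs.example.com'       # placeholder hostname, not a real target
)

# 1. Create .well-known\acme-challenge (note the leading period on .well-known).
$challengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

# 2. Write the extensionless test file with the agreed phrase.
$testFile = Join-Path $challengeDir 'test'
Set-Content -Path $testFile -Value "Let's Encrypt" -NoNewline -Encoding ASCII

# 3. Drop in the web.config that maps extensionless files to a MIME type,
#    otherwise IIS static content handling returns 404 for them.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/xml" />
    </staticContent>
  </system.webServer>
</configuration>
'@
Set-Content -Path (Join-Path $challengeDir 'web.config') -Value $webConfig -Encoding ASCII

# 4. Fetch the file the way a validation server would: plain HTTP, port 80.
$url = "http://$HostName/.well-known/acme-challenge/test"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    if ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq "Let's Encrypt") {
        Write-Host "OK: $url returned the expected content"
    } else {
        Write-Warning "Unexpected response from $url (status $($resp.StatusCode))"
    }
} catch {
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
}

# 5. Show which address the public name resolves to, so a DNS mismatch
#    (the name pointing at a host other than the one just edited) is visible.
Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress
```

Run it from an elevated PowerShell on the IIS host. If step 4 fails while the file exists on disk, check that the site bound to port 80 for that hostname really uses $WebRoot as its physical path, and that the address printed in step 5 is this server's public address.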

That is strange. adfs.ramlan.ca is pointing to public ip at GoDaddy.

I'm seeing that too. Didn't see that before. :thinking:

Looks good.

I'm wondering though...

Are the folders you're modifying actually being served? That IP address in your DNS seems like it would preclude access to what we've created.

There is nothing inside the folder. Just a single file called index.html. I created this folder during the certificate request so that the request would complete successfully.

So with this setting the renewal should work? Can I try using the acme command?

Until I can see the Test file, we won't know for sure.

http://adfs.ramlan.ca/.well-known/acme-challenge/Test