Certificate renewal fails due to challenge authorisation failed during renewal

ffletsencrypt · March 24, 2020, 10:57am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: news.celebsnow-competitions.co.uk

I ran this command: wacs.exe --renew --baseuri “https://acme-v02.api.letsencrypt.org/”

It produced this output: failed with error Authorization failed , will retry on next run.

My web server is (include version):IIS 10 and IIS-8

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): windows 2019 and 2012R2

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): wacs.exe (version 2.1.2.641 , win-acme)

ffletsencrypt · March 24, 2020, 11:13am

Isn’t it that, challenge (.well-known/acme-challenge…) authorisation is only performed during new SSL certificate request and not during renewal?
We have multiple servers for load balancing and win-acme (WACS.exe) is installed on both server.
We only perform public traffic re-route to each servers in the order of the server which is requesting for new SSL, to pass ACME Challenge authorisation but we do not perform this public traffic re-route during SSL renewal. We noticed some certificates renews without any issue but some certificate fails as it goes through challenge authorisation.
The command we used to request new SSL certificate is: wacs.exe --Verbose --target iis --installation iis --siteid “ID” --host “$SSL_Name” --commonname “$SSL_Name” --id “$SSL_Name” --installationsiteid “ID”

Renewal is scheduled via windows scheduler using the command: wacs.exe --renew --baseuri “https://acme-v02.api.letsencrypt.org/”
As mentioned some certificates get renewed without challenge and some failed due to challenge is performed.

rg305 · March 24, 2020, 4:43pm

It is always done* (for new and renew).

Note*: Authorizations can be good for up to 30 days. So subsequent requests on that same FQDN may not need to be authorized within that time.

If possible, I would route (or proxy) all HTTP traffic to one single system; and handle all the authorizations there.
HTTPS should remain load-balanced (as usual).

ffletsencrypt · March 24, 2020, 5:51pm

Thanks for your reply.

How can we get the certificates to renew after 30days instead of waiting for default renewal time? is it RenealDays:30 in settings.jason file

9peppe · March 24, 2020, 6:56pm

This depends on your ACME client (the software you use to get certificates). Is it WACS.exe?

You should check its manual.

system · April 23, 2020, 6:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.