[EROR] Create certificate failed: Authorization failed

Hello everyone,

I would like to install an SSL certificate on our IIS server using WACS 2.0.10.
I tried different options but I still have the same error.
On the server there is a default website that is not used.
And two websites rm.nova-location.fr and rm-test.nova-location.fr.

If I use the WACS simplified mode I always get [EROR] Authorization timed out and the file “http-01 validation” is not created

If I use WACS as described below (by using Save verification files on (network) path), the file is created and I can access it via the URL. But I always have an error.

Can anyone help me?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rm.nova-location.fr, rm-test.nova-location.fr

I ran this command:

[INFO] Running in mode: Interactive, Advanced

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to reflect
the bindings at that time.

1: Single binding of an IIS website
2: All bindings of an IIS website

How shall we determine the domain(s) to include in the certificate?: 2

1: rm.nova-location.fr
2: rm-test.nova-location.fr
: Abort
Choose site: 1

1: rm.nova-location.fr
Press enter to include all listed hosts, or type a comma-separated lists of exclusions: Enter

[INFO] Target generated using plugin IISSite: rm.nova-location.fr

Suggested FriendlyName is ‘[IISSite] rm.nova-location.fr’, press enter to accept or type an alternative:

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory (recommended)
*…
How would you like prove ownership for the domain(s) in the certificate?: 1

Path to the root of the site that will handle authentication
Leave empty to automatically read the path from IIS: C:\Program Files (x86)\AppWeb

After ownership of the domain(s) has been proven, we will create a Certificate
Signing Request (CSR) to obtain the actual certificate. The CSR determines
properties of the certificate like which (type of) key to use. If you are not
sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key

What kind of private key should be used for the certificate?: 2

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: Windows Certificate Store
C: Abort

How would you like to store the certificate?: 3

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: No additional storage steps required
C: Abort

Would you like to store it in another way too?: 3

With the certificate now saved to the store(s) of your choice, you may choose
one or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Start external script or program
3: Do not run any (extra) installation steps

Which installation step should run first?: 1

Use different site for installation? (y/n) - *

1: Start external script or program
2: Do not run any (extra) installation steps
Add another installation step?: 2

It produced this output:
[WARN] First chance error calling into ACME server, retrying with new nonce…
[INFO] Authorize identifier: rm.nova-location.fr
[INFO] Authorizing rm.nova-location.fr using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://rm.nova-location.fr/.well-known/acme-challenge/ZnzGqz6Y8At2m567XhOe-Y45BP726FJhZSzVj3dGLp4
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[EROR] Authorization timed out
[EROR] Create certificate failed: Authorization failed

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server

My hosting provider, if applicable, is: At home

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ? WACS 2.0.10

Thanks for your help

Hi @13casa

There are older checks, created yesterday - https://check-your-website.server-daten.de/?q=rm.nova-location.fr

Only timeouts:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://rm.nova-location.fr/ (92.174.70.114) | -14 (Timeout - The operation has timed out) | | 10.037 | T |
| https://rm.nova-location.fr/ (92.174.70.114) | -14 (Timeout - The operation has timed out) | | 10.030 | T |
| http://rm.nova-location.fr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (92.174.70.114) | -14 (Timeout - The operation has timed out) | | 10.047 | T |

Is there a blocking firewall? Or a wrong port forward?

Port 80 must answer.

Checking the raw IP, it's the same picture - https://check-your-website.server-daten.de/?q=92.174.70.114

Only timeouts.

Is this a home server? Does your ISP block port 80?

Hello @JuergenAuer

You are really too fast.

I just hit that our firewall allows only some public IPs to access the server.
That’s why I could access the file created for validation but I still had an error.

I lifted the restrictions and it works

For the test, I used your website yesterday 🙂

Thank you

Sorry for this wasted time
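
Added example (not part of the original posts and not WACS code): the situation resolved in this thread, a challenge file that allowlisted addresses can fetch while the ACME validation servers time out at the firewall, appears in the IIS access log as challenge tokens requested only by allowlisted clients. The log lines, addresses and allowlist below are constructed, and the parser assumes W3C logging with the `cs-uri-stem` and `c-ip` fields enabled.

```python
import ipaddress
from collections import defaultdict

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed IIS W3C log lines; all addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2020-01-10 09:00:01 192.0.2.10 GET /.well-known/acme-challenge/tokenA 80 192.0.2.10 200
2020-01-10 09:00:02 192.0.2.10 GET /.well-known/acme-challenge/tokenA 80 198.51.100.7 200
2020-01-10 09:00:05 192.0.2.10 GET /index.html 80 203.0.113.50 200
2020-01-11 09:00:01 192.0.2.10 GET /.well-known/acme-challenge/tokenB 80 192.0.2.10 200
2020-01-11 09:00:03 192.0.2.10 GET /.well-known/acme-challenge/tokenB 80 203.0.113.50 200
"""


def challenge_clients(log_text):
    """Map each challenge token to the set of client IPs that requested it."""
    fields, clients = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        if uri.startswith(CHALLENGE_PREFIX) and "c-ip" in row:
            clients[uri[len(CHALLENGE_PREFIX):]].add(row["c-ip"])
    return dict(clients)


def unreached_tokens(log_text, allowed_networks):
    """Return tokens fetched only from allowed_networks (the server itself or
    the firewall allowlist), i.e. no outside validator ever got through."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    result = []
    for token, ips in sorted(challenge_clients(log_text).items()):
        outside = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if not outside:
            result.append(token)
    return result


if __name__ == "__main__":
    # Assumed allowlist: the server's own address plus one permitted range.
    print(unreached_tokens(SAMPLE_LOG, ["192.0.2.10/32", "198.51.100.0/24"]))
```

A token in the result means every logged request for it came from inside the allowlist, which matches a "Preliminary validation looks good" line followed by "Authorization timed out".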
