[EROR] [sys.azoom.uk] Authorization result: pending

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sys.azoom.uk

I ran this command:
wacs.exe --test --verbose

It produced this output:

#########################START OF LINE#########################
Create certificate failed, retry? (y/n*) - yes

[DBUG] Scanning IIS bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2155828958
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: sys.azoom.uk"]
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2155838008 created
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2037176188
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [sys.azoom.uk] Authorizing...
[VERB] [sys.azoom.uk] Initial authorization status: pending
[VERB] [sys.azoom.uk] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [sys.azoom.uk] Initial challenge status: pending
[INFO] [sys.azoom.uk] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [sys.azoom.uk] Submitting challenge answer
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/VIV7DSvgFOu7B9sDHeKz5gHOjLxvwMR2DcwaUqGj30M
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/VIV7DSvgFOu7B9sDHeKz5gHOjLxvwMR2DcwaUqGj30M
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/VIV7DSvgFOu7B9sDHeKz5gHOjLxvwMR2DcwaUqGj30M
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/VIV7DSvgFOu7B9sDHeKz5gHOjLxvwMR2DcwaUqGj30M
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (4/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (5/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (6/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (7/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (8/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (9/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037176188/sXrsCw
[VERB] Request completed with status OK
[EROR] [sys.azoom.uk] Authorization result: invalid
[EROR] [sys.azoom.uk] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Error reading HTTP response body: context deadline exceeded",
"status": 403
}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful

Create certificate failed, retry? (y/n*)

[DBUG] Scanning IIS bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2155846498
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: sys.azoom.uk"]
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2155853258 created
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2037190588
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [sys.azoom.uk] Authorizing...
[VERB] [sys.azoom.uk] Initial authorization status: pending
[VERB] [sys.azoom.uk] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [sys.azoom.uk] Initial challenge status: pending
[INFO] [sys.azoom.uk] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [sys.azoom.uk] Submitting challenge answer
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/bAAQslWU_BhWMTDo_iBE0VpD-Orgsz3bns5zyJcUxMw
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/bAAQslWU_BhWMTDo_iBE0VpD-Orgsz3bns5zyJcUxMw
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/bAAQslWU_BhWMTDo_iBE0VpD-Orgsz3bns5zyJcUxMw
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/bAAQslWU_BhWMTDo_iBE0VpD-Orgsz3bns5zyJcUxMw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (4/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (5/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (6/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (7/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (8/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (9/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (10/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (11/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (12/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (13/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (14/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (15/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037190588/LeYsrg
[VERB] Request completed with status OK
[EROR] [sys.azoom.uk] Authorization result: pending
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful

Create certificate failed, retry? (y/n*) - yes

[DBUG] Scanning IIS bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2155853258
[VERB] Request completed with status BadRequest
[WARN] First chance error calling into ACME server, retrying with new nonce...
[DBUG] Send HEAD to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2155853258
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: sys.azoom.uk"]
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2156134328 created
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2037468328
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [sys.azoom.uk] Authorizing...
[VERB] [sys.azoom.uk] Initial authorization status: pending
[VERB] [sys.azoom.uk] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [sys.azoom.uk] Initial challenge status: pending
[INFO] [sys.azoom.uk] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [sys.azoom.uk] Submitting challenge answer
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/UJRYi7BlECltIf4ADrhNuUQxvY7I_Cy1V0kUkYZKKSc
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/UJRYi7BlECltIf4ADrhNuUQxvY7I_Cy1V0kUkYZKKSc
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/UJRYi7BlECltIf4ADrhNuUQxvY7I_Cy1V0kUkYZKKSc
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (4/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (5/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (6/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (7/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (8/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (9/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (10/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (11/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (12/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (13/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (14/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (15/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2037468328/StM2Gg
[VERB] Request completed with status OK
[EROR] [sys.azoom.uk] Authorization result: pending
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful

Create certificate failed, retry? (y/n*) - no

[EROR] Create certificate failed: [sys.azoom.uk] Validation failed
- No certificate generated

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: Q

#########################END OF LINE#########################

My web server is (include version):
IIS 10

The operating system my web server runs on is (include version):
Windows Server 2019 Std

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
User has Administrator rights

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No. Have direct access to IIS Manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
C:\Win-ACME>wacs.exe --version

A simple Windows ACMEv2 client (WACS)
Software version 2.1.20.1185 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...

Hi guys, I thought my 5 years of experience would help to get Let's Encrypt, but there are no other words that can describe this other than help!!!

Well, the underlying error here is:

Error reading HTTP response body: context deadline exceeded

Let's Encrypt is trying to connect to your webserver to download this URL (which no longer exists): http://sys.azoom.uk/.well-known/acme-challenge/bAAQslWU_BhWMTDo_iBE0VpD-Orgsz3bns5zyJcUxMw.

According to the message above, Let's Encrypt is unable to download the file within a reasonable amount of time, and we have the resulting time-out error.

1 Like
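A triage script for `wacs.exe --verbose` output like the log above, added here as an example (it is not part of the original thread and not win-acme code). It groups the log by ACME order and compares how often the SelfHosting listener logged serving the challenge file with the final authorization result; the sample log is constructed in the format shown above, with placeholder hosts, order URLs and tokens.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns follow the wacs --verbose line formats quoted in the thread.
ORDER_RE = re.compile(r"\[VERB\] Order (\S+) created")
SERVE_RE = re.compile(r"SelfHosting plugin serving file (\S+)")
POLL_RE = re.compile(r"Refreshing authorization \((\d+)/(\d+)\)")
RESULT_RE = re.compile(r"\[\w+\]\s+\[([^\]]+)\] Authorization result: (\w+)")
DETAIL_RE = re.compile(r'"detail":\s*"([^"]*)"')

# Constructed sample (placeholder host, order URLs and tokens).
SAMPLE_LOG = """\
[VERB] Order https://acme.invalid/order/1 created
[INFO] [host.example] Authorizing using http-01 validation (SelfHosting)
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/TOKEN-A
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/TOKEN-A
[DBUG] Refreshing authorization (1/15)
[DBUG] Refreshing authorization (9/15)
[EROR] [host.example] Authorization result: invalid
[EROR] [host.example] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Error reading HTTP response body: context deadline exceeded",
"status": 403
}
[VERB] Order https://acme.invalid/order/2 created
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/TOKEN-B
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/TOKEN-B
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/TOKEN-B
[DBUG] Refreshing authorization (1/15)
[DBUG] Refreshing authorization (15/15)
[EROR] [host.example] Authorization result: pending
[VERB] Order https://acme.invalid/order/3 created
[DBUG] Refreshing authorization (1/15)
[DBUG] Refreshing authorization (15/15)
[EROR] [host.example] Authorization result: pending
"""


@dataclass
class Attempt:
    order: str
    host: Optional[str] = None
    served: int = 0          # times the listener logged serving the token
    polls: int = 0           # highest "Refreshing authorization (n/15)" seen
    result: Optional[str] = None
    detail: Optional[str] = None

    def verdict(self) -> str:
        """Classify the attempt by what the client-side log can prove."""
        if self.result == "valid":
            return "validated"
        if self.served == 0:
            # The listener never logged a request for the token.
            return "no-request-seen"
        if self.result == "invalid" and self.detail and "response body" in self.detail:
            # The request arrived, but the CA could not read the reply in time.
            return "served-but-ca-read-timeout"
        if self.result == "pending":
            # The request arrived; the client stopped polling before a verdict.
            return "served-but-still-pending"
        return "served-then-" + (self.result or "unknown")


def parse_attempts(log: str) -> List[Attempt]:
    """Split a verbose log into one Attempt per 'Order ... created' line."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for line in log.splitlines():
        m = ORDER_RE.search(line)
        if m:
            current = Attempt(order=m.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first order carry no attempt state
        if SERVE_RE.search(line):
            current.served += 1
        elif (m := POLL_RE.search(line)):
            current.polls = max(current.polls, int(m.group(1)))
        elif (m := RESULT_RE.search(line)):
            current.host, current.result = m.group(1), m.group(2)
        elif (m := DETAIL_RE.search(line)):
            current.detail = m.group(1)
    return attempts


def report(log: str) -> List[str]:
    """One summary line per attempt."""
    return [
        f"{a.order} host={a.host} served={a.served} polls={a.polls} "
        f"result={a.result} verdict={a.verdict()}"
        for a in parse_attempts(log)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A non-zero `served` count shows the inbound request reached the listener, so the remaining suspects are on the response path or in the CA's polling, not in whether the token is being answered.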

Looks like a problem with Let's Encrypt staging. Your authorization is stuck at pending and wacs takes 15 attempts at refreshing it then gives up. I note that you're using authentication on your site but /.well-known/acme-challenge/test resolves ok (to a 404). wacs is self hosting so it will run its own http challenge response during validation anyway.

I assume you're not doing any creative filtering of traffic based on IP addresses etc (malware blocking, geographic filtering etc) - these things are susceptible to blocking stuff you actually want to get through.

2 Likes

Hi @_az, is there any way to

  1. Increase the timeout
  2. Verify whether the hash key file is ever generated?
  3. I've manually created an HTML file at /.well-known/acme-challenge/test.html which you can browse publicly. Does IIS permission have anything to do with this?

I've enabled anonymous authentication with 'Application Pool Identity' on the /.well-known/acme-challenge path but it's still saying the cert is not downloaded.

I've also retried and it went through 15 auth attempts. Thing is, while it was running, I browsed manually to the /.well-known/acme-challenge/ path and enabled 'hidden files view', and still did not see any such hash file created. But it didn't report any failure or error about writing or reading the hash file.

I've also enabled W3SVC logging and pasted the logs here:

https://drive.google.com/drive/folders/17vm88IuJ8uMNITUpWTapV2s6clxSrvn2?usp=sharing

From the link there are auth errors even though I've already enabled anonymous authentication, as commented to @_az earlier.

Replying to your comment earlier, there's no geolocation-based filtering applied yet, no A/V installed, and even the FW and Defender are disabled to scope down the issue.

HELPPPP please

Try placing a file there that doesn't have any extension.

2 Likes

No, I think it's fixed to around 10 seconds or so.

Based on what @webprofusion is saying, the request is being handled by WACS' self-hosted standalone server, so nothing would be created on the filesystem.

Looking at the XML files you uploaded, is there any chance you can temporarily disable the Dynamic IP Restrictions (DIPR) module in IIS, and try again?

1 Like

As far as I know the requests shouldn't be hitting IIS at all (this would still work even if IIS wasn't installed) as the wacs self-hosting implementation uses a standard .net http listener (via http.sys), so it seems more like the listener is not activating properly.

Reboot the machine to make sure there are no stuck processes.

I'd suggest giving https://certifytheweb.com a try on the same machine and see if that works for the same site or not. In that you just need to add a new managed certificate, select your IIS site then click Request Certificate. During http validation you should be able to browse to http://sys.azoom.uk/.well-known/acme-challenge/configcheck to test that the http challenge listener is working. If that still doesn't work you can just uninstall it and continue to try to debug wacs instead.

3 Likes

Yup done, no problem

Created a file without an extension. Windows prompted that the file might be 'not working' but still proceeded. Then I edited the file, adding some content to it, and saved it; none of this prompted any issues.

But on the node in IIS Manager, I don't see DIPR.

Just wondering if the self-sign HTTPS is already enabled without giving problems?

If the requests are not being served by IIS, it should not conflict with port 80, which IIS is already listening on. So at this point, the wacs client is creating a socket to perform the validation requests. I have rebooted the machine a couple of times but a couple more doesn't hurt. Will do it afterwards.

So, what I'll do after this is:

  1. Reboot
  2. Execute wacs again
  3. If #2 still fails at the 3rd try, I'll proceed to the article https://certifytheweb.com @webprofusion shared

Did a reboot, still failing as per below:

OUTPUT START

PS C:\Win-ACME> .\wacs.exe --test --verbose
[VERB] Verbose mode logging enabled
[VERB] ExePath: C:\Win-ACME\wacs.exe
[VERB] ResourcePath: C:\Win-ACME
[VERB] PluginPath: C:\Win-ACME
[VERB] Looking for settings.json in C:\Win-ACME
[DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
[DBUG] secrets.json not found
[VERB] Arguments: --test --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.20.1185 (release, trimmed, standalone, 64-bit)
[INFO] Connecting to https://acme-staging-v02.api.letsencrypt.org/...
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[DBUG] IIS version 10.0
[DBUG] Running with administrator credentials
[WARN] Scheduled task not configured yet
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: N

[INFO] Running in mode: Interactive, Simple, Test
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[DBUG] Scanning IIS sites
[DBUG] Scanning IIS bindings for hosts

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

1: Default Web Site (1 binding)

Site identifier(s) or to choose all: 1

[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found

1: sys.azoom.uk (Site 1)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick all bindings

Binding identifiers(s) or menu option: A

[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found

1: sys.azoom.uk (Site 1)

Continue with this selection? (y*/n) - yes

[DBUG] Scanning IIS bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[INFO] Source generated using plugin IIS: sys.azoom.uk
[VERB] No value provided for --validationport
[VERB] No value provided for --validationprotocol
[VERB] Flag --ocsp-must-staple not present
[VERB] Flag --reuse-privatekey not present
[VERB] No value provided for --certificatestore
[VERB] Flag --keepexisting not present
[VERB] No value provided for --acl-fullcontrol
[VERB] No value provided for --certificatestore
[VERB] No value provided for --sslport
[VERB] No value provided for --sslipaddress

[DBUG] Scanning IIS bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[VERB] Constructing ACME protocol client...
[VERB] Getting service directory...
[DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2162767888
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: sys.azoom.uk"]
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/48486588/2164302968 created
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2045319258
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [sys.azoom.uk] Authorizing...
[VERB] [sys.azoom.uk] Initial authorization status: pending
[VERB] [sys.azoom.uk] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [sys.azoom.uk] Initial challenge status: pending
[INFO] [sys.azoom.uk] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [sys.azoom.uk] Submitting challenge answer
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/3eqjgd_DEjUBPEar4nnwKyEvYVj3-getKH4K8ZeMVR8
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/3eqjgd_DEjUBPEar4nnwKyEvYVj3-getKH4K8ZeMVR8
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/3eqjgd_DEjUBPEar4nnwKyEvYVj3-getKH4K8ZeMVR8
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/3eqjgd_DEjUBPEar4nnwKyEvYVj3-getKH4K8ZeMVR8
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (4/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (5/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (6/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (7/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (8/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (9/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (10/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (11/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (12/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (13/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (14/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (15/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2045319258/KsVrGA
[VERB] Request completed with status OK
[EROR] [sys.azoom.uk] Authorization result: pending
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful

Create certificate failed, retry? (y/n*)

OUTPUT END

Will proceed to #3 to try https://certifytheweb.com

The cool thing about using the (windows) OS level http listeners via http.sys is that they sit in front of IIS (IIS is just another http.sys listener). So the http request comes in and gets passed to the first/most specific listener. WACS and Certify both run temporary listeners to match any http://+:80/well-known/acme-challenge request. I assume WACS frees this up once it's finished validation, Certify does the same.

So basically these http listeners skip the whole problem of having to configure IIS module features to let the request through (redirects, extensionless files, authorization etc) but still allow IIS to otherwise function normally and uninterrupted.

Where it can be a problem is if you use a non-windows native app like apache or nginx, as these usually take exclusive control of port 80 and don't use http.sys at all.

3 Likes

Good to know, thanks for sharing @webprofusion

If that's the case, I'm a total noob on Windows. How do I check any logs for whether the socket listener has an error?

1 Like

@webprofusion I'm down like the bot. Using CTW also fails. Here are the logs:

2022-03-30 11:26:18.335 +03:00 [INF] ---- Beginning Request [Default Web Site] ----
2022-03-30 11:26:18.351 +03:00 [INF] Certify/5.6.7.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2022-03-30 11:26:18.681 +03:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2022-03-30 11:26:18.682 +03:00 [INF] Requested identifiers to include on certificate: sys.azoom.uk
2022-03-30 11:26:18.694 +03:00 [INF] Beginning certificate order for requested domains
2022-03-30 11:26:19.917 +03:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2022-03-30 11:26:23.305 +03:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/474819290/75796275360
2022-03-30 11:26:24.418 +03:00 [INF] Fetching Authorizations.
2022-03-30 11:26:26.404 +03:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/92940641390/OKxkug
2022-03-30 11:26:27.491 +03:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/92940641390/pZ5I5g
2022-03-30 11:26:28.553 +03:00 [INF] Http Challenge Server process available.
2022-03-30 11:26:28.553 +03:00 [INF] Attempting Domain Validation: sys.azoom.uk
2022-03-30 11:26:28.554 +03:00 [INF] Registering and Validating sys.azoom.uk
2022-03-30 11:26:28.554 +03:00 [INF] Preparing automated challenge responses (sys.azoom.uk)
2022-03-30 11:26:28.572 +03:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://sys.azoom.uk/.well-known/acme-challenge/aQdnrJ-ZsDss9hQqxbsH4ZUlT0ExWiYgbejt3o6acNI with content aQdnrJ-ZsDss9hQqxbsH4ZUlT0ExWiYgbejt3o6acNI.e3VC6W7fcZ6lEBgE7k2cgapFA4APmlsqZlL51kg0ynw
2022-03-30 11:26:28.572 +03:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2022-03-30 11:26:28.608 +03:00 [INF] Using website path C:\inetpub\wwwroot
2022-03-30 11:26:28.620 +03:00 [INF] Checking URL is accessible: http://sys.azoom.uk/.well-known/acme-challenge/aQdnrJ-ZsDss9hQqxbsH4ZUlT0ExWiYgbejt3o6acNI [proxyAPI: True, timeout: 5000ms]
2022-03-30 11:26:29.272 +03:00 [INF] URL is accessible. Check passed.
2022-03-30 11:26:29.273 +03:00 [INF] Requesting Validation: sys.azoom.uk
2022-03-30 11:26:29.309 +03:00 [INF] Attempting Challenge Response Validation for Domain: sys.azoom.uk
2022-03-30 11:26:29.309 +03:00 [INF] Registering and Validating sys.azoom.uk
2022-03-30 11:26:29.310 +03:00 [INF] Checking automated challenge response for Domain: sys.azoom.uk
2022-03-30 11:27:04.016 +03:00 [INF] Domain validation failed: sys.azoom.uk

2022-03-30 11:27:06.579 +03:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: sys.azoom.uk

2022-03-30 11:27:06.579 +03:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: sys.azoom.uk

2022-03-30 11:27:06.579 +03:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: sys.azoom.uk

I want to check: if the region time settings in the OS don't match the physical location of the web server frontend, will it be a problem? This is because the user of the server is about halfway around the world.

That's not a problem for this step. So the log is saying that the test Certify The Web does (proxyAPI: True) tried the connection via the Certify The Web API and it passed, then when Let's Encrypt tried, it failed.

I'm 99.9% sure something on your network between Let's Encrypt and your server is blocking Let's Encrypt's HTTP request, most likely based on their IP address. I'd wager that if you tried a different certificate authority (who would also be validating from different IPs) that it would all work. Certificate Authorities | Certify The Web Docs

2 Likes

Hi, I ran Certify again and let it run overnight. These are the logs:

#############START OF LINE#############

2022-03-30 12:25:02.889 +03:00 [INF] All Tests Completed OK
2022-03-30 12:25:07.985 +03:00 [INF] ---- Beginning Request [sys.azoom.uk] ----
2022-03-30 12:25:07.985 +03:00 [INF] Certify/5.6.7.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2022-03-30 12:25:07.987 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:25:07.987 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-30 12:25:08.001 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:25:08.542 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-30 12:25:08.562 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:25:52.399 +03:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2022-03-30 12:26:23.688 +03:00 [INF] ---- Beginning Request [sys.azoom.uk] ----
2022-03-30 12:26:23.688 +03:00 [INF] Certify/5.6.7.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2022-03-30 12:26:23.691 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:26:23.692 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-30 12:26:23.707 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:26:24.113 +03:00 [INF] ---- Beginning Request [sys.azoom.uk] ----
2022-03-30 12:26:24.113 +03:00 [INF] Certify/5.6.7.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2022-03-30 12:26:24.117 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:26:24.118 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-30 12:26:24.165 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:26:24.567 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-30 12:26:24.584 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-30 12:26:24.841 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-30 12:26:24.862 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-31 07:28:13.892 +03:00 [INF] ---- Beginning Request [sys.azoom.uk] ----
2022-03-31 07:28:13.924 +03:00 [INF] Certify/5.6.7.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2022-03-31 07:28:13.939 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-31 07:28:13.939 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-31 07:28:14.142 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-31 07:28:14.814 +03:00 [INF] There is no matching ACME account for the currently selected Certificate Authority. Check you have added a Staging account for the CA under the app Settings.
2022-03-31 07:28:14.830 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: sys.azoom.uk CA: letsencrypt.org [Staging Mode]
2022-03-31 08:28:08.324 +03:00 [INF] Previous renewals failed: 6. Renewal will be attempted within 48hrs.
2022-03-31 09:28:08.346 +03:00 [INF] Previous renewals failed: 6. Renewal will be attempted within 48hrs.

#############END OF LINE#############
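An added example, not part of any post in the thread: a PowerShell triage of Certify-format log lines that separates the two failure modes seen in the logs above, a request where the client's own URL check passed but CA validation failed, and a request that stopped because no ACME account matched the selected CA. The function name and the sample lines (with `host.example`) are constructed; the verdict wording follows the reading given in the thread.

```powershell
# Constructed sample in the format of the Certify logs quoted in the thread.
$sample = @'
2022-03-30 11:26:18.335 +03:00 [INF] ---- Beginning Request [Default Web Site] ----
2022-03-30 11:26:29.272 +03:00 [INF] URL is accessible. Check passed.
2022-03-30 11:26:29.273 +03:00 [INF] Requesting Validation: host.example
2022-03-30 11:27:04.016 +03:00 [INF] Domain validation failed: host.example
2022-03-30 12:25:07.985 +03:00 [INF] ---- Beginning Request [host.example] ----
2022-03-30 12:25:07.987 +03:00 [ERR] Failed to match ACME account for managed certificate. Cannot continue request. :: host.example CA: letsencrypt.org [Staging Mode]
'@ -split '\r?\n'

function Get-CertifyRequestVerdict {
    param([string[]]$Lines)
    $requests = [System.Collections.Generic.List[object]]::new()
    $req = $null
    foreach ($line in $Lines) {
        # "<date> <time> <utc offset> [LEVEL] message"
        if ($line -notmatch '^(?<ts>\S+ \S+) \S+ \[(?<lvl>\w+)\] (?<msg>.*)$') { continue }
        $ts, $msg = $Matches.ts, $Matches.msg
        if ($msg -match '^---- Beginning Request \[(?<name>.+)\] ----$') {
            # A new request block starts; later lines belong to it.
            $req = [pscustomobject]@{
                Started = $ts; Name = $Matches.name
                PreflightOk = $false; CaFailed = $false; NoAccount = $false
            }
            $requests.Add($req)
        }
        elseif ($req) {
            if ($msg -like 'URL is accessible. Check passed.*') { $req.PreflightOk = $true }
            if ($msg -like 'Domain validation failed:*')        { $req.CaFailed = $true }
            if ($msg -like 'Failed to match ACME account*')     { $req.NoAccount = $true }
        }
    }
    foreach ($r in $requests) {
        $verdict =
            if ($r.NoAccount) { 'client configuration: no ACME account for the selected CA, validation never started' }
            elseif ($r.PreflightOk -and $r.CaFailed) { 'reachable from the client-side check but not from the CA: inspect filtering in front of the server' }
            elseif ($r.CaFailed) { 'CA validation failed with no successful preflight' }
            else { 'no failure recorded' }
        $r | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

Get-CertifyRequestVerdict -Lines $sample | Format-List Started, Name, Verdict
```

To run it against a real log, pass `Get-Content` of the log file as `-Lines` instead of `$sample`.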