Error creating ssl certificate with wacs.exe, windows server 2019


I created a website on windows server 2019 and I would like to get a ssl certificate for my website
My website is a local website that people can access if there are connected to the local network.

Server: RadiusATC.wifi-atc.lan


I got this error with wacs.exe (win-acme.v2.2.3.1475.x64.pluggable)

Source generated using plugin IIS:

Plugin IIS generated source with 1 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[] Authorizing...
[] Authorizing using http-01 validation (SelfHosting)
[] Authorization result: invalid
[] {"type":"urn:ietf:params:acme:error:unauthorized","detail":" Invalid response from \u0022\u003Chtml xml:lang=\\u0022fr-FR\\u0022 lang=\\u0022fr-FR\\u0022\u003E\n\u003Chead\u003E\n\u003Ctitle qtlid=\\u002228806\\u0022\u003EF\u00E9licitations ! Votre domaine a bien \u00E9t\u00E9 cr\u00E9\u00E9 chez OVHclou\u0022","status":403,"instance":null}
[] Deactivating pending authorization

Welcome to the community @quentin1

The problem is your domain is redirecting the HTTP Challenge from the Let's Encrypt Server to your home page.

It is OK to redirect the original request. But, the result of following the redirects must eventually be the challenge token created by wacs. Because you redirect to your home page that value is not being returned.

curl -I

HTTP/1.1 302 Moved Temporarily
server: nginx

Try the self-hosting option: win-acme that will sit in front of IIS in the http pipeline, avoiding issues with IIS config.


Hi @webprofusion,

Thank you for your answer.
I use this command to run win-acme but I still have the issue
.\wacs.exe --validation SelfHosting

1 Like

Thanks I didn't notice your server was nginx as @MikeMcQ mentioned. This is very different from IIS and wacs is designed for IIS, so instead you need to serve the http challenge yourself and I'd expect that would be easites using certbot with with it's built in nginx support.

The problem with nginx on Windows is it will not share http on port 80 like IIS can, so instead it will steal the port for itself and then the self-hosting wacs option won't work.

You can use the filesystem option (hosting the http challenge response on your nginx website) or just use DNS validation instead.

If you want to try DNS validation, on Windows you can use (which I develop) as it supports a whole bunch of DNS APIs, including your provider OVH.


Thanks for your answer but I'm created my website on the IIS platform of windows server 2019.
Do I need to realise the DNS validation to get my ssl certificate to be able to have HTTPS on my webside ?

1 Like

If that's the case, then why is there a nginx webserver responding on

Note that Let's Encrypt will always need to validate your hostname from the public internet. So whatever is running on, if that's different than what's running on (the public IP address of your hostname) then there's going to be a problem.


If you use IIS on port 80, then no; You won't need to use DNS validation.
If you are using nginx and IIS on same port, then you will have problems.


My website is running locally on my windows server 2019 and only the people who are in the forest of my windows server can have access to it.

Please read:

So if Let's Encrypt can't connect to your webserver using port 80 (the http-01 challenge using, well, HTTP), you'd need to use the DNS challenge (dns-01).


Ok I will try to validate my website with the DNS challenge. Thank you for your help

1 Like

This sounds like you have an Active Directory domain/forest.
If so, you should be able to issue a cert from your domain CA.


I try to create a certificate with my domain CA but I got an errors from my browser (your connection is not private)

I would like to avoid to have that message

Is your PC domain joined?
Does the URL contain an FQDN that is covered by the Windows CA provided cert?
Is the server using the Windows CA provided cert?


What does that mean?


I installed Certification Authority and Certification Authority Web Enrollment
in IIS, I created a certificate request
I went on http://localhost/certsrv to submit my certificate request
Afterwards, in server certificates, I completed certificate request with the certificate that I got from http://localhost/certsrv
I use the certificate that I just created in my server certificates on my website

It means...
You know little of the Windows World - lol
Windows domains comes with a local domain CA.
All systems joined to that Active Directory [AD] will implicitly trust that domain CA [and all certs issued by it].


Ah, IC.

Let's keep it that way! Osiris signing off out of this thread :wink:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.