Error renewing Exchange SAN certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dept-info.crosemont.quebec

I ran this command: See below

It produced this output: See below

My web server is IIS : (10.0.14393.0)

The operating system my web server runs on is : Windows Server 2016 Datacenter

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme version 2.1.7.807 (RELEASE, PLUGGABLE)

Here is the method I used and the output :

Scheduled task not configured yet
Please report issues at https://github.com/win-acme/win-acme

N: Create renewal (default settings)
M: Create renewal (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options…
Q: Quit

Please choose from the menu: m

Running in mode: Interactive, Advanced

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Enter comma-separated list of host names, starting with the common name: owa.dept-info.crosemont.quebec,autodiscover.dept-info.crosemont.quebec,smtp.dept-info.crosemont.quebec

Target generated using plugin Manual: owa.dept-info.crosemont.quebec and 2 alternatives

Suggested friendly name '[Manual] owa.dept-info.crosemont.quebec', press Enter to accept or type an alternative:

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup and for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 2

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: 2

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: Windows Certificate Store
4: No (additional) store steps

How would you like to store the certificate?: 3

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: No (additional) store steps

Would you like to store it in another way too?: 3

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?: 3

Full instructions: https://www.win-acme.com/reference/plugins/installation/script

Enter the path to the script that you want to run after renewal: ./Scripts/ImportExchange.ps1

{CertCommonName}: Common name (primary domain name)
{CachePassword}: .pfx password
{CacheFile}: .pfx full path
{CertFriendlyName}: Certificate friendly name
{CertThumbprint}: Certificate thumbprint
{StoreType}: Type of store (CentralSsl/CertificateStore/PemFiles)
{StorePath}: Path to the store
{RenewalId}: Renewal identifier

Enter the parameter format string for the script, e.g. "--hostname {CertCommonName}": '{CertThumbprint}' 'IIS,SMTP,IMAP,POP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: No (additional) installation steps

Add another installation step?: 3

Authorize identifier autodiscover.dept-info.crosemont.quebec
Authorizing autodiscover.dept-info.crosemont.quebec using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://autodiscover.dept-info.crosemont.quebec/.well-known/acme-challenge/ujKxKrYX1JpWn8Lvesbxpuvq3xnjsDMY0OdiFaeUVoI: Timeout during connect (likely firewall problem)",
"status": 400
}
Authorization result: invalid
Authorize identifier owa.dept-info.crosemont.quebec
Authorizing owa.dept-info.crosemont.quebec using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://owa.dept-info.crosemont.quebec/.well-known/acme-challenge/Zwzo1JP70MgW6y9duWtR16XsRrpich4ZQwkou3sF7Ts: Timeout during connect (likely firewall problem)",
"status": 400
}
Authorization result: invalid
Authorize identifier smtp.dept-info.crosemont.quebec
Authorizing smtp.dept-info.crosemont.quebec using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://smtp.dept-info.crosemont.quebec/.well-known/acme-challenge/3Dkb180R78YAHA6yHU4lOfcTjn23s7Ma5X_qPejuk3c: Timeout during connect (likely firewall problem)",
"status": 400
}
Authorization result: invalid

Other information: I can HTTP on owa.dept-info.crosemont.quebec, but not on autodiscover and smtp. Should those also be working?

Thank you for any help given.


Hi @g.lacoursiere

If you want to use http validation, a working port 80 is required.

And I can't load http://owa.dept-info.crosemont.quebec - see https://check-your-website.server-daten.de/?q=owa.dept-info.crosemont.quebec

There is an older check, three days old. There http had worked.


Thank you for your fast response, it is much appreciated, so I will check on this “No HTTP response”.

But you mention “If you want to use http validation”, does this mean that I could use another method for validation, and if so, what would be the best way ?

Thank you.


Hello,

Thank you so much for helping me on this one. You gave me the last push I needed to find the problem.

One NAT rule in our Palo Alto NGFW that did not include port 80, and another security rule that did not include the right service name. I had put http-port instead of web-browsing.

So now that http passes, I was able to renew our certificate.

Have a good day and continue your good job helping poor “not always on the right track technicians”

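The failure in this thread was a perimeter rule that silently dropped inbound port 80, which win-acme only reports as "Timeout during connect". The following PowerShell pre-flight check is an added example, not part of the original thread or of win-acme; it walks each name that will go into the SAN certificate and separates the three outcomes a practitioner needs to tell apart: the name does not resolve, the TCP connect to port 80 times out (packets are dropped, which points at a missing NAT or security rule), or a web server actually answers. Run it from outside the organisation (for instance a laptop on a mobile hotspot), because NAT and security rules on the firewall apply to inbound Internet traffic and a test from the LAN can pass while the ACME server still times out. The host names are the three from the request above; the random token path is constructed and does not exist, so any HTTP status, including 404 from IIS, counts as reachable.

```powershell
# Added example: pre-flight reachability check for ACME http-01 validation.
# Not from the thread or from win-acme; run from OUTSIDE the network being tested.
function Test-AcmeHttp01Reachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [int] $TimeoutSeconds = 10
    )

    # Random, non-existent token: any HTTP answer (even a 404) proves the request
    # reached a web server on port 80; only a timeout or refusal is a problem.
    $probe = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object { [char]$_ })

    foreach ($h in $HostName) {
        $r = [ordered]@{ Host = $h; Address = $null; Port80 = $false; HttpStatus = $null; Verdict = '' }

        # 1. Name resolution: the ACME server looks the name up in public DNS.
        try {
            $addr = [System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1
            $r.Address = $addr.IPAddressToString
        } catch {
            $r.Verdict = 'name does not resolve; http-01 cannot start'
            [pscustomobject]$r; continue
        }

        # 2. TCP connect to port 80 with a timeout: the step that produced
        #    "Timeout during connect (likely firewall problem)" above.
        $tcp = New-Object System.Net.Sockets.TcpClient($addr.AddressFamily)
        $ar  = $tcp.BeginConnect($addr, 80, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)) {
            $tcp.Close()
            $r.Verdict = 'connect timeout on tcp/80: packets are dropped, check NAT and security rules for port 80'
            [pscustomobject]$r; continue
        }
        try { $tcp.EndConnect($ar); $r.Port80 = $true }
        catch {
            # Refused means the port is forwarded to a host, but nothing listens there.
            $r.Verdict = 'tcp/80 reached a host but the connection was refused: no listener on port 80'
            [pscustomobject]$r; continue
        }
        finally { $tcp.Close() }

        # 3. HTTP GET of the challenge path; redirects are followed, as the ACME server does.
        try {
            $resp = Invoke-WebRequest -Uri "http://$h/.well-known/acme-challenge/$probe" `
                        -UseBasicParsing -TimeoutSec $TimeoutSeconds -ErrorAction Stop
            $r.HttpStatus = [int]$resp.StatusCode
        } catch {
            # Non-2xx answers (404 for the random token is normal) arrive as an exception.
            if ($_.Exception.Response) { $r.HttpStatus = [int]$_.Exception.Response.StatusCode }
        }
        $r.Verdict = if ($null -ne $r.HttpStatus) {
            "web server answers on port 80 (HTTP $($r.HttpStatus) for a random token); http-01 can reach this host"
        } else {
            'connected, but no HTTP response within the timeout'
        }
        [pscustomobject]$r
    }
}

# Sample input: the three names from the certificate request in this thread.
$sanNames = 'owa.dept-info.crosemont.quebec',
            'autodiscover.dept-info.crosemont.quebec',
            'smtp.dept-info.crosemont.quebec'
Test-AcmeHttp01Reachability -HostName $sanNames | Format-Table -AutoSize
```

With win-acme's "Serve verification files from memory" option the challenge listener only exists while a renewal is running, so outside that window a name with no IIS http binding may report "connection was refused"; that is fine, since the timeout case is the one a firewall causes. Every name in the list must come back as reachable, because the ACME server authorizes each identifier separately and one failure fails the whole order.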

Ah, these are very special configurations. Happy to read you have found these :+1:

You can use dns validation. But that requires creating a TXT entry in your dns management. So your DNS provider should have an API to automate that and you must have a client that supports that API.

Normally, http validation is the easiest solution because you don't need to update your DNS configuration.

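The dns-01 route mentioned above is what menu option 8 in the win-acme output ("Create verification records with your own script") is for. The script below is an added example, not code from the thread or from the win-acme project, of such a hook. It assumes two things that are not stated on this page: that win-acme invokes the script with its documented default argument format `create {Identifier} {RecordName} {Token}` and `delete {Identifier} {RecordName} {Token}`, and that the public zone for the names is hosted on a Windows DNS Server reachable with the DnsServer module (RSAT or the server itself). The zone lookup is generic: it finds the longest primary zone that is a suffix of the record name, so it works whether the server hosts dept-info.crosemont.quebec or a parent zone. The server name `localhost` and the script path are placeholders.

```powershell
# Added example: dns-01 create/delete hook for win-acme's "script" DNS validation plugin.
# Assumed call format (win-acme default): <script> create|delete {Identifier} {RecordName} {Token}
# Assumed DNS backend: Windows DNS Server managed through the DnsServer module.
param(
    [Parameter(Mandatory, Position = 0)] [ValidateSet('create', 'delete')] [string] $Action,
    [Parameter(Mandatory, Position = 1)] [string] $Identifier,   # e.g. owa.dept-info.crosemont.quebec
    [Parameter(Mandatory, Position = 2)] [string] $RecordName,   # e.g. _acme-challenge.owa.dept-info.crosemont.quebec
    [Parameter(Mandatory, Position = 3)] [string] $Token,        # value the ACME server expects in the TXT record
    [string] $DnsServer = 'localhost'                            # placeholder: primary DNS server to manage
)

$ErrorActionPreference = 'Stop'
Import-Module DnsServer

# Map the full record name onto (zone, relative node): take the longest primary forward
# zone hosted on $DnsServer that is a suffix of the record name.
$fqdn  = $RecordName.TrimEnd('.').ToLowerInvariant()
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone }
$zone  = $zones |
         Where-Object { $z = $_.ZoneName.ToLowerInvariant(); $fqdn -eq $z -or $fqdn.EndsWith('.' + $z) } |
         Sort-Object { $_.ZoneName.Length } -Descending | Select-Object -First 1
if (-not $zone) { throw "No primary zone on $DnsServer is authoritative for $fqdn" }

$zoneName = $zone.ZoneName.ToLowerInvariant()
$node = if ($fqdn -eq $zoneName) { '@' } else { $fqdn.Substring(0, $fqdn.Length - $zoneName.Length - 1) }

switch ($Action) {
    'create' {
        # Short TTL so the value is picked up quickly and stale tokens do not linger on resolvers.
        Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -Name $node `
            -Txt -DescriptiveText $Token -TimeToLive ([TimeSpan]::FromSeconds(60))
        Write-Output "Created TXT $fqdn = $Token in zone $($zone.ZoneName) on $DnsServer for $Identifier"
    }
    'delete' {
        # Remove only the record carrying this token; challenges for other names in the same
        # order create sibling records under other node names and are left untouched.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -Name $node `
            -RRType Txt -RecordData $Token -Force
        Write-Output "Removed TXT $fqdn = $Token from zone $($zone.ZoneName) on $DnsServer"
    }
}
```

The account the scheduled task runs under needs permission to modify the zone, and if the zone has secondary servers the record must have transferred to all of them before validation, since the ACME server may query any authoritative server. Because the token is handed over only as a script argument and the record is deleted afterwards, nothing secret persists in DNS; the TXT value is a one-time challenge response, not a key.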
