Failure of Cert via Latest version of Win-Acme

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://minterrors.org

I ran this command: Win-Acme.exe automated script generation

It produced this output:

My web server is (include version): IIS

The operating system my web server runs on is (include version): Win Server 2022

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello,

I am running into an issue while using Win-Acme to renew a cert. The failure is listed below.

I DID see that utilizing a firewall and Geo-blocking countries will cause issues. I DO have a few countries blocked. If I knew which ones I should unblock, I could run the update and then block them again. OR, there was something mentioned about a DNS setting that may be able to correct the issue.

Any assistance would be greatly appreciated.

A simple Windows ACMEv2 client (WACS)
Software version 2.2.8.1635 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task points to different location for .exe and/or working directory
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (1 currently due)
A: Manage renewals (1 total, 1 in error)
O: More options...
Q: Quit

Please choose from the menu: r

Plugin IIS generated source minterrors.org with 1 identifiers
Plugin Single created 1 order
Renewing [IIS] minterrors, (any host)
Cached order has status invalid, discarding
[minterrors.org] Authorizing...
[minterrors.org] Authorizing using http-01 validation (SelfHosting)
[minterrors.org] Authorization result: invalid
[minterrors.org] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"During secondary validation: 96.225.177.48: Invalid response from http://minterrors.org/.well-known/acme-challenge/wt_gs6fcD6nci9xDzLlxsvaTOMUo_Ar1NPjAWN9Hapg: 403","status":403,"instance":null}
[minterrors.org] Deactivating pending authorization
Renewal for [IIS] minterrors, (any host) failed, will retry on next run
Validation failed
No certificate generated

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (1 currently due)
A: Manage renewals (1 total, 1 in error)
O: More options...
Q: Quit

Please choose from the menu:

Hello @minterrors, welcome to the Let's Encrypt community. :slightly_smiling_face:

From around the world (Permanent link to this check report) there are mostly results of "Connection timed out".

Let's Encrypt uses multi-perspective validation (see: Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt).

This looks like a reputation-based firewall blocking requests. It would not affect just Let's Encrypt. I can't query your "home" page using HTTP from my own test server in the USA.

curl -i http://minterrors.org/

HTTP/1.1 403 Forbidden
<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY><center>
<b>Threat Prevention</b></center>
<p>This site is blocked because it violates network policy.</p>
<p>Host: minterrors.org</p>
<p>URI: /</p>
<p>Reason: Threat reputation No reputation</p>
<p>Please contact your network administrator</p></BODY></HTML>

Can you make a rule that allows any URI that starts with /.well-known/acme-challenge?

Also using the online tool Let's Debug yields these results https://letsdebug.net/minterrors.org/1937254

ANotWorking
ERROR
minterrors.org has an A (IPv4) record (96.225.177.48) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with minterrors.org/96.225.177.48: Get "http://minterrors.org/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://minterrors.org/.well-known/acme-challenge/letsdebug-test (using initial IP 96.225.177.48)
@0ms: Dialing 96.225.177.48
@10000ms: Experienced error: context deadline exceeded

Best Practice - Keep Port 80 Open

The HTTP-01 challenge section of Challenge Types - Let's Encrypt states:
"The HTTP-01 challenge can only be done on port 80."
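The replies above show the two outcomes the remote validators are hitting (a 403 from a reputation firewall, and a plain timeout), plus the ACME problem document win-acme printed. The following script is an added example for this thread, not code from win-acme, Let's Debug or Let's Encrypt. It fetches an http-01 challenge URL over port 80 the way a validator would and classifies the reply, and it parses the JSON error line win-acme logs so that "During secondary validation" (one of the extra perspectives failed, the usual signature of geo- or reputation-based blocking) is made explicit. The domain, token and key-authorization strings are constructed placeholders; the sample log line is the one quoted earlier in this thread.

```python
"""Probe an http-01 challenge URL like a remote ACME validator and classify the
reply; parse a win-acme error line carrying an ACME problem document.

Added example for this thread (not win-acme / Let's Debug / Let's Encrypt code).
"""
import json
import re
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed placeholders; a real client gets these from the ACME order.
EXAMPLE_DOMAIN = "example.test"
EXAMPLE_TOKEN = "wt_gs6fcD6nci9xDzLlxsvaTOMUo_Ar1NPjAWN9Hapg"
EXAMPLE_KEYAUTH = EXAMPLE_TOKEN + ".THUMBPRINT_PLACEHOLDER"

# Quoted from the win-acme output earlier in this thread.
SAMPLE_WIN_ACME_LINE = (
    '[minterrors.org] {"type":"urn:ietf:params:acme:error:unauthorized",'
    '"detail":"During secondary validation: 96.225.177.48: Invalid response from '
    'http://minterrors.org/.well-known/acme-challenge/'
    'wt_gs6fcD6nci9xDzLlxsvaTOMUo_Ar1NPjAWN9Hapg: 403","status":403,"instance":null}'
)


@dataclass
class ProbeResult:
    outcome: str           # ok | wrong_body | blocked | http_error | timeout | connect_error
    status: Optional[int]  # HTTP status when any response came back
    detail: str


def classify_http(status: int, body: str, expected_keyauth: str) -> ProbeResult:
    """Map an HTTP reply to what a validator would conclude.

    Only 200 with the key authorization as the body passes (surrounding
    whitespace is tolerated). 403 is what a reputation or geo-blocking firewall
    typically returns, and means the request never reached the real content.
    """
    if status == 200:
        if body.strip() == expected_keyauth:
            return ProbeResult("ok", 200, "key authorization matches")
        return ProbeResult("wrong_body", 200, "200 but body is not the key authorization")
    if status == 403:
        return ProbeResult("blocked", 403, "403: likely firewall/WAF policy, not IIS content")
    return ProbeResult("http_error", status, f"unexpected HTTP status {status}")


def probe(domain: str, token: str, expected_keyauth: str, timeout: float = 10.0) -> ProbeResult:
    """Fetch http://<domain>/.well-known/acme-challenge/<token> on plain port 80."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-challenge-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return classify_http(resp.status, body, expected_keyauth)
    except urllib.error.HTTPError as e:  # non-2xx raises, but still carries status and body
        body = e.read().decode("utf-8", errors="replace")
        return classify_http(e.code, body, expected_keyauth)
    except urllib.error.URLError as e:
        if isinstance(e.reason, socket.timeout):
            return ProbeResult("timeout", None, f"no reply from {domain} within {timeout}s")
        return ProbeResult("connect_error", None, str(e.reason))
    except socket.timeout:
        return ProbeResult("timeout", None, f"no reply from {domain} within {timeout}s")


# "<ip>: Invalid response from <url>: <code>", optionally prefixed by the
# validation phase. The IP is the server that was contacted (your A record),
# not the validator's own address.
_DETAIL_RE = re.compile(
    r"^(?:During (?P<phase>\w+) validation: )?"
    r"(?P<ip>[0-9A-Fa-f.:]+): Invalid response from (?P<url>\S+): (?P<code>\d+)"
)


def parse_acme_error(log_line: str) -> dict:
    """Extract the ACME problem document from a win-acme log line.

    phase == "secondary" means the primary vantage point passed but one of the
    remote perspectives failed, i.e. the block is selective by source address.
    """
    start = log_line.find("{")
    if start < 0:
        raise ValueError("no JSON problem document in line")
    problem, _ = json.JSONDecoder().raw_decode(log_line[start:])
    m = _DETAIL_RE.match(problem.get("detail", ""))
    phase = (m.group("phase") or "primary") if m else None
    return {
        "type": problem.get("type"),
        "status": problem.get("status"),
        "phase": phase,
        "target_ip": m.group("ip") if m else None,
        "url": m.group("url") if m else None,
        "response_code": int(m.group("code")) if m else None,
    }


if __name__ == "__main__":
    print(parse_acme_error(SAMPLE_WIN_ACME_LINE))
    # Live probe of a placeholder domain; replace with your own domain and token.
    print(probe(EXAMPLE_DOMAIN, EXAMPLE_TOKEN, EXAMPLE_KEYAUTH, timeout=5.0))
```

Run the probe from a host outside your own network (or several, since Let's Encrypt validates from multiple regions); a "blocked" result from one vantage point and "ok" from another is exactly the selective filtering the thread describes, and "timeout" points at port 80 being dropped rather than answered.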

Thanks for the welcome and quick replies.

I have disabled the geo blocks for Singapore. I do not believe Sweden was blocked.

Now, I have to wait for a bit to test, since win-acme is reporting "too many requests".

I will go into the IIS server and add a port 80 URL path to minterrors.org as well. I don't believe port 80 is blocked via the firewall. I will double check though.

Please bear with me as I navigate through all of this.

Something blocked my HTTP request because of "Threat Reputation". You may not be blocking all of port 80 but something is blocking at least some requests.

Mike,
Thanks for the reply. I am one who is very humble and appreciate the assistance. This stuff can become overwhelming for me at times.

What I recently did was add the http:// URL into IIS. I did browse the website via IIS and the http://minterrors.org connection worked. I did stop and start IIS. Then I tried win-acme again and it failed; it had the 403 error again.

Later on tonight, I will attempt to bypass the firewall and see if I can renew the cert. IF so, then we know the problem. I will look at the router as well and ensure the router has port 80 open and forwarding to the web server.

I will try to update this post as much as I can with what I have attempted. Thanks again for everyone chiming in.

Consider whether switching to DNS Validation instead of HTTP challenges will be more suitable for you. win-acme has a few plugins you can use for different DNS providers, https://certifytheweb.com (which I develop) has a few more I think (many via Posh-ACME, which you could also use) but it depends on your choice of DNS provider as to whether they have a supported API.

There are a few other alternative approaches to DNS validation as well if you want to explore that option.

I have successfully updated the Let's Encrypt certificate for the website https://minterrors.org.

I am using an inline firewall meant to protect the web server from abusive scans and attacks. I disabled as many rules as I thought would make a difference, but the attempts at updating failed. One of my last resorts (if you will) was to bypass the firewall and plug the web server directly into the router. I quickly ran the Win-Acme application and it successfully updated.

I DO have a lot of IP blocks within the router as well, but I have not touched those and wanted to see if it was the IPS/firewall first before moving forward.

As for switching to a DNS validation, I only have a web server here and my ISP is Verizon. My DNS goes through Network Solutions. I will download the documentation that you all have provided and see if this is a possibility for me. I am open to any further suggestions or comments.

I would like to personally thank all who have replied:

[MikeMcQ]

[Bruce5051]

[webprofusion]

If you proceed with DNS Challenge you should switch to a different provider. Cloudflare is popular, easy to use, and free for many cases. They also have a terrific community and many of us here are familiar with it.

Good work getting that all sorted. I know it can be frustrating. Ideally you could make a rule that allowed HTTP (port 80) requests from anywhere that start with /.well-known/acme-challenge/

Mike, Unfortunately I have 3.5 more years with the webhosting/email boxes/domain names/DNS over at Network Solutions. I don't mind bypassing the firewall once every three months. I used to work as a network security engineer for over 20 years but I am getting a bit rusty since retirement.

Again, thank you for the suggestion(s).

Something to consider is to just CNAME the _acme-challenge.(domain) to a different provider. That's the record used in the DNS Challenge. It is often a TXT record but can be CNAME. See: DNS Challenges

You can even run your own DNS Server just to handle these challenges (see below)

I suggest not renewing only every 90 days. Give yourself enough time to handle outages and unanticipated changes that may require special attention. The recommendation is to renew every 60 days for a 90-day cert. There can also be CA-driven revocations (which are rare), but that is one reason an auto-renewal check at least once a day is considered best practice.