Generating a certificate suddenly stopped working

Hi all,
I have been generating certificates using Wincertes and Lets Encrypt for quite some time (on this server) without issue, however when I went to use it today (I run a batch file) it seems to timeout and fail after a few minutes.
It's like it can't reach the Lets Encrypt server, or doesn't receive the response.
I run the command "as administrator".
I've turned off the windows firewall.
I deleted my existing credentials in the registry, however now I get a "failed to register account ..." error.
I don't believe I have changed anything on the server since the last time I generated a certificate.

Does anyone have any suggestions?

Thanks.

Vernon.

My domain is: farmxl.com.au, farmxl.net

I ran this command: WinCertes.exe -e admin@farmxl.com.au -d www.farmxl.net -d farmxl.net -d www.farmxl.com.au -d farmxl.com.au -b "farmxl.com.au" -w"C:\inetpub\wwwroot\farmxl.com.au"

It produced this output: Failed to register account admin@farmxl.com.au with certificate authority https://acme-v02.api.letsencrypt.org/directory: A task was canceled.
Could not register ACME service account

My web server is (include version): IIS 10.0.17763.1

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Wincertes 1.4.3

It does seem that way. Can you open https://acme-v02.api.letsencrypt.org/directory in a browser on that server right now?

There was an outage earlier today (Let's Encrypt Status), but it should be all OK now.

Thanks _az.

This is what I got when I pasted the link into Chrome on the server ...

```json
{
  "dmQgJygQTtw": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
```

That looks normal.

And Certes is still producing that error when you try to register an account right now?

Running it again ... waiting for the timeout :slight_smile:

Yep same error again.
This is very weird. I'm guessing it's probably something simple, but for the life of me I can't figure out what it is.
What ports need to be open? Just 80 and 443?

Yeah, to register an account, WinCertes.exe needs outbound port 443 access.

It's a bit unfortunate that the error from WinCertes doesn't distinguish between being unable to fetch that directory URL, and being unable to actually submit the registration request.

I would blame Windows Firewall but you say that it's off so :man_shrugging:.
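Since the WinCertes error does not say which step timed out, here is an added diagnostic (example code, not part of WinCertes or this thread) that separates the two: it fetches the directory document, then sends a HEAD request to the `newNonce` URL it advertises, which is the next request any registration needs. It assumes the directory endpoint names from RFC 8555 and uses the directory body pasted above as its sample input.

```python
# Added example (not WinCertes code): split the single "A task was canceled"
# failure into two read-only stages so a timeout can be attributed either to
# fetching the directory or to the follow-up request registration would need.
import json
import urllib.request
from urllib.error import URLError

# Endpoints RFC 8555 requires in an ACME directory document.
REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

def parse_directory(body: str) -> dict:
    """Return the required endpoint URLs, dropping extras such as Let's Encrypt's random entry."""
    data = json.loads(body)
    missing = [k for k in REQUIRED_ENDPOINTS if k not in data]
    if missing:
        raise ValueError(f"directory is missing endpoints: {missing}")
    return {k: data[k] for k in REQUIRED_ENDPOINTS}

def check_acme_reachability(directory_url: str, timeout: float = 20.0) -> dict:
    """Stage 1: GET the directory. Stage 2: HEAD the newNonce URL it lists."""
    result = {"directory": None, "nonce": None, "error": None}
    try:
        with urllib.request.urlopen(directory_url, timeout=timeout) as resp:
            endpoints = parse_directory(resp.read().decode("utf-8"))
        result["directory"] = "ok"
    except (URLError, OSError, ValueError) as exc:
        result["error"] = f"stage 1 (fetch directory) failed: {exc}"
        return result
    try:
        req = urllib.request.Request(endpoints["newNonce"], method="HEAD")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # The ACME server answers HEAD with a fresh nonce in the Replay-Nonce header.
            result["nonce"] = "ok" if resp.headers.get("Replay-Nonce") else "no Replay-Nonce"
    except (URLError, OSError) as exc:
        result["error"] = f"stage 2 (HEAD newNonce) failed: {exc}"
    return result

# Constructed sample: the directory body pasted earlier in this thread.
SAMPLE_DIRECTORY = json.dumps({
    "dmQgJygQTtw": "Adding random entries to the directory",
    "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
})

if __name__ == "__main__":
    print(check_acme_reachability("https://acme-v02.api.letsencrypt.org/directory"))
```

If stage 1 succeeds and stage 2 times out, the problem is not general HTTPS reachability but the second round-trip, which is where a stale firewall or proxy state would show up.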

Outbound I am completely open (on AWS) -

Inbound I have both 443 and 80 open -

Are you using any kind of proxy for internet access? The 'a task was cancelled' bit just means that the operation timed out, so I'd guess that takes about 20 seconds to happen. Your test in Chrome indicates you can get to the API just fine, so unless you have a specific Windows Firewall rule for WinCertes I think you might need to just restart the machine.


No proxy for internet access.
I will try a restart.

A restart did it.
Bloody Windows!

Thanks _az and webprofusion for the help. Much appreciated.


Cool! I've had that happen with Windows Firewall before as well.
