Having to Re-Create SSL Cert using WACS is failing

Our SSL certificate for our RDS server is about to expire, and the renew option is no longer working within the WACS application.

I have tried now to re-create the SSL certificate in order to start over and get the renewal option working again; however, the creation process is failing over and over. I have tried many times to create the cert with no luck. I have checked and re-checked everything and I am not sure as to why it is failing.

The error I am getting is a 403 error. I know that this is supposed to be a permission issue; however, everything seems to be working. I can see the check file being created (temporarily) during the validation process, and yes, it gets removed as quickly as it is created when it fails to validate.


I am not sure as to why it is stating that the cached order has a status "Invalid", discarding... Is this my issue to start off with?

I could use some assistance on this issue!!!

Your server is rejecting requests to the ACME challenge URL with an HTTP 403 Forbidden error. The body of the page in the error includes this:

This site has been blocked by the network administrator.

Block reason: Gateway GEO-IP Filter Alert
IP address: xx.xx.x.x
Connection initiated from country: United States

The above was a result from my test from an AWS region on the US East Coast.

Do you have a geographic-based filter in your firewall? The Let's Encrypt servers will be making requests from various points around the world (the US and Germany at the moment, but this can change).

4 Likes

Not just for the ACME challenge: the entire website is geo-blocked, also from The Netherlands.

3 Likes

We have adjusted the firewall and received a different error code of 500.


We have removed our filter completely now and are going to try it once more as soon as my lockout releases (too many failed attempts). :slight_smile:
At least this is some progress.

Yeah, the HTTP 500 is not related to "too many attempts". Right now this test fails:

curl -i rds.evansonline.com/.well-known/acme-challenge/ForumTest123

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/8.5
Date: Wed, 25 May 2022 20:41:42 GMT
Content-Length: 75

2 Likes
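A pre-flight check of the kind run with curl above can be automated before ever contacting the CA. The script below is an added example written for this thread; it is not part of the original posts and is not win-acme's code. It writes a random token under a webroot's .well-known/acme-challenge directory (the same path the HTTP-01 challenge uses), fetches it back over HTTP, and classifies the result: a 403 whose body contains the "GEO-IP" / "blocked by the network administrator" text seen earlier in the thread is reported as a geo-block, a 500 as a server-side error on the challenge path (not a rate limit), and a 200 is checked for the exact token. The `demo()` function spins up a throwaway local Python web server so the mechanics can be seen offline; against a real host you would call `probe_webroot()` with the IIS site's physical path and the public base URL, and ideally run it from outside your own network, as the poster above did from AWS. All function and constant names are this example's own.

```python
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

# Path the HTTP-01 challenge is served from, relative to the webroot.
CHALLENGE_DIR = ".well-known/acme-challenge"

# Strings taken from the firewall block page quoted earlier in the thread.
GEO_BLOCK_MARKERS = ("GEO-IP", "blocked by the network administrator")


def classify(status, body):
    """Map an HTTP status/body pair from the challenge URL to a short diagnosis."""
    if status == 200:
        return "ok"
    if status == 403:
        # A 403 with a network-filter page means the firewall, not IIS, answered.
        if any(m.lower() in body.lower() for m in GEO_BLOCK_MARKERS):
            return "geo-blocked"
        return "forbidden"
    if status == 500:
        # The web server accepted the request but failed serving the challenge file.
        return "server-error"
    if status == 404:
        return "not-found"
    return f"unexpected-{status}"


def fetch(url, timeout=10):
    """GET url and return (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_webroot(webroot, base_url):
    """Write a random token under webroot, fetch it via base_url, return (status, diagnosis)."""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    try:
        status, body = fetch(f"{base_url}/{CHALLENGE_DIR}/{token}")
    finally:
        path.unlink(missing_ok=True)  # never leave probe files behind
    diagnosis = classify(status, body)
    if diagnosis == "ok" and body.strip() != token:
        # 200 but wrong content: something else (a redirect target, a catch-all page) answered.
        diagnosis = "wrong-body"
    return status, diagnosis


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, format, *args):
        pass


def _serve(webroot):
    """Start a local static server on a random port (stand-in for IIS in this demo)."""
    handler = partial(_QuietHandler, directory=str(webroot))
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def demo():
    """Run the probe against a temporary webroot served locally; returns (status, diagnosis)."""
    with tempfile.TemporaryDirectory() as webroot:
        httpd = _serve(webroot)
        port = httpd.server_address[1]
        try:
            return probe_webroot(webroot, f"http://127.0.0.1:{port}")
        finally:
            httpd.shutdown()


if __name__ == "__main__":
    print(demo())  # expected on a working setup: (200, 'ok')
```

Because the probe file is created and removed by the script itself, it exercises exactly the write-then-serve step that win-acme's filesystem validation depends on, so a "server-error" or "geo-blocked" result here tells you which layer to look at before spending an attempt against the CA.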

Please use the staging environment for debugging issues such as this to prevent rate limits.

3 Likes

Could you explain how I would go about doing this in the staging environment? Using wacs.exe?

I have tested once again after we have removed all geo-blocking and I am still getting the same error as previously posted.

I have seen the post which MikeMcQ has replied with stating the 500 Internal Server Error.

Does anyone have an idea as to why I am getting this error? We have not changed anything, and the renewal service was working without issue for the longest time. We are not sure as to why it no longer showed any renewal, and now we are stuck with trying to re-create the certificate and get it back on the renewal cycle.

We are using the Windows WACS.exe plugin to facilitate this process.

Is there a WACS specific help channel?

1 Like

I am not sure. If you find one, please let me know

Regards,
Glen Lukye

You're using filesystem validation (which needs to serve the HTTP challenge response via your system web server). If you can use the self-hosting win-acme option, this will instead use a temporary HTTP listener to answer the HTTP challenge. This will work a lot better, as it doesn't need to mess with your application web.config etc. (it sits before IIS in the HTTP request pipeline).

[Also make sure you are on the latest version of the app]

3 Likes

I'm afraid not. I don't use Windows.

2 Likes

The manual is your friend. You use the --test argument on the command line.

3 Likes

Thank you all for your assistance.

After trying the exact same thing this morning, and I did use the --test environment, I was able to successfully re-create my SSL cert.

I do thank you all for your inputs.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.