Our SSL for our RDS server is about to expire, and the renew option is no longer working within the WACS application.
I have now tried to re-create the SSL certificate in order to start over and get the renewal option working again; however, the creation process is failing over and over. I have tried many times to create the cert with no luck. I have checked and re-checked everything and I am not sure why it is failing.
The error I am getting is a 403 error. I know that this is supposed to be a permission issue; however, everything seems to be working. I can see the check file being created (temporarily) during the validation process, and yes, it gets removed as quickly as it is created when it fails to validate.
I am not sure why it is stating "Cached order has a status 'Invalid', discarding..." Is this my issue to start off with?
Your server is rejecting requests to the ACME challenge URL with an HTTP 403 Forbidden error. The body of the page in the error includes this:
This site has been blocked by the network administrator.
Block reason: Gateway GEO-IP Filter Alert
IP address: xx.xx.x.x
Connection initiated from country: United States
The above was the result of my test from an AWS region on the US East Coast.
Do you have a geography-based filter in your firewall? The Let's Encrypt servers will be making requests from various points around the world (the US and Germany at the moment, but this can change).
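To reproduce the test described above from outside your own network, here is a small probe script. It is an added example, not code from the thread or from win-acme: it requests the HTTP-01 challenge path the way a validation server would and classifies the answer (gateway block page, plain 403, 500, 404, or the expected key authorization). The hostname, the probe token and the list of block-page phrases (beyond the two quoted in the thread) are assumptions you should adjust. Because Let's Encrypt validates from several locations, a clean result from one vantage point does not prove the path is reachable from all of them.

```python
"""Probe http://<host>/.well-known/acme-challenge/<token> and explain the result.

Added example (not from the forum thread or from win-acme). The host and token
used in __main__ are placeholders; BLOCK_PAGE_MARKERS is a constructed list
seeded with the wording of the block page quoted in the thread.
"""
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

# Phrases commonly found on firewall / gateway block pages (constructed sample;
# the first two come from the block page quoted in this thread).
BLOCK_PAGE_MARKERS = (
    "blocked by the network administrator",
    "geo-ip filter",
    "access denied by",
)


def classify(status, body, expected_key_auth=None):
    """Map an HTTP status and body from the challenge URL to a short diagnosis."""
    text = body.lower()
    if status == 200:
        if expected_key_auth is None or body.strip() == expected_key_auth:
            return "ok"
        # 200 with the wrong body usually means a catch-all page or a rewrite rule
        return "wrong-content"
    if status in (401, 403):
        if any(marker in text for marker in BLOCK_PAGE_MARKERS):
            return "blocked-by-gateway"  # a filter in front of the web server answered
        return "forbidden"               # the web server / web.config denied the request
    if status == 404:
        return "not-found"               # request reached the site, no file served
    if 500 <= status < 600:
        return "server-error"            # IIS or a handler failed answering the path
    return "other"


def probe(host, token, timeout=10):
    """Fetch the challenge URL over plain HTTP, returning (status, body)."""
    url = "http://" + host + ACME_PATH + token
    req = urllib.request.Request(url, headers={"User-Agent": "acme-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry a body; that body is what tells a
        # gateway block page apart from a plain web-server 403
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder host; run from a network outside your own perimeter.
    host = sys.argv[1] if len(sys.argv) > 1 else "rds.example.com"
    # A made-up token: on a correctly configured site this should yield 404
    # ("not-found"), which proves the request reached the web server itself.
    status, body = probe(host, "probe-token-not-a-real-challenge")
    print(status, classify(status, body))
    print(body[:300])
```

Run it as `python probe.py your.host.name` from a machine outside the firewall. A result of `not-found` for the made-up token is the healthy outcome; `blocked-by-gateway` means a device in front of IIS is answering, and `server-error` points at the web server or a handler on that path rather than at the network filter.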
We have adjusted the firewall and received a different error code of 500.
We have removed our filter completely now and are going to try it once more as soon as my lockout releases (too many failed attempts).
At least this is some progress.
I have tested once again after we have removed all geo-blocking and I am still getting the same error as previously posted.
I have seen the post MikeMcQ replied with, stating the 500 Internal Server Error.
Does anyone have an idea why I am getting this error? We have not changed anything, and the renewal service was working without issue for the longest time. We are not sure why it no longer showed any renewal, and now we are stuck trying to re-create the certificate and get it back on the renewal cycle.
We are using the Windows WACS.exe plugin to facilitate this process.
You're using filesystem validation (which needs to serve the HTTP challenge response via your system web server). If you can use the self-hosting win-acme option, this will instead use a temporary HTTP listener to answer the HTTP challenge. This will work a lot better, as it doesn't need to mess with your application web.config etc. (it sits before IIS in the HTTP request pipeline).
[Also make sure you are on the latest version of the app]