IIS win-acme Unable to renew cert. Gives error with .well-known/acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: remindo.net

I ran this command: Tried to renew via WinAcme.exe

It produced this output:
Plugin IIS generated source remindo.net with 2 identifiers
Plugin Single created 1 order
Source change in order Main detected
Renewing [IIS] Remindo.net, (any host)
Cached order has status invalid, discarding
[remindo.net] Authorizing...
[remindo.net] Authorizing using http-01 validation (SelfHosting)
[remindo.net] Authorization result: invalid
[remindo.net] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"66.96.163.128: Invalid response from https://remindo.net/.well-known/acme-challenge/KSPb5l49u-JtEE8wLvBMzXEkPIJxXZXUz85dPBDvZkg: 404","status":403,"instance":null}
[remindo.net] Deactivating pending authorization
[www.remindo.net] Deactivating pending authorization
Renewal for [IIS] Remindo.net, (any host) failed, will retry on next run
Validation failed
No certificate generated

My web server is (include version): IIS

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: 10.0.17763.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): WinAcme with a EXE date of 5/22/2024

I used LetsDebug and it said it saw no problems. I would not be opposed to starting over from scratch with this certificate if that would be easier. This site is not really in use just yet. Just not totally sure the best way to go about that.

It could be the wrong machine responding? The error says that the domain resolved to the IP 66.96.163.128 but when I check your domain it resolves to 74.91.112.238.

When I browse to the domain it has a certificate that should be for lociapp.com which in turn also resolves to a different IP 74.91.127.170.

So the first thing I'd check is that your domain is pointing to the correct IP.

win-acme has been superseded by simple-acme to some extent (the maintainer has moved to that project), but during validation it runs it's own challenge response http service alongside IIS, and that should be working normally.

I changed my DNS records earlier. Propagation is a bit sketchy, of course. Anyway when I ping it, I get . . .

Pinging remindo.net [74.91.112.238] with 32 bytes of data:
Reply from 74.91.112.238: bytes=32 time=26ms TTL=116
Reply from 74.91.112.238: bytes=32 time=32ms TTL=116
Reply from 74.91.112.238: bytes=32 time=31ms TTL=116
Reply from 74.91.112.238: bytes=32 time=27ms TTL=116

Perhaps starting over with simple-acme is the thing to do now. I don't think I can just change that IP in the renewal.

Looked at simple-acme. The site says it's signed. Windows says it's not. Seems sketchy. Guess I'll stick with Win-Acme for now. (And it installs WACS.EXE, anyway, which is confusing.)

Ah yes I see the signing issue, probably just a build glitch. Yes by all means stick with win-acme if it's otherwise working.

I develop Certify The Web (which is a different certificate management tool for windows etc) so I'm not going to try to convince you of the merits of simple-acme, except to say it's more up to date than win-acme

Regarding your validation issue, if you try again perhaps it will complete ok as long as it see the new IP.

Yes, I made a mistake uploading the unsigned versions during the release of the last build. Scripts have been adjusted to catch this in the future