Let's Encrypt with 4th Level Domains on Windows IIS

Please fill out the fields below so we can help you better.

My domain is:zsqd.chnl.zj.chinamobile.com

I ran this command:from sslforfree.com,http manual verification

It produced this output:Domain “zsqd.chnl.zj.chinamobile.com” challenge3 timed out after 15 seconds. Try regenerating your account once by going back and clicking “Regenerate Account” near the top center. If that does not work then please try a different verification method (HTTP if using DNS or vice versa) or try again later. Last response from “https://acme-v01.api.letsencrypt.org/acme/challenge/dt9waiKFox-xAb5UCbNemBfbxGaHN5tFmxLLbKGB3Lw/1615426023” was { “type”: “http-01”, “status”: “pending”, “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/dt9waiKFox-xAb5UCbNemBfbxGaHN5tFmxLLbKGB3Lw/1615426023”, “token”: “4ZKLPa-jMl00t438nA59RYmcAu-hpwigVeH5U3H91wQ”, “keyAuthorization”: “4ZKLPa-jMl00t438nA59RYmcAu-hpwigVeH5U3H91wQ.pb0XbbZFjOSMS7843CpisNzT8Ux_dlO1cw47ooPZeLc” }

My web server is (include version):iis

The operating system my web server runs on is (include version):windows 2008

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes,administrator

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes, Let’s Encrypt supports subdomains of any depth.

hi @fengzd

Is there a particular reason why you have chosen to go with sslforfree.com?

There are plenty of good windows clients


I would have thought using one of these on your IIS server would make more sense?

I would try Certify first as it has a GUI and is pretty intutive


hi @fengzd

Also review the message from your error


I believe your providers DNS servers do not respond to CAA queries. This is needed for Let’s Encrypt so this needs to be fixed if it doesn’t get fixed you will not be able to use any Certificate Authorities.

From September 2017 every certificate MUST CHECK for CAA records so your providers need to answer these.


I have used letsencrypt-win-simple too,and got the same result.
My old domain and old web server qd.zs139.com,also the DNS server don’t repond to CAA queries,But it can pass the verification.
There is a Reverse Proxy between my new web server and internet, does it metter?

The DNS server doesn't need to return a CAA record, it just needs to not return an error. In the case for the nameservers for zs139.com, they just return an empty answer with "NOERROR".

For the zj.chinamobile.com zone, the server returns a SERVFAIL, which is a problem for the lookup.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.