Letsencrypt cert renewal timeout in Azure VM

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alea.gov, the cert I’m trying to renew is aleagis.usgovvirginia.cloudapp.usgovcloudapi.net

I ran this command: wacs.exe (from elevated command prompt).

It produced this output: [EROR] Authorization timed out
[EROR] Renewal for aleagis.usgovvirginia.cloudapp.usgovcloudapi.net failed, will retry on next run

My web server is (include version): IIS 10.0.14393.0

The operating system my web server runs on is (include version): Windows Server 2016 V 1607

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): using win-acme.v2.0.5.246

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): v2.0.5.246

When I try to run the renewal or auto-renewal I get a timeout. In the NSG of Azure for the VM that hosts the website I created a rule with the following entries:
Source: IP Addresses
Source IP addresses/CIDR ranges: 23.1.49.120,96.7.28.203,104.74.7.249,104.79.9.215 (found by pinging, nslookup, etc.)
Source port ranges: *
Destination: IP Addresses
Destination IP Addresses/CIDR ranges: 10.10.10.0/24 (not real, but the server is in the range that is real.)
Destination port ranges: 80,443
Priority: 1040

With this rule in place the cert will not renew. I’ve tried different things to get it to renew. There are three higher priority rules, but none that should impact the renewal, one is allowing http/80, one is https/443, one is RDP/3389.
If I create a higher priority rule, in the 100s, and have it completely wide open, blocking nothing, then the cert will renew. Of course I don’t want to do that for long. I need to find settings for the rule so that it auto-renews.
Can someone assist me?
Thanks!

Hi @rdover

I see, you have already checked your domain via https://check-your-website.server-daten.de/?q=aleagis.usgovvirginia.cloudapp.usgovcloudapi.net

That looks good, but your certificate is old.

CN=aleagis.usgovvirginia.cloudapp.usgovcloudapi.net
    07.02.2019 - 08.05.2019, expires in 33 days
    aleagis.usgovvirginia.cloudapp.usgovcloudapi.net - 1 entry

But:

That's not good. Read

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

And

The feature we’re most excited about is multi-perspective validation. Currently, when a subscriber requests a certificate, we validate domain control from a single network perspective.
...
The solution we intend to deploy in 2019 is multi-perspective validation, in which we will check from multiple network perspectives (distinct Autonomous Systems).

So Letsencrypt will check your server with different ip addresses.

Result: Your solution can't work.

Juergen,
Thanks for the reply.
I have manually updated the cert by setting a NSG rule that will allow ALL traffic in and out. When the cert renewed, I deleted that rule.
The last time I tried to renew I saw the information about LetsEncrypt not publishing IPs, because they may change. Unfortunately with an Azure NSG there’s no way to allow communication to a host name (i.e. letsencrypt.org). I don’t know how the proposed “multi-perspective validation” will help either.
I’m sure there are other people in Azure using LetsEncrypt. How are they handling auto-renewal?

Letsencrypt will check a domain from different ip addresses, located in multiple networks.

So one check may come from a US IP, one from Europe, one from Asia, one from Australia etc. If one check fails, the certificate isn't created.

I don't know. I use Letsencrypt certificates with public visible websites, so there is no ip based filter.
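Added example, not code from either poster: a small offline model of how Azure evaluates inbound NSG rules (lowest priority number first, first match wins, built-in DenyAllInBound at 65500 catches the rest), run against the allowlist rule from the original post and against a narrower alternative. It assumes HTTP-01 validation, which arrives on port 80; the second validator address is a constructed TEST-NET sample standing in for an unknown network perspective, not a real Let's Encrypt address.

```python
"""Offline model of Azure NSG inbound evaluation for the ACME HTTP-01 case.

Azure processes NSG rules from the lowest priority number upward; the first
matching rule decides, and the built-in DenyAllInBound rule (priority 65500)
catches everything else. Addresses and rule names below are constructed samples.
"""
import ipaddress


def _src_matches(sources, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(s == "*" or ip in ipaddress.ip_network(s, strict=False) for s in sources)


def _port_matches(ports, port):
    return "*" in ports or port in ports


def evaluate(rules, src_ip, port):
    """Return (access, rule_name) for an inbound TCP connection to `port`."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _src_matches(rule["sources"], src_ip) and _port_matches(rule["ports"], port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # Azure default rule, priority 65500


# The rule from the post: four observed validator IPs allowed on 80 and 443.
ALLOWLIST_RULE = {"name": "AllowLetsEncryptIPs", "priority": 1040, "access": "Allow",
                  "sources": ["23.1.49.120", "96.7.28.203", "104.74.7.249", "104.79.9.215"],
                  "ports": {80, 443}}

# Narrower alternative (assumption): port 80 from any source, since HTTP-01 only
# needs 80; 443 and 3389 stay closed to unlisted sources.
ACME_RULE = {"name": "AllowHttp01FromAnywhere", "priority": 1030, "access": "Allow",
             "sources": ["*"], "ports": {80}}

# Constructed validation perspectives: one listed IP plus one from an unknown
# network (TEST-NET-3). Multi-perspective validation fails if any one is blocked.
VALIDATORS = ["23.1.49.120", "203.0.113.10"]


def http01_reachable(rules, validators=VALIDATORS):
    """True only if every validation perspective can reach port 80."""
    return all(evaluate(rules, v, 80)[0] == "Allow" for v in validators)


if __name__ == "__main__":
    print("allowlist only:", http01_reachable([ALLOWLIST_RULE]))  # False
    print("port 80 open:", http01_reachable([ACME_RULE]))  # True
    print("443 from unknown:", evaluate([ACME_RULE], "203.0.113.10", 443))
```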

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.