Please help! SSL Exchange server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cg.ru

I ran this command: wacs.exe --target manual --host mail.cg.ru,pool.cg.ru,autodiscover.cg.ru,cg-sr-exch.cg.ru --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

It produced this output:
A simple Windows ACMEv2 client (WACS)
Software version 2.1.9.870 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 10.0
Running with administrator credentials
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme
Running in mode: Unattended
Target generated using plugin Manual: mail.cg.ru and 3 alternatives
Overwriting previously created renewal

[autodiscover.cg.ru] Authorizing…
[autodiscover.cg.ru] Authorizing using http-01 validation (SelfHosting)
[cg-sr-exch.cg.ru] Authorizing…
[cg-sr-exch.cg.ru] Authorizing using http-01 validation (SelfHosting)
[mail.cg.ru] Authorizing…
[mail.cg.ru] Authorizing using http-01 validation (SelfHosting)
[pool.cg.ru] Authorizing…
[pool.cg.ru] Authorizing using http-01 validation (SelfHosting)
[autodiscover.cg.ru] Authorization result: invalid
[autodiscover.cg.ru] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://autodiscover.cg.ru/.well-known/acme-challenge/FZbjBDbDplMebl7WUniRIz8iCNLcjzXekRcPNbfLpso: Connection refused",
"status": 400
}
[cg-sr-exch.cg.ru] Authorization result: invalid
[cg-sr-exch.cg.ru] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://cg-sr-exch.cg.ru/.well-known/acme-challenge/vrA7iY__2PgD0Agy6rl6j1hjJ6N_nvPVnyfEf6mPzbc: Connection refused",
"status": 400
}
[mail.cg.ru] Authorization result: invalid
[mail.cg.ru] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://mail.cg.ru/.well-known/acme-challenge/zRk2WRBq-mk-2KC-nVBQWGZq_IFe-Ezi8uPmAN0saS8: Connection refused",
"status": 400
}
[pool.cg.ru] Authorization result: invalid
[pool.cg.ru] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://pool.cg.ru/.well-known/acme-challenge/jYvHOqSdovxSRDIPtwM55sD8UmE6e127N6cGQmpafdw: Connection refused",
"status": 400
}
Create certificate failed: [autodiscover.cg.ru] Validation failed
- [cg-sr-exch.cg.ru] Validation failed
- [mail.cg.ru] Validation failed
- [pool.cg.ru] Validation failed

C:\LetsEncrypt>

The operating system my web server runs on is (include version): Windows Server 2019

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Software version 2.1.9.870

I am trying to create an SSL certificate for Exchange Server 2019. Here is such an error; what am I doing wrong?

Hello @santassq

You're going to need to add some records in your DNS to provide for your subdomains.

Hope this helps.
Rip


Can you please tell me which record I should add? I do not understand(((

Hello @santassq

The image you uploaded is confusing because much of the information needed is not visible for analysis. Certainly what can be seen does not fully match what can be discovered with simple network tools.

Are your subdomains all hosted on the same server? Different servers? Same location(s)? Various countries? Multiple DNS providers, etc.?

Everything I see on the 217.198.x.x network is visible and seems to be working (from OREGON USA).

cg.ru resolves to address: 217.198.8.190 and is accessible from the internet and is serving a valid LE certificate. It works!

LetsDebug agrees:
https://letsdebug.net/cg.ru/225194

mail.cg.ru resolves to address: 217.198.1.91, is accessible from the internet and has a valid LE certificate. It works!

LetsDebug agrees:
https://letsdebug.net/mail.cg.ru/225184

Opportunity to correct:
autodiscover.cg.ru does not resolve to any address from my location.
No valid A or AAAA records could be ultimately resolved for autodiscover.cg.ru
https://letsdebug.net/autodiscover.cg.ru/225183

Opportunity to correct:
pool.cg.ru does not resolve to any address from my location.
No valid A or AAAA records could be ultimately resolved for pool.cg.ru
https://letsdebug.net/pool.cg.ru/225181

Opportunity to correct:
cg-sr-exch.cg.ru does not resolve to any address from my location.
No valid A or AAAA records could be ultimately resolved for cg-sr-exch.cg.ru
https://letsdebug.net/cg-sr-exch.cg.ru/225180

No valid A or AAAA records could be resolved for three checked subdomains of cg.ru. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to. (No A or AAAA records found)

This is confirmed by @JuergenAuer's Check Your Website tool.

The bottom line is you need to fix your DNS issue(s).

Wish I was a magician, but I fall short.

Rip

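The reply above walks through the two things http-01 validation needs per hostname: an A/AAAA record so the CA knows where to connect, and something listening on port 80 that answers the /.well-known/acme-challenge/ URL. The following pre-flight check reproduces both steps and reports which one fails for each name in the --host list. It is an added example, not code from the thread or from win-acme; the resolver/fetcher arguments exist only so the classification logic can be exercised offline with constructed results.

```python
"""Pre-flight check for ACME http-01: does each hostname resolve, and does
port 80 accept a connection and answer the challenge URL?  Added example."""
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve(host):
    """Return the set of A/AAAA addresses for host, empty if none resolve."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def fetch_challenge(host, token):
    """GET the challenge URL; return (HTTP status or None, error text)."""
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as exc:
        return exc.code, None            # any HTTP answer means port 80 is reachable
    except (urllib.error.URLError, OSError) as exc:
        return None, str(getattr(exc, "reason", exc))


def diagnose(host, token="probe", resolver=resolve, fetcher=fetch_challenge):
    """Classify why http-01 would fail for host: 'dns', 'connect' or 'reachable'.
    resolver/fetcher are injectable so the logic can be tested offline."""
    if not resolver(host):
        return "dns"        # no A/AAAA record: the CA cannot know where to connect
    status, _err = fetcher(host, token)
    if status is None:
        return "connect"    # name resolved, but port 80 refused or timed out
    return "reachable"      # a 404 for an unknown token is the expected answer


def preflight(hosts, **kw):
    """Run diagnose() over every hostname from the --host list."""
    return {h: diagnose(h, **kw) for h in hosts}


if __name__ == "__main__":
    for host, verdict in preflight(
            ["mail.cg.ru", "pool.cg.ru", "autodiscover.cg.ru", "cg-sr-exch.cg.ru"]).items():
        print(f"{host}: {verdict}")
```

Run it on the web server itself and from an outside network; a name that reports "dns" needs an A/AAAA record before any firewall or IIS troubleshooting makes sense.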
