Problem renewing - using CertifyTheWeb

I have the same problem.

I'm using the CertifyTheWeb client for Windows.

It seems it can't find the certificate authority:

"Certes.AcmeException: Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'."

Is there a problem with the issuer?

Hi @marcwilson, and welcome to the LE community forum :slight_smile:

I've moved your post to its own topic, as your problem description doesn't match the topic you posted it in.

Doubtful.
They issue to millions of certs from it.

You need to check your system.
See if it can connect to any sites that use LE certs.
If not, then you should update the ca-certificates.

1 Like

You probably just need to upgrade Certify the Web to any half-recent version; I think what you're seeing is a known bug in early versions.

3 Likes

That could be it!
Their latest is: version 6.0.15.0

2 Likes

Thanks.

I've had certificates on marqueehireguide.com (and variants) since 2018.
I recently added certificates for test.marqueehireguide.com and demo.marqueehireguide.com on a different server.

All of which seemed to go well.

But the first auto-renewal since then on the original server seems to have failed, and I'm wondering if adding the new server has somehow confused the issue.

I'm not an expert at this, by any means.

The certificate on the live server says it expires in 66 days, so this isn't a panic situation, yet...

When I run a test from CertifyTheWeb, it's saying that it passes the verification, but it's failing to get a refresh.
But I'm failing to understand where it's going wrong.

All the sites are working, for now.

The tests are throwing up some issues..

It says Success
All tests completed OK

Application Pool: Configuration Override Enabled

Built-in Http Challenge Server process unavailable or could not start. Challenge responses will fall back to IIS.

CheckDNS: 'marqueehireguide.com' resolved to an IP Address 212.113.217.181.

CheckDNS: 'marqueehireguide.com' DNS error resolving DnsSecRecursiveDnsResolver - Could not resolve marqueehireguide.com.

CheckDNS: 'marqueehireguide.co.uk' resolved to an IP Address 212.113.217.181.

CheckDNS: 'marqueehireguide.co.uk' DNS error resolving DnsSecRecursiveDnsResolver - Could not resolve marqueehireguide.co.uk.

CheckDNS: 'www.marqueehireguide.co.uk' resolved to an IP Address 212.113.217.181.

CheckDNS: 'www.marqueehireguide.co.uk' DNS error resolving DnsSecRecursiveDnsResolver - Could not resolve www.marqueehireguide.co.uk.

CheckDNS: 'www.marqueehireguide.com' resolved to an IP Address 212.113.217.181.

CheckDNS: 'www.marqueehireguide.com' DNS error resolving DnsSecRecursiveDnsResolver - Could not resolve www.marqueehireguide.com.

Verified URL is accessible: http://www.marqueehireguide.com/.well-known/acme-challenge/configcheck

Verified URL is accessible: http://marqueehireguide.co.uk/.well-known/acme-challenge/configcheck

Verified URL is accessible: http://www.marqueehireguide.co.uk/.well-known/acme-challenge/configcheck

Verified URL is accessible: http://www.marqueehireguide.com/.well-known/acme-challenge/configcheck

Is something goosed in my DNS?

1 Like

I'll try that. The odd thing is that it's worked for ages.

That looks like a DNSSEC problem.
Who is your DSP?
Check your sites with: DNSViz | A DNS visualization tool

2 Likes

I'm not clued up on DNSSEC.

DNS is held by cloudheroes.

OK, I've gone in and added DNSSEC and it's cleared those errors.

I've used the DNSViz and it's complaining about various things, which I don't understand, but I'm not convinced they are relevant here.

DNSViz

I've tried renewing again and I'm getting an error complaining about rate limits.

2024-02-25 03:37:25.451 +00:00 [INF] [Progress] All Tests Completed OK
2024-02-25 03:45:00.557 +00:00 [INF] ---- Beginning Request [MarqueeHire] ----
2024-02-25 03:45:00.575 +00:00 [INF] Certify/6.0.15.0 (Windows; Microsoft Windows NT 6.1.7601 Service Pack 1)
2024-02-25 03:45:00.583 +00:00 [INF] Beginning certificate request process: MarqueeHire using ACME provider Anvil
2024-02-25 03:45:00.583 +00:00 [INF] The selected Certificate Authority is: Let's Encrypt
2024-02-25 03:45:00.584 +00:00 [INF] Requested identifiers to include on certificate: marqueehireguide.com [dns];marqueehireguide.co.uk [dns];www.marqueehireguide.co.uk [dns];www.marqueehireguide.com [dns]
2024-02-25 03:45:21.441 +00:00 [WRN] Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/new-order'. urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: marqueehireguide.co.uk,marqueehireguide.com,www.marqueehireguide.co.uk,www.marqueehireguide.com, retry after 2024-02-26T06:05:02Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
2024-02-25 03:45:21.441 +00:00 [WRN] Encountered a rate limit while communicating with the ACME API
2024-02-25 03:45:21.441 +00:00 [ERR] urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: marqueehireguide.co.uk,marqueehireguide.com,www.marqueehireguide.co.uk,www.marqueehireguide.com, retry after 2024-02-26T06:05:02Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
2024-02-25 03:45:21.441 +00:00 [INF] Performing Post-Request (Deployment) Tasks..
2024-02-25 03:45:21.452 +00:00 [INF] Task [[Post-Request Webhook]] :: Task will run for any status
2024-02-25 03:45:32.499 +00:00 [INF] Webhook invoked: Url: https://marqueehireguide.com/cert/status, Success: True, StatusCode: 200
2024-02-25 03:45:32.499 +00:00 [INF] Webhook invoked: Url: https://marqueehireguide.com/cert/status, Success: True, StatusCode: 200
2024-02-25 03:45:32.500 +00:00 [INF] [Post-Request Webhook] :: Task Completed OK
2024-02-25 04:00:02.642 +00:00 [INF] [Progress] All Tests Completed OK

Not quite done with that: The delegation from .com hasn't been made.
[that part requires matching entries at your domain registrar]

This is a bit serious:

Where are those certs?
[or, at least, the last one issued]

2 Likes

The "too many certificates" rate limit is most likely just from the previous error where the app was ordering the certs successfully then failing to build the pfx. This error will automatically clear itself within 7 days and the renewal will continue as normal.

The error "Built-in Http Challenge Server process unavailable or could not start. Challenge responses will fall back to IIS." is a bit unusual and I suggest a reboot if you keep seeing that.

2 Likes
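Added example, not part of any post in this thread and not Certify the Web's own code: a small Python parser that pulls the duplicate-certificate rate limit out of a log like the one posted above and reports the identifier set and the time after which a renewal attempt can succeed. The entry layout is assumed from the posted log, and the names `parse_rate_limits`, `ENTRY` and `RATE` are hypothetical.

```python
import re
from datetime import datetime

# Sample input: the WRN and ERR entries from the log posted in this thread.
SAMPLE_LOG = """\
2024-02-25 03:45:21.441 +00:00 [WRN] Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/new-order'. urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: marqueehireguide.co.uk,marqueehireguide.com,www.marqueehireguide.co.uk,www.marqueehireguide.com, retry after 2024-02-26T06:05:02Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
2024-02-25 03:45:21.441 +00:00 [ERR] urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: marqueehireguide.co.uk,marqueehireguide.com,www.marqueehireguide.co.uk,www.marqueehireguide.com, retry after 2024-02-26T06:05:02Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
"""

# Assumed entry layout (from the posted log): "<date> <time> <offset> [LVL] <message>"
ENTRY = re.compile(r"^(\S+ \S+ [+-]\d\d:\d\d) \[(\w+)\] (.*)$")
RATE = re.compile(
    r"acme:error:rateLimited\b.*?too many certificates \((\d+)\) already issued "
    r"for this exact set of domains in the last (\d+) hours: (.+?), "
    r"retry after (\S+?Z):"
)

def parse_rate_limits(log_text):
    """Return one record per distinct duplicate-certificate rate limit in the log."""
    seen, hits = set(), []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        rate = RATE.search(entry.group(3)) if entry else None
        if not rate:
            continue
        domains = sorted(rate.group(3).split(","))
        key = (tuple(domains), rate.group(4))
        if key in seen:  # the same problem is logged at both WRN and ERR level
            continue
        seen.add(key)
        logged = datetime.strptime(entry.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
        retry = datetime.strptime(rate.group(4), "%Y-%m-%dT%H:%M:%S%z")
        hits.append({
            "limit": int(rate.group(1)),         # certificates allowed per window
            "window_hours": int(rate.group(2)),  # length of the sliding window
            "domains": domains,                  # the exact identifier set
            "retry_after": retry,                # earliest time a new order can work
            "wait": retry - logged,              # time left when the error was logged
        })
    return hits

if __name__ == "__main__":
    for hit in parse_rate_limits(SAMPLE_LOG):
        print(f"{hit['limit']} certs / {hit['window_hours']} h already issued for "
              f"{', '.join(hit['domains'])}; retry after {hit['retry_after']} "
              f"(in {hit['wait']})")
```
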

LOL, Windows.. snickers

The default chain has changed recently, probably that's what triggered the problem in your older version of the client. Did you upgrade already?

2 Likes
