Problems renewing the certificate

Here are the logs of the certificate renewal attempt for the domain agents.italpannelli.it

C:\win-acme>wacs.exe --renew --force --verbose
[VERB] Verbose mode logging enabled
[VERB] ExePath: C:\win-acme\wacs.exe
[VERB] ResourcePath: C:\win-acme
[VERB] PluginPath: C:\win-acme
[VERB] Looking for settings.json in C:\win-acme
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[DBUG] secrets.json not found
[VERB] Arguments: --renew --force --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.18.1119 (release, pluggable, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[DBUG] IIS version 10.0
[DBUG] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
[VERB] Checking renewals

[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[VERB] Targeted convert into 1 order(s)
[INFO] Force renewing certificate for [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["DnsName: prod.domain.com"]
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/128930115/26887664700 created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/33955159130
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [prod.domain.com] Authorizing...
[VERB] [prod.domain.com] Initial authorization status: pending
[VERB] [prod.domain.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [prod.domain.com] Initial challenge status: pending
[INFO] [prod.domain.com] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [prod.domain.com] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/33955159130/lVhrBg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/33955159130/lVhrBg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/33955159130/lVhrBg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/33955159130/lVhrBg
[VERB] Request completed with status OK
[EROR] [prod.domain.com] Authorization result: invalid
[EROR] [prod.domain.com] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://prod.domain.com/.well-known/acme-challenge/YyEqLTY678IbIe5sLHSn1pg2nM_KJwBRtwxDXwk4daQ: Timeout during connect (likely firewall problem)",
"status": 400
}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[EROR] Renewal for [IIS] Default Web Site, (any host) failed, will retry on next run
[VERB] Exiting with status code -1

The URL

http://agents.italpannelli.it/.well-known/acme-challenge/YyEqLTY678IbIe5sLHSn1pg2nM_KJwBRtwxDXwk4daQ

can be reached from the internet. I tried creating a file in the folder "/.well-known/acme-challenge" without an extension, such as "YyEqLTY678IbIe5sLHSn1pg2nM_KJwBRtwxDXwk4daQ", with sample text inside, and publicly I reach it and see the text in the browser.
Unfortunately I continue to have errors in the certificate renewal; I have neither DNS records nor a network configuration for IPv6.

The web server is an IIS on Windows server 2019.

On the firewall I have no blocks of any kind (for example geo-IP, etc.).

I thank you for the time you dedicate to me.
Hello


@Pistacchio00 Welcome to the community.

Thanks for the very detailed report. I am a little confused why the log file shows prod.domain.com, but the domain at the top and your sample URL for /.well-known/acme-challenge/... were for agents.italpannelli.it.

Looking just at that url, I got:

curl -I http://agents.italpannelli.it
curl: (6) Could not resolve host: agents.italpannelli.it

I did not see any DNS for that name either.


Sorry, I had altered the log. Below is the correct log:
wacs.exe --renew --force --verbose
[VERB] Verbose mode logging enabled
[VERB] ExePath: c:\win-acme\wacs.exe
[VERB] ResourcePath: c:\win-acme
[VERB] PluginPath: c:\win-acme
[VERB] Looking for settings.json in c:\win-acme
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[DBUG] secrets.json not found
[VERB] Arguments: --renew --force --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.18.1119 (release, pluggable, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[DBUG] IIS version 10.0
[DBUG] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
[VERB] Checking renewals

[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[VERB] Targeted convert into 1 order(s)
[INFO] Force renewing certificate for [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["DnsName: agenti.italpannelli.it"]
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/128930115/27630889230 created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/34856458480
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [agenti.italpannelli.it] Authorizing...
[VERB] [agenti.italpannelli.it] Initial authorization status: pending
[VERB] [agenti.italpannelli.it] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [agenti.italpannelli.it] Initial challenge status: pending
[INFO] [agenti.italpannelli.it] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [agenti.italpannelli.it] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/34856458480/DjWxbg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/34856458480/DjWxbg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/34856458480/DjWxbg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/34856458480/DjWxbg
[VERB] Request completed with status OK
[EROR] [agenti.italpannelli.it] Authorization result: invalid
[EROR] [agenti.italpannelli.it] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://agenti.italpannelli.it/.well-known/acme-challenge/CVwbeLJwR9AOhwx-ajUHhjDrtVSmTWlPdE__fxH8St8: Timeout during connect (likely firewall problem)",
"status": 400
}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[EROR] Renewal for [IIS] Default Web Site, (any host) failed, will retry on next run
[VERB] Exiting with status code -1


OK. I see you are now using domain: agenti.italpannelli.it

Using Let's Debug also gives a timeout like you saw:

This needs to be resolved before you can receive a cert using the http challenge.

I see the DNS points to IP: 46.37.225.37

Are you sure this is the IP of the server? You can check with
curl -4 ifconfig.co
That IP has a name ending with wifi.iptelecom.it.

Also, as the error message suggests, look (again) at any router and/or firewall(s) to ensure they are handling the incoming requests correctly.

If you need more help, please explain the kind of equipment you connect to the internet with and perhaps someone will be able to help.

Update: Added -4 to curl example
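The checks suggested in this reply (public DNS record versus the server's real egress address, and an HTTP fetch of the challenge path that must not time out or be redirected) can be run in one go from the IIS host. The script below is an added example for this thread, not win-acme's or the poster's own code. It assumes an elevated PowerShell on the Windows Server 2019 machine with IIS installed, that the hostname is the one in the failing order, that https://ifconfig.co/ip echoes the caller's public IPv4 as plain text (the same service the reply uses with curl), and that the IIS site is still "Default Web Site"; the token file name is an arbitrary test value like the one the poster created by hand.

```powershell
# Added http-01 reachability diagnostic (example code, not part of win-acme).
# Assumptions: run elevated on the IIS host; $HostName is the name in the ACME order;
# https://ifconfig.co/ip returns the caller's public IPv4 as plain text.
param(
    [string]$HostName = 'agenti.italpannelli.it',
    [string]$Token    = 'wacs-reachability-test'   # arbitrary test file name (assumption)
)

# 1. Ask a resolver outside the LAN what the public DNS says, so a split-horizon
#    or hosts-file entry on the server cannot mask a wrong record. An AAAA record
#    matters: the CA will attempt IPv6 when one exists.
$a    = Resolve-DnsName -Name $HostName -Type A    -Server 1.1.1.1 -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A'
$aaaa = Resolve-DnsName -Name $HostName -Type AAAA -Server 1.1.1.1 -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'AAAA'
"A    : $($a.IPAddress -join ', ')"
"AAAA : $($aaaa.IPAddress -join ', ')"

# 2. Which public IPv4 does this server actually leave the network from?
#    If the A record points somewhere else, or port 80 is forwarded to a different
#    internal host than 443, the CA's probe never reaches this machine.
$publicIp = (Invoke-RestMethod -Uri 'https://ifconfig.co/ip' -TimeoutSec 10).Trim()
"Egress IPv4: $publicIp"
if (-not $a -or ($a.IPAddress -notcontains $publicIp)) {
    Write-Warning "DNS A record does not match this server's egress address $publicIp."
}

# 3. Is anything on this host listening on TCP/80? (IIS and/or win-acme's SelfHosting listener.)
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, OwningProcess

# 4. Drop a test token in the site's challenge folder and fetch it by public name over
#    plain HTTP, refusing redirects: a 301 to HTTPS, or a timeout, is exactly what the
#    CA would see.
$siteRoot = (Get-Website -Name 'Default Web Site').PhysicalPath -replace '%SystemDrive%', $env:SystemDrive
$dir = Join-Path $siteRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir $Token) -Value 'reachability-ok' -NoNewline

try {
    $r = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/$Token" `
                           -MaximumRedirection 0 -TimeoutSec 15 -UseBasicParsing
    "HTTP $($r.StatusCode): $($r.Content)"
} catch {
    Write-Warning "Fetch of the challenge URL failed: $($_.Exception.Message)"
} finally {
    Remove-Item -Path (Join-Path $dir $Token) -ErrorAction SilentlyContinue
}
```

Step 4 is only conclusive when the request really traverses the router from outside: run from the server itself it may succeed through hairpin NAT or a local hosts entry while the CA still times out, which is why the reply points at Let's Debug. Run the same fetch from a machine on another network (a phone on mobile data, or `curl -4 -v --max-redirs 0` from a VPS) before concluding that port 80 is open.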


Sorry for the time I made you waste; actually there was a different addressing for the HTTP protocol only.

thanks for your patience
