Problems with renew/create Certificate with IIS [after IP changed]

Hi there,

I'm using Let's Encrypt for many years on Linux and Windows. It's now for the first time I'm experiencing problems with the IIS 8.5 client. I have successfully created certificates with ACME, however now it's not renewing anymore. I deleted the certificate and tried to create a new certificate a lot of times in different ways. Because I use the certificate for VPN I can't publish the domain and its sub.

Before I posted this, I searched for a solution but no luck.

I'm using the newest version of acme: win-acme.v2.1.19.1142.x64.trimmed
I used https://letsdebug.net/ to test the connection, no problems detected.
I have created a certificate before without any problems, however the company IP has changed. The acme account details show its old IP. I have read on another forum that this should not be a problem.
I can access the domain (external IP) with http and https.
I'm not able to create the SSL with a file or self-hosting.
Everything looks OK but it looks like it can't reach the acme server; I opened ports 80 and 443.

Somehow I get the pending status every time, whatever I do. DNS looks fine too, no changes for years.
[EROR] [xxx.xxxxxx.com] Authorization result: pending

I might be missing something.. help would be appreciated, thanks in advance.

See output:

1 --verbose --baseuri https://acme-v02.api.letsencrypt.org/
 [VERB] Verbose mode logging enabled
 [VERB] ExePath: C:\Letsencrypt\win-acme.v2.1.19.1142.x64.trimmed\wacs.exe
 [VERB] ResourcePath: C:\Letsencrypt\win-acme.v2.1.19.1142.x64.trimmed\
 [VERB] PluginPath: C:\Letsencrypt\win-acme.v2.1.19.1142.x64.trimmed\
 [VERB] Looking for settings.json in C:\Letsencrypt\win-acme.v2.1.19.1142.x64.trimmed\
 [DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
 [DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
 [DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [DBUG] secrets.json not found
 [VERB] Arguments: --validationmode dns-01 --verbose --baseuri https://acme-v02.api.letsencrypt.org/
 [DBUG] Renewal period: 55 days
 [VERB] Sending e-mails False

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.19.1142 (release, trimmed, standalone, 64-bit)
 [INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Connection OK!
 [DBUG] IIS version 8.5
 [DBUG] Running with administrator credentials
 [INFO] Scheduled task looks healthy
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: n

 [INFO] Running in mode: Interactive, Simple
 [VERB] Adding 8.8.8.8 as DNS server
 [VERB] Adding 192.168.16.201 as DNS server
 [VERB] Adding 8.8.4.4 as DNS server
 [DBUG] Scanning IIS sites
 [DBUG] Scanning IIS site bindings for hosts

 Please select which website(s) should be scanned for host names. You may
 input one or more site identifiers (comma-separated) to filter by those
 sites, or alternatively leave the input empty to scan *all* websites.

 1: VPN (1 binding)

 Site identifier(s) or <Enter> to choose all: 1

 [VERB] 1 named bindings found in IIS
 [DBUG] Filtering by site(s) [1]
 [VERB] 1 bindings remaining after site filter
 [VERB] No host filter applied
 [VERB] 1 matching binding found

 1: xxx.xxxxxx.com (Site 1)

 Listed above are the bindings found on the selected site(s). By default all
 of them will be included, but you may either pick specific ones by typing the
 host names or identifiers (comma-separated) or filter them using one of the
 options from the menu.

 P: Pick bindings based on a search pattern
 A: Pick *all* bindings

 Binding identifiers(s) or menu option: a

 [VERB] 1 named bindings found in IIS
 [DBUG] Filtering by site(s) [1]
 [VERB] 1 bindings remaining after site filter
 [VERB] No host filter applied
 [VERB] 1 matching binding found
 [VERB] 1 named bindings found in IIS
 [DBUG] Filtering by site(s) [1]
 [VERB] 1 bindings remaining after site filter
 [VERB] No host filter applied
 [VERB] 1 matching binding found

 1: xxx.xxxxxx.com (Site 1)

 Continue with this selection? (y*/n) - yes

 [DBUG] Scanning IIS site bindings for hosts
 [VERB] 1 named bindings found in IIS
 [DBUG] Filtering by site(s) [1]
 [VERB] 1 bindings remaining after site filter
 [VERB] No host filter applied
 [VERB] 1 matching binding found
 [DBUG] Scanning IIS sites
 [INFO] Source generated using plugin IIS: xxx.xxxxxx.com
 [VERB] No value provided for --validationport
 [VERB] No value provided for --validationprotocol
 [VERB] Flag --ocsp-must-staple not present
 [VERB] Flag --reuse-privatekey not present
 [VERB] No value provided for --certificatestore
 [VERB] Flag --keepexisting not present
 [VERB] No value provided for --acl-fullcontrol
 [VERB] No value provided for --certificatestore
 [VERB] No value provided for --sslport
 [VERB] No value provided for --sslipaddress

 [DBUG] Scanning IIS site bindings for hosts
 [VERB] 1 named bindings found in IIS
 [DBUG] Filtering by site(s) [1]
 [VERB] 1 bindings remaining after site filter
 [VERB] No host filter applied
 [VERB] 1 matching binding found
 [DBUG] Scanning IIS sites
 [VERB] Targeted convert into 1 order(s)
 [VERB] Checking [IIS] VPN, (any host)
 [VERB] Handle order 1/1: Main
 [VERB] Creating order for hosts: ["DnsName: xxx.xxxxxx.com"]
 [VERB] Constructing ACME protocol client...
 [DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
 [DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
 [VERB] Using existing ACME account
 [VERB] ACME client initialized
 [DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] Request completed with status OK
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
 [VERB] Request completed with status Created
 [VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/62620461/34810339760 created
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/43445899420
 [VERB] Request completed with status OK
 [VERB] Handle authorization 1/1
 [INFO] [xxx.xxxxxx.com] Authorizing...
 [VERB] [xxx.xxxxxx.com] Initial authorization status: pending
 [VERB] [xxx.xxxxxx.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] [xxx.xxxxxx.com] Initial challenge status: pending
 [INFO] [xxx.xxxxxx.com] Authorizing using http-01 validation (SelfHosting)
 [VERB] Starting commit stage
 [VERB] Commit was succesful
 [DBUG] [xxx.xxxxxx.com] Submitting challenge answer
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (1/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (2/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (3/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (4/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (5/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (6/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (7/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (8/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (9/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (10/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (11/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (12/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (13/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (14/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [DBUG] Refreshing authorization (15/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/43445899420/JMmONA
 [VERB] Request completed with status OK
 [EROR] [xxx.xxxxxx.com] Authorization result: pending
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful

 Create certificate failed, retry? (y/n*)

The connection to your server via http timed out (Let's Encrypt could not connect to your server).

You need to ensure that external http (TCP port 80) requests to your domain are being forwarded internally to your server that's running the ACME tool. You may have had old firewall rules that did the forwarding for you. You also need to ensure that you are not using geographic IP filtering otherwise some Let's Encrypt validation requests will fail (they could come from any country).

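As an added triage helper (not code from the thread, from win-acme or from Let's Encrypt), the following Python parses win-acme verbose log lines like the ones posted above and maps the "pending after 15/15 refreshes" pattern to the check webprofusion describes: the CA never got a completed validation, so for http-01 the first thing to verify is inbound TCP 80 forwarding and firewall protocol rules. The hostname and log sample are constructed.

```python
import re

# Constructed sample of win-acme verbose output (hostname made up), mirroring the thread's log
SAMPLE_LOG = """\
 [INFO] [vpn.example.com] Authorizing...
 [VERB] [vpn.example.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [INFO] [vpn.example.com] Authorizing using http-01 validation (SelfHosting)
 [DBUG] [vpn.example.com] Submitting challenge answer
 [DBUG] Refreshing authorization (1/15)
 [DBUG] Refreshing authorization (15/15)
 [EROR] [vpn.example.com] Authorization result: pending
"""

AUTH_RE = re.compile(r"\[(?P<host>[^\]]+)\] Authorizing using (?P<ctype>[\w-]+) validation \((?P<plugin>\w+)\)")
REFRESH_RE = re.compile(r"Refreshing authorization \((?P<n>\d+)/(?P<max>\d+)\)")
RESULT_RE = re.compile(r"\[(?P<host>[^\]]+)\] Authorization result: (?P<status>\w+)")

# What to check when the CA never returns a verdict, per challenge type
HINTS = {
    "http-01": "CA got no answer on TCP 80: check port forwarding, firewall protocol rules, geo-IP filtering",
    "dns-01": "CA never saw the TXT record: check publication of _acme-challenge and DNS propagation",
    "tls-alpn-01": "CA got no TLS handshake on TCP 443: check port forwarding and TLS termination",
}

def triage(log_text):
    """Summarise the ACME authorization outcome in win-acme verbose output; None if no result line."""
    info = {"host": None, "challenge": None, "plugin": None, "refreshes": 0, "max_refreshes": 0}
    status = None
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            info.update(host=m["host"], challenge=m["ctype"], plugin=m["plugin"])
        elif m := REFRESH_RE.search(line):
            info["refreshes"] = int(m["n"])
            info["max_refreshes"] = int(m["max"])
        elif m := RESULT_RE.search(line):
            status = m["status"]
    if status is None:
        return None
    info["status"] = status
    if status == "valid":
        info["hint"] = "authorization succeeded"
    elif status == "pending":
        # The client exhausted its polling budget and the CA still reported no verdict:
        # the validation request never completed from the CA's side (the thread's case).
        info["hint"] = HINTS.get(info["challenge"], "unknown challenge type")
    else:
        info["hint"] = "CA rejected the challenge answer: read the error detail in the log"
    return info

print(triage(SAMPLE_LOG))
```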

Hi webprofusion, thank you for your time! I have managed to get the SSL working again!

What I did:
I had to change my (Kerio Control) firewall service settings to http. Port 80 was open but just the port, not the protocol. It's weird, last renew I used the old settings with port 443 and I didn't touch anything after it.

After the successful creation of the SSL our VPN was not working; I had to reboot the whole Windows Server to make RRAS work again, just RRAS was not enough. Let's hope the renew in 55 days will work automatically.


Thanks, I've seen similar discussions for RRAS before; there seem to be various lower-level service interdependencies and I'm not sure they're well understood. See this related discussion for Certify The Web scripting: Windows Server Essentials 2016 Access Anywhere Certificate renewal script · Issue #519 · webprofusion/certify · GitHub

One option is to renew the certificate (the PFX and the certificate in the local machine store), but only actually apply it during a regular maintenance window (it could be every couple of months), when you get to restart the server. Obviously you will be doing regular windows updates anyway.


I think it will be fine, after 55 days it's supposed to be renewed automatically so I have more than a month left for a reboot when I do the updates. I think Windows stored the certificate deep in its registry/memory so it's using the old one until I reboot, I think. If not I will change it to the option you advised. Thanks again.
