Hi.
Forgive my simple question. I am unable to renew my licence. I get the error shown below.
Thank you very much for your help
My domain is: sagcm.crsoncloud.it
I ran this command: certbot -v certonly --force-renew -d sagcm.crsoncloud.it
It produced this output:
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for sagcm.crsoncloud.it
Performing the following challenges:
http-01 challenge for sagcm.crsoncloud.it
Input the webroot for sagcm.crsoncloud.it: (Enter 'c' to cancel): C:\inetpub\wwwroot\ServiceAGCM
Creating a web.config file in C:\inetpub\wwwroot\ServiceAGCM.well-known\acme-challenge to allow IIS to serve challenge files.
Waiting for verification...
Challenge failed for domain sagcm.crsoncloud.it
http-01 challenge for sagcm.crsoncloud.it
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: sagcm.crsoncloud.it
Type: unauthorized
Detail: 185.221.175.251: Invalid response from http://sagcm.crsoncloud.it/.well-known/acme-challenge/VQWfXqN5sS__8AlM354sDRMw0YRDCZS21drnHBnij8Y: 403
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Cleaning up challenges
Cleaning web.config file generated by Certbot in C:\inetpub\wwwroot\ServiceAGCM\.well-known\acme-challenge.
Some challenges have failed.
My web server is (include version): IIS (Windows Server 2022 - ver 21H2)
The operating system my web server runs on is (include version): windows
My hosting provider, if applicable, is: register.it
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0
I would advise you to switch to a different ACME client. See the link above where some suggestions are made or e.g. ACME Client Implementations - Let's Encrypt for some options.
Also: don't use any "force" option if you don't know what it does: it does NOT magically make a failing challenge suddenly succeed.
Sorry, but they don't know these things well.
Using ‘certify certificate manager’ I created a new certificate.
Everything is OK, although I don't really understand it.
The above implies a missing path separator before \.well-known, but certbot also doesn't know how to configure IIS to serve extensionless files or to disable existing content handlers (such as a content management system etc).
The reason it works with Certify Certificate Manager (which I develop) is because it runs its own temporary http challenge listener for /.well-known/acme-challenge requests in the HTTP pipeline (via http.sys) in front of IIS. If that challenge listener cannot run for some reason it can fall back to using IIS (including detecting the correct website root path automatically and auto configuring the challenge file handling).
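A pre-flight check for the webroot method discussed in this thread, as an added example that is not part of any post here and is not code from Certbot or Certify Certificate Manager. It writes an extensionless probe file where an http-01 challenge file would go and fetches it the way the CA would, so a 403 like the one above shows up before any renewal attempt; the names `preflight` and `http_get` are hypothetical.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_URL_PATH = "/.well-known/acme-challenge/"


def http_get(url, timeout=10):
    """Return (status, body) for url; status is None if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:   # 403, 404, ... is still a response
        return exc.code, ""
    except OSError:                         # DNS failure, refused, timeout
        return None, ""


def preflight(webroot, base_url, fetch=http_get):
    """Drop an extensionless probe under webroot, fetch it, return (ok, detail)."""
    # Join each path component explicitly so a separator can never be lost.
    target_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(target_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)   # constructed name with no file extension
    body = secrets.token_urlsafe(32)    # constructed content to compare against
    path = os.path.join(target_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    try:
        status, served = fetch(base_url.rstrip("/") + CHALLENGE_URL_PATH + token)
    finally:
        os.remove(path)                 # never leave the probe behind
    if status is None:
        return False, "no HTTP response (DNS, firewall or port 80 closed)"
    if status != 200:
        return False, f"HTTP {status}: the web server did not serve the probe"
    if served.strip() != body:
        return False, "HTTP 200 but wrong body: another site or handler answered"
    return True, "probe served from this webroot"


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python preflight.py <webroot> <http://your-host>
    print(preflight(sys.argv[1], sys.argv[2]))
```

An "HTTP 403" or "HTTP 404" result points at the web server configuration (extensionless file handling, a content handler in front of the path, or the wrong site root) rather than at the ACME client.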