Renew ends in error and pending, unsure why

My domain is: fp.transmar.fi

I ran this command / It produced this output:

C:\Program Files (x86)\LetsEncryptWACS2>wacs.exe --renew --verbose --baseuri "https://acme-v02.api.letsencrypt.org/"
[VERB] Verbose mode logging enabled
[VERB] Looking for settings.json in C:\Program Files (x86)\LetsEncryptWACS2
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.2.641 (RELEASE, PLUGGABLE)
[INFO] IIS version 10.0
[INFO] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Test for international support: 語言 язык لغة
[VERB] Verbose mode logging enabled
[VERB] Arguments: --renew --verbose --baseuri https://acme-v02.api.letsencrypt.org/
[DBUG] Renewal period: 55 days
[VERB] Checking renewals
[VERB] Sending e-mails False
[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[DBUG] Filtering by host: ^(fp.transmar.fi)$
[VERB] 1 bindings remaining after host filter
[VERB] 1 matching bindings found
[VERB] Checking [IIS] site 1 fp.transmar.fi
[INFO] Renewing certificate for [IIS] site 1 fp.transmar.fi
[VERB] Loading ACME account signer...
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/85870921400
[VERB] Request completed with status OK
[INFO] Authorize identifier: fp.transmar.fi
[INFO] Authorizing fp.transmar.fi using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/85870921400/D_wFjg
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/tKpudGpcxiM2J68Fot97K21iQLQn5Sn3q2PKZEu6Pms
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/tKpudGpcxiM2J68Fot97K21iQLQn5Sn3q2PKZEu6Pms
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/tKpudGpcxiM2J68Fot97K21iQLQn5Sn3q2PKZEu6Pms
[DBUG] Refreshing authorization (1/4)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/85870921400/D_wFjg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/4)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/85870921400/D_wFjg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/4)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/85870921400/D_wFjg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (4/4)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/85870921400/D_wFjg
[VERB] Request completed with status OK
[EROR] Authorization result: pending
[EROR] Renewal for [IIS] site 1 fp.transmar.fi failed, will retry on next run
[VERB] Exiting with status code 0

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016 (self hosted)

This is an installation that has updated nicely with a scheduled task for quite a while with only the occasional hiccup, but now I only get the pending result above. The situation isn't dire, as the cert expires on the 17th, but it's getting to the point I'd like to get it sorted.

The error at the end about pending tells me pretty much nothing, and crt.sh just shows the existing cert being issued in December.

As far as I know nothing has changed on the machine beyond security patching and the like in some months.

Did you change your firewall or anything related to it?

Your log is pretty terse. But using the SelfHosting plugin instead of listening with IIS on port 80 and redirecting to https is not advisable.

Here your acme client lists some debugging steps and usual problems that you should check.

2 Likes

No changes to the firewall, and you can access the site externally on port 80.

Note that it’s recommended to use the default SelfHosting validation plugin in combination with IIS. The FileSystem validation is great for other web servers such as Apache, but using it in combination with IIS leads to many potential issues, described in the following sections.

I just see a lot of OK and everything looks great until it gets to pending, and doesn't renew. I too agree that is a pretty terse log but that's how it looks with --verbose.

I assumed I couldn't because this takes fifteen seconds.

Are there other issues on your server? Or maybe with your network, your ISP network?

% time curl -IL fp.transmar.fi
HTTP/1.1 200 OK
Content-Length: 703
Content-Type: text/html
Last-Modified: Mon, 28 May 2018 13:38:29 GMT
Accept-Ranges: bytes
ETag: "cf25e92989f6d31:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Wed, 09 Mar 2022 12:54:41 GMT

curl -IL fp.transmar.fi  0.01s user 0.00s system 0% cpu 15.158 total
1 Like

Mxtoolbox doesn't have issues though.

Connecting to http://fp.transmar.fi
Response time '0.3169731'
LookupServer 318ms

(I really need to sort out a redirect from the IIS start page there but right now it's as plain as can be.)

It's probably some routing issue from either my side or your side.

But this should not block your renewals for 28 days.

Yes, it looks like your client does not tolerate slow connections to the internet very well and at least one validator bot had the same problem as me. Your authorization is valid now and should stay valid for the next 30 days, if you don't change your account key: https://acme-v02.api.letsencrypt.org/acme/chall-v3/85870921400/D_wFjg

validated "2022-03-09T11:37:11Z"

You can run your command again.

2 Likes

Awesome. Ran the command again and it renewed. I need to check over everything on my end then, it shouldn't be 15 seconds or more to connect. Whether or not it's here or somewhere on the way is the question. Either way, error cleared and cert is renewed.

You should change these two settings to give it more time: win-acme

I'd leave RetryCount at 15 (yours looks like it's 4), but you should set RetryInterval to a lot more than 5, like 15 or 20.

It stopped checking after 4*5 = 20 seconds, and that may not have been enough. 15*15 is 225 seconds, nearly 4 minutes. It should be fine.

RetryCount

Default: 15

Maximum numbers of times to refresh validation and order status, while waiting for the ACME server to complete its tasks.

RetryInterval

Default: 5

Amount of time in seconds to wait for each retry.

2 Likes
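An added illustration of the refresh loop the reply above describes (this is example code written for this thread, not win-acme's own implementation): the client answers the challenge, then refreshes the authorization RetryCount times, RetryInterval seconds apart, and treats a still-pending status as a failed renewal. The fake ACME server, the simulated clock and the 22-second validation delay are constructed assumptions; they show why a 4 x 5 s budget ends in "pending" while 15 x 15 s succeeds, and why the authorization is already valid when the command is simply run again.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FakeAcmeServer:
    """Constructed stand-in for the CA: validation completes a fixed number of
    simulated seconds after the challenge answer is submitted."""
    validation_seconds: float
    now: float = 0.0                      # simulated clock, no real sleeping
    answered_at: Optional[float] = None

    def answer_challenge(self) -> None:
        self.answered_at = self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def authz_status(self) -> str:
        if self.answered_at is None:
            return "pending"
        done = self.now - self.answered_at >= self.validation_seconds
        return "valid" if done else "pending"


@dataclass
class PollResult:
    status: str        # final authorization status seen by the client
    refreshes: int     # how many "Refreshing authorization (n/N)" steps ran
    elapsed: float     # simulated seconds spent waiting


def poll_budget(retry_count: int, retry_interval: int) -> int:
    """Total seconds the client is willing to wait (the 4*5 = 20 s in the thread)."""
    return retry_count * retry_interval


def poll_authorization(server: FakeAcmeServer, retry_count: int,
                       retry_interval: int) -> PollResult:
    """Model of the client loop: submit, then wait and refresh up to RetryCount
    times; give up with the last status seen (assumed behaviour, not win-acme code)."""
    server.answer_challenge()
    for attempt in range(1, retry_count + 1):
        server.advance(retry_interval)    # RetryInterval seconds between refreshes
        status = server.authz_status()
        if status != "pending":
            return PollResult(status, attempt, server.now)
    return PollResult("pending", retry_count, server.now)
```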

Yeah, while testing I realized you are on an island in the middle of the Baltic. You shouldn't have this issue, but there's a good chance it's not your fault.

2 Likes

True, but we have pretty solid pipes going in both directions, this site is behind a gigabit link and I can reliably get a gigabit speed test to the surrounding nations so it shouldn't be a systematic error. I'll add the increased timeouts, thanks again.

1 Like

Good, it's more than most of Europe gets :smiley:

I could only get gigabit links very recently.

1 Like
