Renewal is failing status 400

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command:C:\win-acme>wacs.exe --renew --baseuri ""

It produced this output: A simple Windows ACMEv2 client (WACS)
Software version (release, pluggable, standalone, 64-bit)
Connecting to
Scheduled task execution time limit mismatch
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

Renewing certificate for [IIS] Default Web Site, (any host)
[] Authorizing...
[] Authorizing using http-01 validation (SelfHosting)
[] Authorization result: invalid
[] {
"type": "urn:ietf:params:acme:error:connection",
"detail": " Fetching
cme-challenge/qqZTePtG2Y_vHyevJRXZIxoC4Sr8sh0JPdlge1bMlMk: Connection reset by p
"status": 400
Renewal for [IIS] Default Web Site, (any host) failed, will retry on next run

My web server is (include version):IIS 8

The operating system my web server runs on is (include version):Windows Server 2012

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): A simple Windows ACMEv2 client (WACS)
Software version (release, pluggable, standalone, 64-bit)
Connecting to

1 Like

Resolved, even though port 80 was allowed via our PaloAlto firewall and this had always worked before, a new application definition must have explicitly identified the traffic as acme-protocol and not just web browsing which was allowed, so it dropped the traffic. After allowing acme-protocol the authentication worked as expected.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.