Renewal is failing status 400

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portal.norfolkiron.com

I ran this command: C:\win-acme>wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output:
A simple Windows ACMEv2 client (WACS)
Software version 2.1.18.1119 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Scheduled task execution time limit mismatch
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

Renewing certificate for [IIS] Default Web Site, (any host)
[portal.norfolkiron.com] Authorizing...
[portal.norfolkiron.com] Authorizing using http-01 validation (SelfHosting)
[portal.norfolkiron.com] Authorization result: invalid
[portal.norfolkiron.com] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "173.224.26.71: Fetching http://portal.norfolkiron.com/.well-known/acme-challenge/qqZTePtG2Y_vHyevJRXZIxoC4Sr8sh0JPdlge1bMlMk: Connection reset by peer",
"status": 400
}
Renewal for [IIS] Default Web Site, (any host) failed, will retry on next run

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): A simple Windows ACMEv2 client (WACS)
Software version 2.1.18.1119 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...


Resolved. Even though port 80 was allowed via our Palo Alto firewall and this had always worked before, a new application definition must have explicitly identified the traffic as acme-protocol and not just web browsing (which was allowed), so it dropped the traffic. After allowing acme-protocol the authentication worked as expected.

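The "Connection reset by peer" in the CA's error is the detail the reply above acted on: the TCP session reached something in the path and was actively dropped, which is a different symptom from a 404 (challenge not served) or a timeout (port filtered). As an added example, not code from this thread or from win-acme, here is a Python probe that fetches the challenge path the way the CA does and classifies the outcome; the token, thumbprint and loopback web server are constructed placeholders.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

TOKEN = "EXAMPLE_TOKEN_PLACEHOLDER"  # constructed placeholder, not the poster's real token

def challenge_url(domain: str, token: str) -> str:
    """Build the http-01 URL the CA fetches (the path shown in the error)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def classify(exc: Exception) -> str:
    """Map a fetch failure to its likely cause, as seen from the operator's side."""
    if isinstance(exc, urllib.error.HTTPError):
        return f"http {exc.code}: host reachable, challenge not served at that path"
    cause = exc.reason if isinstance(exc, urllib.error.URLError) else exc  # unwrap socket errors
    if isinstance(cause, ConnectionResetError):
        return "reset: TCP reached a device that dropped the session (firewall / app-id rule)"
    if isinstance(cause, (socket.timeout, TimeoutError)):
        return "timeout: port 80 filtered or unreachable from the internet"
    return f"other: {cause!r}"

def probe(url: str, token: str, timeout: float = 5.0) -> str:
    """Fetch the challenge URL as the CA would; a valid key authorization starts with the token."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except Exception as exc:  # classify every failure instead of crashing
        return classify(exc)
    return "ok" if body.startswith(token) else "served, but body is not the key authorization"

class _Handler(http.server.BaseHTTPRequestHandler):  # loopback stand-in for IIS, demo only
    def do_GET(self):
        if self.path != f"/.well-known/acme-challenge/{TOKEN}":
            return self.send_error(404)
        body = f"{TOKEN}.THUMBPRINT_PLACEHOLDER".encode()  # token.thumbprint key authorization
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def demo() -> str:
    """Serve the token on a loopback port, probe it the way the CA would, return the verdict."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(challenge_url(f"127.0.0.1:{srv.server_address[1]}", TOKEN), TOKEN)
    finally:
        srv.shutdown()
```

Run `probe(challenge_url(domain, token), token)` from a host outside your own network while the client is serving the challenge; a reset where a 404 or "ok" was expected points at an in-path device such as the firewall rule described above, whereas a 404 means the request reached the web server but the client is not answering on that path.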