Renewal stuck on connecting to acme-v02.api.letsencrypt.org

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tngsfc.org, www.tngsfc.org, tngsfc.com, www.tngsfc.com

I ran this command:C:\win-acme.v2.1.22.1267.x64.trimmed\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

So when the auto renewal scheduled task runs, the above output is all I see, it never progresses beyond trying to connect. I checked on Let's Debug, and the site passed an http-01 test. It worked flawlessly when initially setting up the certificate. This is the first time it's tried to renew.

It produced this output: A simple Windows ACMEv2 client (WACS)
Software version 2.1.22.1267 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...

My web server is (include version):IIS 10.0.17763.1

The operating system my web server runs on is (include version): Windows Server 2019 Standard

My hosting provider, if applicable, is:Server instance running on Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don't know):Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):2.1.22.1267

Hi @funkmotor, and welcome to the LE community forum :slight_smile:

I'd check the system for:

  • dns
  • outbound HTTPS connections
2 Likes

I can ping acme-v02.api.letsencrypt.org with no problem, so DNS seems to be working. I have an outbound rule in the AWS firewall to allow HTTPS (port 443), and I have turned off Windows Defender firewall entirely. When I run the renew command from a command prompt, it just sits on "Connecting to "https://acme-v02.api.letsencrypt.org/"..." until I close the window.

I'm not familiar with WACS, so I won't be much help there.
Is that their latest version?
Do they have an active support channel?
Are you willing to try some other Windows ACME client?

3 Likes

OK, first off I want to say thank you, rg305, for your incredibly prompt response, and your attempt to help.

I have figured out the issue and the renewal just ran with no errors. The short version of the fix is: I'm dumb. The long version of the fix is: I rebooted the server and ran the update command. I mean, I did the number one, most basic thing one should do, but I did it last instead of first. Sometimes I wonder how I've kept my job for so long....

Anyway, thanks again for your help. I really appreciate it.

6 Likes

I would be more worried if you did that (reboot and fixed it) and still kept trying even more stuff - LOL
The thing that works it always last :slight_smile:

4 Likes

Slightly off-topic but I actually found out the other day that the win-acme brand+repo is officially owned by ZeroSSL via Stack Holdings Gmbh (they just don't contribute any code to it, that's done by an enthusiastic volunteer), so if you do need win-acme support you should be able to ask ZeroSSL support, especially if a paying customer.

You can get (volunteer) support here: Discussions · win-acme/win-acme · GitHub

Regarding your original problem windows firewall can be a bit sticky and sometimes changing the rules (e.g. allowing outbound https) doesn't really take effect until you reboot.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.