SANs autodiscover and owa fail

Cert for mail.mitchellfirerescue.org installed OK. In fact I may have messed up when I first installed a cert using the new cert command for simple IIS. I later tried using manual to install additional SANs but not getting the error. Can I remove/revoke the certs from Let's Encrypt and start over? Or fix the existing failure?

My domain is: MitchellFireRescue.org

I ran this command: M to add 2 SANs (autodiscover and owa) to mail.mitchellfirerescue.org

It produced this output:
N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (2 total)
O: More options…
Q: Quit

Please choose from the menu: mail.mitchellfirerescue.org,autodiscover.mitchellfirerescue.org,owa.mitchellfirerescue.org

Please choose from the menu: m

Running in mode: Interactive, Advanced

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Enter comma-separated list of host names, starting with the common name: mail.mitchellfirerescue.org,autodiscover.mitchellfirerescue.org,owa.mitchellfirerescue.org

Target generated using plugin Manual: mail.mitchellfirerescue.org and 2 alternatives

Suggested friendly name ‘[Manual] mail.mitchellfirerescue.org’, press to accept or type an alternative:

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup and for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s) in the certificate?: 2

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key

What kind of private key should be used for the certificate?: 2

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: Windows Certificate Store
4: No (additional) store steps
C: Abort

How would you like to store the certificate?: 3

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: No (additional) store steps
C: Abort

Would you like to store it in another way too?: 3

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?: 1

1: Default Web Site
2: Exchange Back End

Choose site to create new bindings: 1

1: Create or update ftps bindings in IIS
2: Start external script or program
3: No (additional) installation steps

Add another installation step?: 3

Cached authorization result: valid
Authorize identifier: owa.mitchellfirerescue.org
Authorizing owa.mitchellfirerescue.org using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://owa.mitchellfirerescue.org/.well-known/acme-challenge/fXSnkRltRhP2HbFmh_RxxUM1085xkZtbp5bMvmT5e-c: Connection refused",
"status": 400
}
Authorization result: invalid

Create certificate failed, retry? (y/n*) - yes

Authorize identifier: autodiscover.mitchellfirerescue.org
Authorizing autodiscover.mitchellfirerescue.org using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://autodiscover.mitchellfirerescue.org/.well-known/acme-challenge/Zz9FN55zaUJoShNk8QTrMY9yxTOxssWIp69c48rxZqo: Connection refused",
"status": 400
}
Authorization result: invalid

Create certificate failed, retry? (y/n*)

My web server is (include version): Windows IIS 10

The operating system my web server runs on is (include version): Server 2016

My hosting provider, if applicable, is: Godaddy for just DNS records

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Although you did provide a lot of text, I fail to find the PROGRAM you are using.
[maybe it got lost in all that text]

Based on the prompts shown, it is NOT certbot.
Have you also tried the program provider web site for help?

Can you place a test text file in the expected challenge folder and reach it from the Internet via HTTP?

1 Like

Hi @busmechanic

read your output.

That url doesn't work. https answers.

But you need a working http port to validate your domain.

So create one.

Same with your other non-working subdomain. https works, http doesn't answer.

2 Likes
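The check suggested in the two replies above (reach a test file under the challenge path over plain HTTP, and confirm port 80 actually answers), as an added example that is not part of this thread: a small Python pre-flight that fetches a challenge token the way the ACME server does and classifies the answer as served, missing, or refused. The local responder, the token and the key-authorization body are constructed stand-ins for win-acme's SelfHosting mode so it runs offline; against real names, run `check_http01(name, token)` from outside the network.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def check_http01(host, token, port=80, timeout=5):
    """Fetch the challenge URL over plain HTTP like the ACME server does
    (redirects are followed) and classify what `port` on `host` answers."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(512).decode("ascii", "replace")
            return "ok" if body.startswith(token) else "wrong-body"
    except urllib.error.HTTPError as err:   # listener present, file not served
        return f"http-{err.code}"
    except urllib.error.URLError as err:    # TCP-level failure (closed port etc.)
        if isinstance(err.reason, ConnectionRefusedError):
            return "connection-refused"      # the error seen in the win-acme log
        return "timeout" if isinstance(err.reason, socket.timeout) else "unreachable"
    except socket.timeout:
        return "timeout"

class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    tokens = {}  # constructed stand-in for win-acme SelfHosting: token -> key authorization

    def do_GET(self):
        tok = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        if tok not in self.tokens:
            return self.send_error(404)
        data = self.tokens[tok].encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_): pass  # keep the demo quiet

def serve_challenges(tokens):
    # Serve `tokens` on a local ephemeral port; returns (server, port).
    _ChallengeHandler.tokens = tokens
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def closed_port():
    # A local port with no listener, to reproduce "Connection refused".
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A result of "connection-refused" for a name means nothing is listening on port 80 for it (firewall, NAT rule or missing http binding), so http-01 cannot succeed no matter which validation plugin is chosen.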

That installed the 2 SANs and all is working. Question: Does the new cert show up in Exchange admin center under Certificates or just in IIS? Not seeing it in EAC?

1 Like
