Secondary validation timeout

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: wacs.exe --source manual --host --store pemfiles --pemfilespath "C:\temp" --verbose --validation filesystem --validationsiteid 2 --webroot C:\inetpub\ --manualtargetisiis

It produced this output:During secondary validation: Fetching Timeout during connect (likely firewall problem)

My web server is (include version):iis

The operating system my web server runs on is (include version):win server 2022

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):win-acme v2.2.8.1635

i have tried to stop the script while it's trying to have letsencrypt server access the url so that it wouldnt clean up the files and the path it was trying would still be valid. When i do that, i can access the url from outside my network correctly using a browser. I don't know why the path would work for me (from outside of my network) but not for letsencrypt servers.


that's because the web.config and test file have been cleaned up and deleted by win-acme in subsequent test runs.
you can try this link it should work. during win-acme validation step, i would be able to access the challenge url similar to the one below from outside my network. however win-acme would still report secondary validation fail in accessing said link and then it cleans up afterwards and remove the test file and web.config file afterwards.

No. The error was a communications timeout. Not a "Not Found" response from a web server.

Do you have any kind of geographic based firewall? By chance limiting requests to only those originating from the USA?

Because I can readily see USA based requests getting through. But, none from the few non-USA countries I tested.


yes, we do geoblock most countries outside of the US. is this a new requirement? to open up for request from outside the US?

It has always been recommended to have port 80 open world-wide for the HTTP Challenge. In the past you could get away with blocking non-USA countries but this was only by luck. Let's Encrypt has long validated from both US and non-US countries.

The first two other threads linked to in the first reply to you explains the recent change and the technical details behind it.

While I think you should read those in total I think you will find this topic in the FAQ wiki a good start based on your other comment


Please read the linked articles in the first reply where the answers have been all along.


ok, thanks.