Server 2012 - Renewal of LetsEncrypt Cert Fails

Original cert created using Win-acme 1.9.9.0
All certs have expired since 3/2019 for development environment.
Tried to renew today. Following errors.

[INFO] Renewing certificate for rds.xxx.com
[INFO] Authorize identifier: rds.xxx.com
[INFO] Authorizing rds.xxx.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://rds.xxx.com/.well-known/acme-challenge/XpsULdNdkiennJIDlIAm-diEgl3CmB5nlZAFq-z0HAo
[EROR] Authorization result: invalid
[EROR] NullReferenceException: Object reference not set to an instance of an object.
[EROR] Renewal for rds.xxx.com failed, will retry on next run
[INFO] Renewing certificate for rds.xxx.com
[INFO] Authorize identifier: rds.xxx.com
[INFO] Authorizing rds.xxx.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://rds.xxx.com/.well-known/acme-challenge/l9jLBeDIY7LOzdgEqyPgj9dAnfCMhYB8wnU_Ls0DsT0
[EROR] Authorization result: invalid
[EROR] NullReferenceException: Object reference not set to an instance of an object.
[EROR] Renewal for rds.xxx.com failed, will retry on next run

Is there a log which might tell me where the errors can be found? “Authorization result invalid” looks like a good place to start.

Cool site

1 Like

This sounds like a software issue in the client to me in the first place. And that error results in an invalid authorization.

Are you running the latest release of win-acme? Currently, it's already at 2.1.2.641.

1 Like

Thanks for the comment. I’ve tried three versions of win-acme (1.9.9.0, 2.0.4.227, and 2.1.2.641).
None worked. Odd thing is the original did work.

I’ve spent almost a day working on this. Seems like it should be easier.

I ended up creating a self-signed cert, and everything is working now. I will return to this
soon. Cheers

1 Like

Do all of these generate the NullReferenceException? If so, I would suggest filing a bug report on the win-acme GitHub issue page.

1 Like

Hi @mm_coder

You have to use the newest version. Letsencrypt had some code changes (GET -> POST), so an older client can't work.

The code changes came later, so the "old working" version can no longer work.

If you want help, please answer all of the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

As I've already posted earlier, 2.1.2.641 is the most recent version.

Thanks for taking a look.
Server 2012
Hosting Provider : Rackspace
Domain: allnaturalstone.com

Running non-production RDS Server Farm:…trying to move to production.
Last successful cert generation, I used 1.9.9.0 which installed certificates on IIS.
Then I exported the certificate into a .pfx, then applied to my RDS Gateway, Broker etc
Certificate expired 3/2019

One comment. My original certificate had a mismatch against the IIS server,
which I corrected running a script to change fqdn on my IIS.
More details here:
https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.2.636 (RELEASE, PLUGGABLE)
[INFO] IIS version 8.5
[INFO] Running with administrator credentials
[WARN] Scheduled task not configured yet
[INFO] Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
O: More options…
Q: Quit

Please choose from the menu: n

[INFO] Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

1: Default Web Site (1 binding)

Site identifier(s) or to choose all: 1

1: rds.allnaturalstone.com (Site 1)

You may either choose to include all listed bindings as host names in your
certificate, or apply an additional filter. Different types of filters are
available.

1: Pick specific bindings from the list
2: Pick bindings based on a search pattern
3: Pick all bindings

How do you want to pick the bindings?: 3

1: rds.allnaturalstone.com (Site 1)

Continue with this selection? (y*/n) - yes

[INFO] Target generated using plugin IIS: rds.allnaturalstone.com
[INFO] Authorize identifier: rds.allnaturalstone.com
[INFO] Authorizing rds.allnaturalstone.com using http-01 validation (SelfHostin
)
[EROR] Authorization result: pending
[EROR] Create certificate failed: Authorization failed

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
O: More options…
Q: Quit

Please choose from the menu:

1 Like

Checking your domain: that can't work, there is a timeout - https://check-your-website.server-daten.de/?q=rds.allnaturalstone.com

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://rds.allnaturalstone.com/ 161.47.37.172 | -14 | | 10.024 | T |
| Timeout - The operation has timed out | | | | |
| http://www.rds.allnaturalstone.com/ 162.241.238.178 No GZip used - 326 / 447 - 72,93 % possible | 200 | Html is minified: 105,67 % | 0.257 | H |
| https://rds.allnaturalstone.com/ 161.47.37.172 | -14 | | 10.034 | T |
| Timeout - The operation has timed out | | | | |
| https://www.rds.allnaturalstone.com/ 162.241.238.178 No GZip used - 326 / 447 - 72,93 % possible Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 200 | Html is minified: 105,67 % | 4.690 | B |
| http://rds.allnaturalstone.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 161.47.37.172 | -14 | | 10.040 | T |
| Timeout - The operation has timed out | | | | |
| Visible Content: | | | | |

The first and the last rows are critical. Using http validation -> a working port 80 is required.

Do you have a port 80 binding? Is there a firewall?

Does http work internally?

curl http://www.rds.allnaturalstone.com/.well-known/acme-challenge/1234

should show an http status 404 - Not Found.

2 Likes
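The port 80 check described in the reply above can be scripted as a preflight before retrying a renewal. This is an added example, not part of the original thread and not win-acme code; the function names and verdict strings are assumptions made for illustration. It requests a random token under the challenge path, as the curl command does, and separates a timeout (firewall or missing binding) from a reachable server that answers 404. Run it from a machine outside the server's network, because that is where the validation request comes from.

```python
import secrets
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx answers instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status=None, error=None):
    """Turn a probe outcome into a verdict about http-01 readiness."""
    if error == "timeout":
        return "blocked: no answer on port 80 (firewall or missing binding)"
    if error is not None:
        return "blocked: " + error
    if status == 404:
        return "ok: server reachable, unknown token gives 404"
    if 300 <= status < 400:
        return "check: redirect (%d), confirm the target serves the token" % status
    if status == 200:
        return "check: random token gave 200, a catch-all page may hide the real answer"
    return "check: unexpected HTTP status %d" % status

def probe(host, timeout=10.0):
    """Request a random (constructed) token path over plain http."""
    url = "http://%s%s%s" % (host, CHALLENGE_PREFIX, secrets.token_urlsafe(16))
    # Empty ProxyHandler: talk to the host directly, ignoring proxy settings.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as exc:   # 3xx, 4xx and 5xx land here
        return classify(exc.code)
    except urllib.error.URLError as exc:    # DNS failure, refused, connect timeout
        if isinstance(exc.reason, socket.timeout):
            return classify(error="timeout")
        return classify(error=str(exc.reason))
    except socket.timeout:                  # connected, but no reply in time
        return classify(error="timeout")

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, "->", probe(name))
```

Pass the exact host name that appears on the certificate as the argument; a different name can resolve to a different address, as the two IPs in the check table show.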
