We’ve had dozens of websites running on IIS in a webfarm configuration using Let’s Encrypt certificates for the past years and everything runs fine for the most part. Right now we are suffering from errors with certificate renewal. Renewal requests for specific domains get rejected all of a sudden, where they used to be renewed automatically in the past (scheduled task is in place). Many others work fine. I’ll go into one example below.
I’m unable to create a certificate for the domain encrypted.mypoiworld.com. This is actually a test domain for us, so very easy to play around with. The current certificate was created 6/26/2020 and is valid until 9/24/2020, so no real reason to renew just yet.
When I create the /.well-known/acme-challenge folder manually and put a file in it, I can retrieve it from the following url: http://encrypted.mypoiworld.com/.well-known/acme-challenge/test.txt
We use a central certificate store (due to our webfarm setup) so I test renewing the certificate using the following command:
wacs.exe --store centralssl --target iis --installation iis --host encrypted.mypoiworld.com --test
The output is:
A simple Windows ACMEv2 client (WACS)
Software version 220.127.116.111 (RELEASE, PLUGGABLE)
IIS version 10.0
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/PKISharp/win-acme
Running in mode: Unattended, Test
Target generated using plugin IIS: encrypted.mypoiworld.com
Authorize identifier: encrypted.mypoiworld.com
Authorizing encrypted.mypoiworld.com using http-01 validation (SelfHosting)
“detail”: “Invalid response from http://encrypted.mypoiworld.com/.well-known/acme-challenge/Xyq5JytkTPeIDELLmqKL3pCrVAMfHjC87bUttqXApsI [18.104.22.168]: " \n<html xmlns=\“http””,
Authorization result: invalid
Create certificate failed: Authorization failed
One thing that stands out for me, is that the acme challenge file doesn’t seem to be created.
NOTE: While writing this ticket all of a sudden the exact same request did succeed! So now the issue seems to be it sometimes fails but not always. I adjusted the title of the ticket accordingly.
Any ideas on what’s wrong here?