Sometimes can't create certificate for encrypted.mypoiworld.com

Hi

We’ve had dozens of websites running on IIS in a webfarm configuration using Let’s Encrypt certificates for the past years and everything runs fine for the most part. Right now we are suffering from errors with certificate renewal. Renewal requests for specific domains get rejected all of a sudden, where they used to be renewed automatically in the past (scheduled task is in place). Many others work fine. I’ll go into one example below.

I’m unable to create a certificate for the domain encrypted.mypoiworld.com. This is actually a test domain for us, so very easy to play around with. The current certificate was created 6/26/2020 and is valid until 9/24/2020, so no real reason to renew just yet.

When I create the /.well-known/acme-challenge folder manually and put a file in it, I can retrieve it from the following url: http://encrypted.mypoiworld.com/.well-known/acme-challenge/test.txt

We use a central certificate store (due to our webfarm setup) so I test renewing the certificate using the following command:
wacs.exe --store centralssl --target iis --installation iis --host encrypted.mypoiworld.com --test

The output is:
A simple Windows ACMEv2 client (WACS)
Software version 2.1.3.671 (RELEASE, PLUGGABLE)
IIS version 10.0
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/PKISharp/win-acme
Running in mode: Unattended, Test
Target generated using plugin IIS: encrypted.mypoiworld.com
Authorize identifier: encrypted.mypoiworld.com
Authorizing encrypted.mypoiworld.com using http-01 validation (SelfHosting)
{
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from http://encrypted.mypoiworld.com/.well-known/acme-challenge/Xyq5JytkTPeIDELLmqKL3pCrVAMfHjC87bUttqXApsI [217.114.111.67]: " \n<html xmlns=\“http””,
“status”: 403
}
Authorization result: invalid
Create certificate failed: Authorization failed

One thing that stands out for me, is that the acme challenge file doesn’t seem to be created.

NOTE: While writing this ticket all of a sudden the exact same request did succeed! So now the issue seems to be it sometimes fails but not always. I adjusted the title of the ticket accordingly.

Any ideas on what’s wrong here?

Best regards,
Raymond

Does your acme client know where your webroot is? Is your webserver running?

I don’t understand your question. The acme client runs on one of the webservers in the webfarm. The webfarm is always running. You can test the URL I provided.

Ok, the webserver is running. Now for the other question:

Does wacs.exe know where to write the challenge verification files so that they get served on .well-known/acme-challenge?

I suppose it derives the folder location from the website configuration in IIS. I’ve never had to configure anything in the past for this.

It looks like it does not use a webroot. My bad: https://www.win-acme.com/reference/plugins/validation/http/selfhosting

You should probably wait for someone more knowledgeable in the ways of windows or check here.

Actually that was a great tip! I never realized wacs.exe would launch a webserver itself just for verification purposes. That would explain why the verification sometimes succeeds and sometimes fails. It all depends on the webserver that will actually handle the verification request. If that would be the webserver wacs.exe runs on, verification will succeed. If another webserver in the farm would answer it, verification would fail.

I’ll have to look into this some more. Thanks for now!