Ssl cert for iis server behind firewall not accessible from internet

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: wacs.exe

It produced this output: Source generated using plugin IIS:

Cached order has status invalid, discarding
[] Authorizing...
[] Authorizing using http-01 validation (SelfHosting)
[] Authorization result: invalid
[] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": " Invalid response from 403",
"status": 403
[] Deactivating pending authorization

My web server is (include version): Windows IIS 10

The operating system my web server runs on is (include version): Windows Server 2013 Std

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): IIS manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @alby, and welcome to the LE community forum :slight_smile:

That's a new one for me!

Does the HTTP site work from the Internet?
If so, can you create the challenge path and place a test text file in that location; So that we can see if it can be accessed from the Internet.
[make sure NOT to use any extension on the file OR place two files (one with no extension and one with .txt extension)]

What is this about?:

curl -Ii
HTTP/1.1 302 Found
Date: Wed, 15 Feb 2023 18:29:46 GMT
Server: Apache
X-XSSProtection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: max-age=0
Expires: Wed, 15 Feb 2023 18:29:46 GMT
Content-Type: text/html; charset=iso-8859-1

Hi RG305, No the web server is not accessible from the internet. It is solely an internal website, it our Intranet. I have to have it secured for PCI compliance. As far as the "Unknown Hostname" location response they are our Ecommerce Web Store which has ben acquired bi Billtrust. I am not sure why that is coming up, it sometimes shows up when I try to browse to my Intranet using the FQDN.

The only Challenge Types - Let's Encrypt that will work for you is DNS-01, but from here you are using HTTP-01 challenge.


Global DNS is resolving that name to their IP.


Yes the resoution is to use a DNS challenge instead of http as @Bruce5051 says. Note that if you do use DNS validation you can also acquire your cert on any machine/server you like, then deploy the certificate to your intranet (either manually or scripted etc).


Sorry for the delay I got stuck on a different project. When I run the WACS.exe I think it's hitting my domain server and not where my domain name is hosted. Can I run the command from a computer that resides out side of my company and then move the cert to my intranet server?

Only if using DNS-01 authentication.
For HTTP-01 authentication, you should run it on the same system OR you might be able to run it in manual mode and place the challenge file in the server yourself.


OK I am still having an issue, I setup the txt challange record on When I use mxtoolbox I
can see the txt record but when I run the script it does not find it and returns "Preliminary validation failed: no TXT records found The correct record has not yet been found by the local resolver." Why can mxtoolbox see the record but WACS cannot.

"Preliminary validation" suggests that WACS is trying to resolve the TXT record itself before it'll instruct the LE validation server to validate it. This could be due to incorrect DNS settings in WACS perhaps?


I don't know how or if WACS does a preliminary check. But, Let's Encrypt server won't see your TXT record either.

You have incorrect config of your DNS.

And, use unboundtest to check the TXT record. It uses similar method to how Let's Encrypt servers chase the DNS tree. And, right now it does not see it.


Can you show us these steps?:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.