SSL Expiring soon won't renew 404 403


My domain is: kkpcnet.com

I ran this command: C:\wacs>wacs.exe --test --verbose --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output: [VERB] Verbose mode logging enabled
[VERB] ExePath: C:\wacs\wacs.exe
[VERB] ResourcePath: C:\wacs
[VERB] PluginPath: C:\wacs
[VERB] Looking for settings.json in C:\wacs
[DBUG] Use existing configuration folder C:\ProgramData\win-acme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Use existing log folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Use existing cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[WARN] Unable to scan for services
[DBUG] secrets.json not found
[WARN] Found 3 files older than 120 days in C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates, enable Cache.DeleteStaleFiles in settings.json to automatically delete these on each run.
[VERB] Arguments: --test --verbose --renew --baseuri https://acme-v02.api.letsencrypt.org/
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.23.1315 (release, pluggable, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[DBUG] Send GET to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[INFO] Connection OK!
[DBUG] Running with administrator credentials
[DBUG] IIS version 7.5
[WARN] Scheduled task not configured yet
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
[VERB] Checking renewals

[VERB] Source converted into 1 order(s)
[VERB] Checking Exch KKPCNET.COM
[DBUG] Reading certificate cache
[VERB] v3 cache key not found, fall back to v2
[VERB] Main: previous thumbprint 4884AF0FEBC751025C58257E312FFE9FB714795B
[VERB] Main: previous expires 2023/2/5 9:58:19
[VERB] Main: no historic success found
[VERB] Main: latest due date 2023/1/23 16:22:37
[VERB] Main: earliest due date 2023/1/23 16:22:37
[VERB] Main: less than a day left
[VERB] Order Main should run: True
[INFO] Renewing Exch KKPCNET.COM
[DBUG] Previous certificate found at C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\zksW8foYcEyYO8u7oLDaAQ-a3ee6014c5f4e30b8a49fd7a530802af41005480-temp.pfx
[DBUG] Reading certificate cache
[VERB] v3 cache key not found, fall back to v2
[VERB] Obtain order details for Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[VERB] Constructing ACME protocol client...
[VERB] Getting service directory...
[DBUG] Send GET to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/order/60918288/160593348167
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: kkpcnet.com", "DnsName: autodiscover.kkpcnet.com", "DnsName: desktop.kkpcnet.com", "DnsName: mail.kkpcnet.com"]
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/60918288/160594518557 created
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015637
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015647
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015657
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015667
[VERB] Request completed with status OK
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[VERB] Handle authorization 1/4
[INFO] [autodiscover.kkpcnet.com] Authorizing...
[VERB] [autodiscover.kkpcnet.com] Initial authorization status: pending
[VERB] [autodiscover.kkpcnet.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [autodiscover.kkpcnet.com] Initial challenge status: pending
[INFO] [autodiscover.kkpcnet.com] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [autodiscover.kkpcnet.com] Submitting challenge answer
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/197664015637/97gGUw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/5)
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/197664015637/97gGUw
[VERB] Request completed with status OK
[EROR] [autodiscover.kkpcnet.com] Authorization result: invalid
[EROR] [autodiscover.kkpcnet.com] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "73.204.78.230: Invalid response from http://autodiscover.kkpcnet.com/.well-known/acme-challenge/sopk3OTjQLfmvVZ0ozRXEtHbGAOThaugvTIR09Mqy3s: 404",
"status": 403
}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[INFO] [autodiscover.kkpcnet.com] Deactivating pending authorization
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015637
[INFO] [desktop.kkpcnet.com] Deactivating pending authorization
[INFO] [kkpcnet.com] Deactivating pending authorization
[INFO] [mail.kkpcnet.com] Deactivating pending authorization
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015647
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015657
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/197664015667
[VERB] Request completed with status OK
[VERB] Order 1/1 (Main): error Validation failed
[VERB] Processing order 1/1: Main
[EROR] Renewal for Exch KKPCNET.COM failed, will retry on next run

[--test] Quit? (y*/n) - yes

[VERB] Exiting with status code -1

My web server is (include version): Internet Information Services 7.5 (IIS 7.5)

The operating system my web server runs on is (include version): Server 2008 R2

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): I don't know. If by root shell you mean cmd.exe or PowerShell, yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): IIS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win-Acme v2.1.23.1315

Hi @Wirelessnutt,

The "self-hosting" feature in WACS is apparently what we call "standalone" in Certbot:

That is, the WACS software is starting its own temporary listener on port 80 to receive validation connections from the certificate authority.

It looks like the certificate authority instead reached your IIS server on that port, which didn't know how to respond to the validation challenge. The WACS documentation says that it can sometimes share port 80 with IIS, but I guess it didn't manage to do so in this case?

I'm not sure what the best way to remedy this is (a different validation method? temporarily stopping IIS? changing permissions or configuration somewhere so that IIS can actually share the port with WACS?), but this seems to be why the renewal failed.

I'm also not sure why the original certificate issuance would have succeeded but the renewal would have failed. Can I assume you're running WACS directly on the same machine where IIS is listening to inbound connections from the Internet? You said you have IIS 7.5, but when I connect to your server, it sends the header

Server: Microsoft-IIS/10.0

which makes me wonder if there could be multiple web servers involved in your hosting setup and you could be running WACS on one where it can't directly receive the challenges from the certificate authority.

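A way to run the check schoen describes from outside the network: parse the challenge URL out of the CA's error detail, fetch it over plain HTTP the way the validator does, and compare the Server header you get back with the IIS version installed on the machine that runs WACS. This is an added example, not code from the thread or from win-acme; the example.com hostname, the 203.0.113.5 address and PLACEHOLDER_TOKEN are constructed values.

```python
import http.client
import re
from urllib.parse import urlparse

# Shape of the "detail" string in the ACME error quoted in the log above:
#   "<validator ip>: Invalid response from <url>: <http status>"
ACME_DETAIL_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+): Invalid response from (?P<url>\S+): (?P<status>\d{3})"
)
IIS_VERSION_RE = re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.IGNORECASE)


def parse_acme_detail(detail):
    """Split the CA's error detail into (validator_ip, challenge_url, status), or None."""
    m = ACME_DETAIL_RE.match(detail)
    if m is None:
        return None
    return m.group("ip"), m.group("url"), int(m.group("status"))


def fetch_challenge(url, timeout=10):
    """GET the challenge URL over plain HTTP (no TLS, port 80), as the CA's validator
    does, and return (status, Server header). Run it from outside your own network."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    resp.read()
    return resp.status, resp.getheader("Server", "")


def diagnose(observed_server, local_server, status):
    """Classify who answered on port 80. A different IIS version than the one on the
    WACS machine means the router sends port 80 to another host, as in this thread."""
    if status == 200:
        return "challenge-answered"          # a listener served the token
    seen = IIS_VERSION_RE.search(observed_server or "")
    local = IIS_VERSION_RE.search(local_server or "")
    if seen is None:
        return "non-iis-server"              # proxy, other web server, or no header
    if local is not None and seen.group(1) != local.group(1):
        return "forwarded-elsewhere"         # e.g. IIS/10.0 seen, IIS/7.5 installed
    return "iis-answered-instead-of-wacs"    # right machine, but IIS took port 80


if __name__ == "__main__":
    # Offline walk-through with constructed values (fetch_challenge(url) gives live ones).
    detail = ("203.0.113.5: Invalid response from "
              "http://autodiscover.example.com/.well-known/acme-challenge/PLACEHOLDER_TOKEN: 404")
    ip, url, status = parse_acme_detail(detail)
    print(url, diagnose("Microsoft-IIS/10.0", "Microsoft-IIS/7.5", status))
```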

Thanks schoen, there was a new server set up here within the last 90 days, and I had port 80 directed there on one of the routers; that is why you found IIS 10.0. That was the tip that I needed. Thanks!
