Sudden Renewal Errors - Win-ACME / NGINX

Hello all. I've been renewing 2 certs manually for years now without issue, and suddenly it's no longer working. I'm using an old version of Win-ACME (wacs.exe). It wasn't broken, so I never bothered updating. I see now that it's been replaced by Simple-ACME, which I tried migrating to, with the same errors as below. My setup uses DDNS on my router (to both noip.com and duckdns.org) and NGINX on a Windows 11 machine. I have a router port forward for port 80 to the Windows 11 machine and a Windows firewall rule allowing port 80 for WACS.exe. My typical cert renewal flow is to turn off the NGINX service (as the renewal task fails when it's running), then manually renew the certs in Win-ACME wacs.exe. Now I'm getting the errors below:

My domain is:
russplex.ddns.net, kajgassistant.duckdns.org

I ran this command: WACS.exe > R: Renew scheduled

It produced this output:
[INFO] Renewing certificate for [Manual] russplex.ddns.net
[INFO] Authorize identifier: russplex.ddns.net
[INFO] Authorizing russplex.ddns.net using http-01 validation (SelfHosting)
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "IP.IP.IP.IP Fetching http://russplex.ddns.net/.well-known/acme-challenge/SOME_KEY_REMOVED: Connection reset by peer",
"status": 400
}
[EROR] Authorization result: invalid
[EROR] Renewal for [Manual] russplex.ddns.net failed, will retry on next run
[INFO] Renewing certificate for [Manual] kajgassistant.duckdns.org
[INFO] Authorize identifier: kajgassistant.duckdns.org
[INFO] Authorizing kajgassistant.duckdns.org using http-01 validation (SelfHosting)
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "IP.IP.IP.IP: Fetching http://kajgassistant.duckdns.org/.well-known/acme-challenge/SOME_KEY_REMOVED: Connection reset by peer",
"status": 400
}
[EROR] Authorization result: invalid
[EROR] Renewal for [Manual] kajgassistant.duckdns.org failed, will retry on next run

My web server is (include version):
Using NGINX, not sure version.

The operating system my web server runs on is (include version):
Windows 11

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Checking http://russplex.ddns.net/.well-known/acme-challenge/test manually, it seems to respond OK, but the error you are seeing is that when Let's Encrypt tries much the same check it gets its connection reset, which is usually a sign of a firewall or security product actively intervening.

You're using the win-acme "self-hosting" option, which means it uses its own "HttpListener" via the Windows http.sys feature to answer the HTTP challenge on TCP port 80.

Recently though (last week) there was a problem with a Windows Update which killed access to anything that runs an HttpListener (and affected thousands of apps), so I think this might be the case here.

Running the latest Windows Updates and rebooting (or just rebooting if they are already applied) should fix it.

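The reply above points at two different places the http-01 check can die: the HttpListener/http.sys layer that the win-acme "SelfHosting" validator relies on, and a firewall or security product resetting the inbound connection. The script below is an added diagnostic written for this thread; it is not code from win-acme, simple-acme or the poster. It stands up a bare HttpListener on the same http.sys prefix the validator uses, answers one request for a constructed token, and fetches that token from a separate process so the two failure modes report differently. Assumptions: it is run from an elevated PowerShell on the Windows 11 box with the NGINX service stopped, the token and key-authorization strings are placeholders (a real ACME token is random and the key authorization is derived from the account key), and the test request goes to localhost, so it exercises http.sys and the host firewall but not the router's port forward.

```powershell
# Added diagnostic for the win-acme "SelfHosting" http-01 path (not part of win-acme).
# Run elevated (HttpListener on http://+:80/ needs admin or a urlacl reservation)
# with the NGINX service stopped so port 80 is free.
#Requires -RunAsAdministrator

$Prefix  = 'http://+:80/.well-known/acme-challenge/'   # same prefix shape the validator uses
$Token   = 'test-token'                                # constructed; a real token is random
$KeyAuth = "$Token.constructed-key-authorization"      # constructed; not derived from any key

# 1. Who already owns TCP 80? A running NGINX (or anything else) makes Start() fail.
$owners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-Process -Id $_.OwningProcess).ProcessName } | Sort-Object -Unique
if ($owners) { Write-Warning "TCP 80 is already held by: $($owners -join ', ')" }

# 2. Show the inbound firewall rules that name wacs.exe, since the host firewall is
#    the first thing between the router and http.sys.
Get-NetFirewallApplicationFilter -All |
    Where-Object { $_.Program -like '*wacs.exe' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize

# 3. Recently installed updates, for correlating a sudden change with Windows Update.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# 4. Start an HttpListener on http.sys exactly as the self-hosting validator would.
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add($Prefix)
try {
    $listener.Start()
} catch {
    # A failure here is an http.sys/HttpListener problem, not a network one.
    Write-Error "HttpListener.Start() failed on http.sys: $($_.Exception.Message)"
    return
}

# 5. Fetch the challenge from a separate process so the request and the response
#    handling below do not deadlock in this one thread.
$url    = "http://localhost/.well-known/acme-challenge/$Token"
$client = Start-Job -ArgumentList $url -ScriptBlock {
    param($u)
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "STATUS $($r.StatusCode) BODY $($r.Content)"
    } catch {
        "ERROR $($_.Exception.Message)"
    }
}

# 6. Serve exactly one request: 200 + key authorization for the known token, 404 otherwise.
$ctxTask = $listener.GetContextAsync()
if ($ctxTask.Wait(15000)) {
    $ctx       = $ctxTask.Result
    $requested = $ctx.Request.Url.AbsolutePath.Split('/')[-1]
    $known     = ($requested -eq $Token)
    $body      = [Text.Encoding]::ASCII.GetBytes($(if ($known) { $KeyAuth } else { 'unknown token' }))
    $ctx.Response.StatusCode  = $(if ($known) { 200 } else { 404 })
    $ctx.Response.ContentType = 'text/plain'
    $ctx.Response.OutputStream.Write($body, 0, $body.Length)
    $ctx.Response.Close()
} else {
    Write-Warning 'Listener is up but no request reached http.sys within 15 s.'
}
$listener.Stop()

# 7. Interpret the client side. A reset with the listener healthy means something
#    between client and http.sys (firewall, security product) is killing the socket.
$result = Receive-Job -Job $client -Wait -AutoRemoveJob
switch -Regex ($result) {
    '^STATUS 200'                    { "OK: self-hosted challenge answered: $result" }
    'reset|forcibly closed|refused'  { "Connection killed before http.sys answered: $result" }
    default                          { "Failed: $result" }
}
```

A clean result here only proves the path from localhost to http.sys; Let's Encrypt arrives through the router, so repeat the `Invoke-WebRequest` from a device on a different network (or a phone off Wi-Fi) while the listener, or wacs.exe itself, is running. If `Start()` fails, or the local fetch is reset while the listener reports nothing, the HttpListener layer itself is broken on the box, which matches the Windows Update explanation above rather than a firewall rule.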

Thank you. This helped very much. I'm back up and running.

