I have a SAN certificate (multiple domains), all bound to the same site in IIS (multi-domain redirect to the main site), and the renewal process fails.
It checks 3 domains: all pass, then it tests nkcss.net and it fails, it does .biz and it’s valid, then tries .info and fails.
The thing is: if I visit the URLs manually, they work. If I check the IIS logs, I see validation attempts for multiple domains from this list, but no requests are made for the nkcss.net and nkcss.info domains. They all share the same DNS settings, so I don’t know what might be the matter.
I use “Let’s Encrypt Simple Windows Client” v1.9.3.0
Submitting answer
Authorization Result: valid
Deleting answer
Additional files exist in C:\inetpub\wwwroot\NKCSS\www.nkcss.com.well-known/acme-challenge/ not deleting.
Authorizing Identifier nkcss.net Using Challenge Type http-01
Renewal failed IISSiteServer 2,3,4 () Renew After 9/15/2017, will retry on next run
It seems the software gets a different kind of result back now in that it won’t proceed to run the list of domains anymore. Could use some help here.
All 3 domains resolve to the same IPs (that’s good and simple).
However all 3 domains have IPv4 and IPv6 addresses.
Today, LE prefers IPv6 over IPv4 and may also require “proper” CAA.
You may need to check that both are fully functional.
Here are some resources that may help with CAA:
http://dnsviz.net/
https://dnssec-debugger.verisignlabs.com/
https://letsencrypt.org/docs/caa/
I’m leaning towards the IPv6 access being the problem.
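One way to test the two things the reply above points at (IPv6 reachability of the challenge path, and CAA permission) is to fetch the HTTP-01 path directly from every A and AAAA address the domain resolves to, with the Host header set, instead of letting the local resolver pick one family. The script below is an added example written for this thread; it is not the Let's Encrypt client's code and not the original poster's. It uses the nkcss.net name from the thread, but the token, the expected response body (which for HTTP-01 is the token plus the account key thumbprint) and the sample addresses in the `__main__` block are constructed. The CAA helper only evaluates a record set you hand it; it does not walk up the DNS tree to parent names or honour the critical flag, which a real CA does.

```python
"""Check each IPv4/IPv6 address of a domain for an HTTP-01 challenge file,
and evaluate whether a given CAA record set permits a CA to issue.
Added example for this thread; not the ACME client's own code."""
import http.client
import socket

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_all(domain):
    """Return sorted (family, address) pairs for the A and AAAA records of `domain`."""
    found = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        found.add((label, sockaddr[0]))
    return sorted(found)


def fetch_challenge(domain, address, token, timeout=5.0):
    """Connect straight to `address` (bypassing DNS) and request the challenge path
    with a Host header for `domain`, as a validator does after choosing one of the
    domain's addresses. Returns (HTTP status, stripped body)."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()


def check_domain(domain, token, expected, resolve=resolve_all, fetch=fetch_challenge):
    """Per-address report: {(family, address): "ok" | "status N" | "body mismatch" | "error: ..."}.
    `resolve` and `fetch` are injectable so the logic can be exercised offline."""
    report = {}
    for family, address in resolve(domain):
        try:
            status, body = fetch(domain, address, token)
        except OSError as exc:          # timeouts, refused connections, unreachable network
            report[(family, address)] = f"error: {exc}"
            continue
        if status != 200:
            report[(family, address)] = f"status {status}"
        elif body != expected:
            report[(family, address)] = "body mismatch"
        else:
            report[(family, address)] = "ok"
    return report


def families_failing(report):
    """Address families with at least one failing address; ["IPv6"] alone is the
    IPv6-only breakage the reply above suspects."""
    return sorted({fam for (fam, _), result in report.items() if result != "ok"})


def caa_permits(records, ca_domain, wildcard=False):
    """Evaluate CAA records given as (tag, value) pairs for one name, following the
    RFC 8659 rules for issue/issuewild: no issue-type records means any CA may issue;
    for wildcard requests issuewild takes precedence when present; a value of ";"
    denies everyone. Parameters after ';' (e.g. validationmethods=) are ignored."""
    issue = [v.split(";")[0].strip() for t, v in records if t == "issue"]
    issuewild = [v.split(";")[0].strip() for t, v in records if t == "issuewild"]
    if not issue and not issuewild:
        return True
    relevant = issuewild if (wildcard and issuewild) else issue
    return ca_domain in relevant


if __name__ == "__main__":
    # Constructed sample: IPv4 answers correctly, IPv6 times out (addresses are documentation ranges).
    def demo_resolve(domain):
        return [("IPv4", "192.0.2.10"), ("IPv6", "2001:db8::10")]

    def demo_fetch(domain, address, token):
        if address.startswith("2001:db8"):
            raise OSError("connection timed out")
        return 200, "token123.thumbprint"

    rep = check_domain("nkcss.net", "token123", "token123.thumbprint", demo_resolve, demo_fetch)
    for key, result in rep.items():
        print(key, result)
    print("failing families:", families_failing(rep))
    print("CAA allows letsencrypt.org:",
          caa_permits([("issue", "letsencrypt.org; validationmethods=http-01")], "letsencrypt.org"))
```

Run it against the live domain by replacing the two demo callables with the defaults (`check_domain("nkcss.net", token, expected)`) from a host that has working IPv6; a report where every IPv4 entry is `ok` and every IPv6 entry is an error or a non-200 status reproduces the situation in the thread, where the client's own HTTP fetch over IPv4 succeeds but the validator, preferring AAAA, never reaches the site and no request shows up in the IIS logs.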