"The ACME server was probably unable to reach". No requests in my IIS log; when I check manually, it works

I have a SAN certificate (multiple domains). All bound to the same site in IIS (multi-domain redirect to main site), and the renewal process fails.

It checks 3 domains: all pass, then it tests nkcss.net and it fails, it does .biz and it’s valid, then tries .info and fails.

The thing is: if I visit the URLs manually, they work. If I check the IIS logs, I see validation attempts for multiple domains from this list, but no requests are made for the nkcss.net and nkcss.info domains. They all share the same DNS settings, so I don’t know what might be the matter.

I use “Let’s Encrypt Simple Windows Client” v1.9.3.0

Thanks in advance;

Nick Kusters.

So weird… the .info domain started to validate now, but the .net still does not authorize.

And now they all validate… so weird.

Never mind, it just dies now…

Submitting answer
Authorization Result: valid
Deleting answer
Additional files exist in C:\inetpub\wwwroot\NKCSS\www.nkcss.com.well-known/acme-challenge/ not deleting.
Authorizing Identifier nkcss.net Using Challenge Type http-01
Renewal failed IISSiteServer 2,3,4 () Renew After 9/15/2017, will retry on next run

It seems the software gets a different kind of result back now in that it won’t proceed to run the list of domains anymore. Could use some help here.

Which version of IIS?

All 3 domains resolve to the same IPs (that’s good and simple).
However all 3 domains have IPv4 and IPv6 addresses.
Today, LE prefers IPv6 over IPv4 and may also require “proper” CAA.
You may need to check that both are fully functional.
Here are some resources that may help with CAA:

I’m leaning towards the IPv6 access being the problem.

You indeed have IPv6 issues.

You will need to correct or remove the AAAA records to complete validation.
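
The symptom discussed in this thread (http-01 challenge requests showing up in the IIS log for some SAN names but not for others, while every name publishes an AAAA record) can be checked mechanically. The Python below is an added example, not part of the original posts or of the client's code; the log excerpt, IP addresses, tokens and the `has_aaaa` input are constructed, and the log is assumed to use the IIS W3C format with the `s-ip`, `cs-uri-stem` and `cs-host` fields enabled.

```python
import ipaddress
from collections import defaultdict

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed IIS W3C log excerpt (documentation-range IPs, placeholder tokens).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs-host sc-status
2017-09-15 10:00:01 2001:db8::10 GET /.well-known/acme-challenge/TOKEN-A 80 2001:db8::99 nkcss.com 200
2017-09-15 10:00:03 192.0.2.10 GET /.well-known/acme-challenge/TOKEN-B 80 198.51.100.7 nkcss.biz 200
2017-09-15 10:00:04 192.0.2.10 GET /index.html 80 203.0.113.5 nkcss.net 200
"""

def challenge_hits(log_text):
    """Count http-01 challenge requests per Host header, split by the
    address family of the server IP (s-ip) that accepted the connection."""
    fields = []
    hits = defaultdict(lambda: {"IPv4": 0, "IPv6": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").startswith(CHALLENGE_PREFIX):
            continue                           # ordinary traffic, not validation
        host = row.get("cs-host", "-").split(":")[0].lower()
        try:                                   # drop any IPv6 zone id before parsing
            version = ipaddress.ip_address(row.get("s-ip", "").split("%")[0]).version
        except ValueError:
            continue
        hits[host]["IPv%d" % version] += 1
    return {h: dict(c) for h, c in hits.items()}

def diagnose(has_aaaa, log_text):
    """has_aaaa: {domain: bool}, filled in by hand from a DNS lookup."""
    hits = challenge_hits(log_text)
    report = {}
    for domain, aaaa in has_aaaa.items():
        seen = hits.get(domain.lower(), {"IPv4": 0, "IPv6": 0})
        families = [f for f in ("IPv4", "IPv6") if seen[f]]
        if families:
            report[domain] = "reached via " + "+".join(families)
        elif aaaa:
            report[domain] = "no challenge request logged; AAAA published, verify the IPv6 path"
        else:
            report[domain] = "no challenge request logged; check A record and port 80"
    return report
```

A name that reports "AAAA published, verify the IPv6 path" matches the diagnosis given above: the validation request never arrived at IIS, so the published IPv6 address is the first thing to test from an outside host.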
