Too many failed authorizations recently and alternate verification port

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cc.johnsonkraeuter.com

I ran this command:
"C:\Tech\Lets Encrypt\wacs.exe" --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output:
Port 80 became blocked, and so when the task attempted to run, it was never successful. The site runs off of ONLY 443 though, so nobody noticed. The certificate was expired, and port 80 was not available, so I tried adding "--validationport 8080" to try and get it to work through that port, but the renewal was in error, so I cancelled it. I hope I can regenerate it soon and get this working again. Or, do I need to do something else yet?

I'd really prefer to do DNS validation, but I'd have to do it manually to start with, and it sounds like that precludes auto-renewals, is that correct?

If I used GoDaddy, would it work only for domains hosted there?

Thanks in advance!

My web server is (include version): IIS on server '19

The operating system my web server runs on is (include version): Windows Server '19

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes, administrative login to everything

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
PS C:\Tech> & '.\Lets Encrypt\wacs.exe' --version

A simple Windows ACMEv2 client (WACS)
Software version 2.1.21.1218 (release, pluggable, standalone, 32-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Scheduled task arguments do not match with expected value
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

The baseline requirements which Let's Encrypt has to adhere to require to use port 80 only for the HTTP-01 challenge. Therefore you won't be able to choose a different port with this challenge. The --validationport option is intended to be used when you have an internal redirect to a different port (by a reverse proxy for example) and does not influence the ACME challenge.

Depending how WACS currently handles challenges, you may be able to switch to the TLS-ALPN-01 challenge. This challenge runs entirely over port 443, but WACS requires exclusive access to port 443 for this to work (according to documentation). So you can't have a webserver running on 443 during validation.

Indeed, a third choice would be to switch to the DNS-01 challenge. If you are performing manual challenges, you will have to do them manual every time - including renewals.

Automating it requires your ACME client to add (and remove) DNS TXT records by itself. This is usually done by integrating with a DNS provider with API access. WACS appears to support a number of DNS providers via plugins: DNS validation - WIN-ACME. There appears to be a plugin for GoDaddy, bu I have no experience with any of that.

There are different plugins available for various DNS providers. There is also the option to delegate the DNS challenge to a different DNS zone, which may be hosted on a different provider. For example, you can self-host a DNS server that only handles ACME DNS challenges and delegate the DNS validation TXT record (_acme-challenge) there via a CNAME. Software like acme-dns use this method.

4 Likes