Unable to renew the certificate using win-acme

Hi Everyone

I have an issue renewing my Let's Encrypt domain certificate.
I cannot renew the certificate using win-acme.

My domain is: sgrdgw.gerp.work

There are 2 certificates in IIS somehow. The names of the certificates are the same: "sgrdgw.gerp.work".
The expiry date of one is 10th Oct 2022, but the other is 4th Oct 2022. The latter one seems expired.
Previously we renewed both of them using the commands below. This time, the renewal didn't succeed.

I ran this command:
\win-acme.v2.0.5.246\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
\win-acme.v2.0.5.246\wacs.exe --renew --baseuri "https://acme-staging-v02.api.letsencrypt.org/directory"
I have tried the "Renew Specific" option.

It produced this output:
[INFO] Renewing certificate for [Manual] sgrdgw.gerp.work
[WARN] First chance error calling into ACME server, retrying with new nonce...
[INFO] Authorize identifier: sgrdgw.gerp.work
[INFO] Authorizing sgrdgw.gerp.work using http-01 validation (SelfHosting)
[EROR] Authorization timed out
[EROR] Renewal for [Manual] sgrdgw.gerp.work failed, will retry on next run
[INFO] Renewing certificate for [Manual] sgrdgw.gerp.work
[INFO] Authorize identifier: sgrdgw.gerp.work
[INFO] Authorizing sgrdgw.gerp.work using http-01 validation (SelfHosting)
[EROR] Authorization timed out
[EROR] Renewal for [Manual] sgrdgw.gerp.work failed, will retry on next run

My web server is (include version): IIS 10.0.14393.0
The operating system my web server runs on is (include version): WindowsServer-2016
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.0.5.246

Hi @hiroaki, and welcome to the LE community forum 🙂

I'd try updating to the latest win-acme version, 2.1.22.2.


Hi @rg305

Thanks for your support.
I have downloaded win-acme 2.1.22 and tried to renew the certificate, but it didn't work.

It seems that the error below shows up.

Please choose from the menu: R

Renewing [Manual] sgrdgw.gerp.work
Cached order has status pending, discarding
[sgrdgw.gerp.work] Authorizing...
[sgrdgw.gerp.work] Authorizing using http-01 validation (SelfHosting)
[sgrdgw.gerp.work] Authorization result: invalid
[sgrdgw.gerp.work] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "153.254.112.181: Fetching http://sgrdgw.gerp.work/.well-known/acme-challenge/o4hqdr6_eZ1tTpM-x8UGHfF5tdaccZwzjjEF6TYEBWI: Timeout during connect (likely firewall problem)",
"status": 400
}
[sgrdgw.gerp.work] Deactivating pending authorization
Renewal for [Manual] sgrdgw.gerp.work failed, will retry on next run

Renewing [Manual] sgrdgw.gerp.work
Cached order has status invalid, discarding
[sgrdgw.gerp.work] Authorizing...
[sgrdgw.gerp.work] Authorizing using http-01 validation (SelfHosting)
[sgrdgw.gerp.work] Authorization result: invalid
[sgrdgw.gerp.work] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "153.254.112.181: Fetching http://sgrdgw.gerp.work/.well-known/acme-challenge/Gjo0XT4db_0tpfE3hZt8CcfMD8_QGg1rGyGGtRDeeYY: Timeout during connect (likely firewall problem)",
"status": 400
}
[sgrdgw.gerp.work] Deactivating pending authorization
Renewal for [Manual] sgrdgw.gerp.work failed, will retry on next run

It looks like just what the message says and you have some sort of firewall blocking access by the Let's Encrypt servers. They need to make HTTP requests to your server to satisfy the HTTP Challenge you are using.

The Let's Debug test site is often helpful. It reports the same problem about the timeout.

If you get a successful test on Let's Debug, you should be able to get a certificate.

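An added pre-flight check in Python (not part of the thread, and not win-acme's or Let's Debug's code) that performs the same plain-HTTP fetch of the challenge path the validation servers do and maps the outcome to the categories seen in the log above: timeout (the "likely firewall problem" case), connection refused, non-200 status, or a body that is not a key authorization for the token. `selfcheck()` runs it against a constructed loopback responder; the token and thumbprint values are constructed.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"

def check_http01(host, token, port=80, timeout=5.0):
    """GET http://host/.well-known/acme-challenge/<token> the way the CA does; classify the outcome."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except socket.timeout:  # the case in the thread: the SYN is never answered (filtered)
        return {"result": "timeout", "detail": "Timeout during connect (likely firewall problem)"}
    except ConnectionRefusedError:  # host reachable, but nothing listening on the port
        return {"result": "refused", "detail": f"connection refused on port {port}"}
    except OSError as exc:  # DNS failure, unreachable network, reset, ...
        return {"result": "error", "detail": str(exc)}
    if resp.status != 200:
        return {"result": "http-error", "detail": f"HTTP {resp.status} for {ACME_PATH + token}"}
    # The CA compares the body with "<token>.<account key thumbprint>" exactly; without the
    # account key we can only confirm that the answer belongs to this token.
    if not body.startswith(token + "."):
        return {"result": "wrong-body", "detail": "response is not a key authorization for this token"}
    return {"result": "ok", "detail": "challenge answered"}

def selfcheck(token="constructed-token-0123", thumbprint="constructed-thumbprint"):
    """Serve a constructed token on a loopback port, check it, then close the port and check again."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != ACME_PATH + token:
                return self.send_error(404)
            payload = f"{token}.{thumbprint}".encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
        def log_message(self, *_):  # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    results = {"served": check_http01("127.0.0.1", token, port),
               "missing": check_http01("127.0.0.1", "some-other-token", port)}
    srv.shutdown()
    srv.server_close()
    results["closed"] = check_http01("127.0.0.1", token, port)  # port now closed -> refused
    return results
```

Run `check_http01("sgrdgw.gerp.work", token)` from a host outside the firewall while win-acme is waiting on the challenge; from the server itself it will succeed even when the validation servers are blocked, which is why Let's Debug is the more telling test.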

Hi @MikeMcQ

Thank you for your note.
I'm looking at the firewall settings, but it seems the connection to the sgrdgw.gerp.work server is allowed via ports 80 and 443. Could you let me know from which IPs connections should be accepted?

Best regards,
Kawai


See:


Sorry for my late reply.
We renewed the certificate successfully using the dns-01 method, not http-01.

I don't know why http-01 didn't go well. But it is back to normal status as of now.
Thanks for your support.
