The Let's Encrypt certificate renewal has failed. We are using WACS for automatic certificate renewal on our IIS server, but the renewal was unsuccessful. The firewall policy restricts access to port 80 based on source IP, and our DNS provider does not support DNS API. Since our firewall is controlled globally and we are unable to modify the policy, may I know if you have any alternative methods to update the certificate? Thanks!
If you can't control the responses on port 80, or control what your DNS server returns, then from an external viewpoint you don't actually control the domain name (and perhaps your certificates should instead be acquired by someone else who does).
If you can't dynamically update your DNS, but you can convince whoever does control it to add records for you manually if you ask nicely, then maybe you can have them add a NS record for _acme-challenge to delegate it to a server you control (with port 53 globally accessible) that runs acme-dns which is a special-purpose DNS server just for replying to challenges.
Also, you might want to know there is a proposal called DNS-PERSIST-01 working its way through the various powers that be to allow for a single manual DNS entry to just stay there indefinitely in order to validate control. Let's Encrypt said in a recent blog post that they hope to implement it this year.
3 Likes
As peters suggests you can delegate to a DNS zone you do control that has an API (one technique is to NS a subdomain to a zone hosted on AWS Route 53 for instance, then use that API), or if you do have manual control over DNS you could temporarily use Manual DNS validation and create the TXT records yourself.
If you don't have that level of access to DNS then you would need whoever does to issue the certs for you and make them available for use. One of the most flexible methods with IIS is to use CCS (centralized certificate store), where you can just copy the latest cert to a share and have IIS pick it up from there.
3 Likes