Unable to renew certificate on just one site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
tdpickleball.org
I ran this command:
wacs --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
It produced this output:
[www.tdpickleball.org] Authorizing...
[www.tdpickleball.org] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://www.tdpickleball.org/.well-known/acme-challenge/twJArJIi22Pn1oDWjKKBiy9SOx8DZoqdb1E1jOmqbLo
Preliminary validation failed, the server answered '(null)' instead of 'twJArJIi22Pn1oDWjKKBiy9SOx8DZoqdb1E1jOmqbLo.wQ3q8p4S_vZ0FLebw1vjtuPbqmCaJW7KrFcDyDtoY-0'. The ACME server might have a different perspective
[www.tdpickleball.org] Authorization result: invalid
[www.tdpickleball.org] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "209.237.77.4: Invalid response from https://www.tdpickleball.org: "\ufeff\r\n<h"",
"status": 403

[www.tdpickleball.org] Deactivating pending authorization
[www.vanirbb.com] Deactivating pending authorization
[tdpickleball.org] Deactivating pending authorization
My web server is (include version):
IIS 10
The operating system my web server runs on is (include version):
Windows Server 2019
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
no
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
win-acme 2.1.22.1289
Note that the rest of my sites all renew as expected on this server; only this one fails. When I use letsdebug.net it finds no issues.

Any particular reason you are using file system validation instead of self-hosting? The benefit of self-hosting is that the app will spin up a webserver (which shares port 80 with IIS) and handle the http challenge for you.

Otherwise you need IIS to handle the challenge response file properly (and not redirect to a 404 etc). This usually involves having the correct web.config rules to allow the http challenge request to pass through to the filesystem.

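As an added example (not win-acme's own template and not from anyone in this thread), a site-root web.config that keeps an HTTP-to-HTTPS redirect rule but exempts the challenge path from it, and serves the extensionless token files as plain text from the filesystem. It assumes the IIS URL Rewrite module is installed and that the client writes tokens below the site's physical root.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.config for the site root. Assumption: the IIS URL Rewrite
     module is installed; without it the <rewrite> section makes IIS return HTTP 500. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect plain HTTP to HTTPS, but never for the ACME challenge path:
             the validator must receive the token file with a 200, not a 301/302. -->
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

  <!-- Settings that apply only below /.well-known/acme-challenge -->
  <location path=".well-known/acme-challenge">
    <system.webServer>
      <!-- Token files have no extension; map "." so the static file handler serves
           them as text/plain instead of answering 404 or with an HTML error page. -->
      <staticContent>
        <remove fileExtension="." />
        <mimeMap fileExtension="." mimeType="text/plain" />
      </staticContent>
      <!-- Hand every request in this folder to the static file handler only,
           so no application handler or default document logic runs here. -->
      <handlers>
        <clear />
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
      </handlers>
      <security>
        <requestFiltering>
          <fileExtensions allowUnlisted="true" />
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

After deploying it, fetch a test file at the challenge URL over plain HTTP and confirm a 200 with the exact file body rather than a redirect or an HTML page.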

Could it be the HTTPS redirect in the web.config? I'm really not finding much that seems to be unusual in there...

It could if the redirect sent Let's Encrypt to a URL that did not resolve the challenge.

But, I see you just got a cert and your server is sending it out. Are you still having a problem?

I don't see that HTTP requests are redirecting to HTTPS but they normally should. That's not related to the certs. It's just something people usually configure in their servers. Would usually see a 301 or 302 redirect - not a 200 OK.

curl -I  http://tdpickleball.org
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
Date: Sun, 21 Aug 2022 02:52:50 GMT
