Validation Failed on SAN cert for Exchange 2016

Using win-acme to generate a SAN cert for Exchange, and I am receiving the validation error below. I made sure ports 80 and 443 were open and forwarded on my firewall.
How do I go about performing DNS validation for this?

A simple Windows ACMEv2 client (WACS)
Software version 2.1.20.1185 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
Running in mode: Unattended
Source generated using plugin Manual: mail.*****.com and 1 alternatives

Cached order has status invalid, discarding
[owa.*****.com] Authorizing...
[owa.*****.com] Authorizing using http-01 validation (SelfHosting)
[owa.us.com] Authorization result: pending
Create certificate failed: [owa.*****.com] Validation failed
- No certificate generated

Before you switch to DNS validation it's worth understanding why your https validation is not working. DNS validation can be just a little more complicated than http validation and I don't know what providers win-acme supports (I develop https://certifytheweb.com - which is an alternative).

You may need to run your renewal in some sort of verbose/debug mode but if port 80 is definitely being forwarded to the correct server (this one) and there is nothing blocking/consuming port 80 it should just work. The most common reasons are port 80 is no longer open in Windows Firewall, or at the VM/cloud level, or the machine just needs a restart.

I'd also normally expect a slightly more detailed error message when validation fails.

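Before switching to DNS validation, the following PowerShell script checks the things the reply above lists, on the server win-acme runs on. It is an added example, not code from the thread and not win-acme's own code: it assumes an elevated session, and the hostnames mail.example.com and owa.example.com stand in for the poster's redacted names. Step 4 mimics what the SelfHosting plugin does (an http.sys listener on the challenge path) so the forward can be tested from a phone or another network.

```powershell
# Added example (not win-acme's code, not from the thread): pre-flight checks for
# http-01 validation on the Windows host win-acme runs on. Run in an elevated
# PowerShell session. The hostnames are placeholders for the poster's redacted names.
$Hostnames = @('mail.example.com', 'owa.example.com')

# 1. Who holds TCP 80? The SelfHosting plugin registers an http.sys prefix for
#    /.well-known/acme-challenge/, which coexists with IIS but not with another
#    web server that has bound the socket directly.
$listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $listeners | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "TCP 80 is held by PID $($_.OwningProcess) ($($p.ProcessName)) on $($_.LocalAddress)"
    }
} else {
    'Nothing is listening on TCP 80; SelfHosting can bind it during validation'
}

# 2. Windows Firewall: is there an enabled inbound Allow rule that covers TCP 80?
#    (Port ranges such as 80-443 are not matched by this simple filter.)
$allow80 = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '80' -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($allow80) { "Inbound Allow rules for TCP 80: $($allow80.DisplayName -join ', ')" }
else          { 'WARNING: no enabled inbound Allow rule covers TCP 80 in Windows Firewall' }

# 3. Public DNS: Let's Encrypt connects to whatever the A record says, so it must be
#    the public address of the firewall that forwards 80 to this host.
foreach ($h in $Hostnames) {
    $a = Resolve-DnsName -Name $h -Type A -Server 8.8.8.8 -DnsOnly -ErrorAction SilentlyContinue
    if ($a) { "$h -> $(($a | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')" }
    else    { "WARNING: $h has no A record visible via 8.8.8.8" }
}

# 4. Serve a test token on the challenge path for 120 seconds, the way SelfHosting
#    does, then fetch http://<hostname>/.well-known/acme-challenge/wacs-test from
#    OUTSIDE the network. A fetch from the LAN only proves hairpin NAT, not the
#    forward that Let's Encrypt will use.
$token    = 'wacs-test'
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add('http://+:80/.well-known/acme-challenge/')
$listener.Start()   # throws if another process has bound port 80 outside http.sys
"Listening on http://+:80/.well-known/acme-challenge/ for 120 seconds; fetch /$token from outside"
$deadline = (Get-Date).AddSeconds(120)
$pending  = $null
try {
    while ((Get-Date) -lt $deadline) {
        if (-not $pending) { $pending = $listener.GetContextAsync() }
        if (-not $pending.Wait(1000)) { continue }   # poll so the loop can time out
        $ctx = $pending.Result; $pending = $null
        $path = $ctx.Request.Url.AbsolutePath
        "Request from $($ctx.Request.RemoteEndPoint.Address) for $path"
        $ctx.Response.StatusCode  = if ($path.EndsWith("/$token")) { 200 } else { 404 }
        $ctx.Response.ContentType = 'text/plain'
        $body = [System.Text.Encoding]::ASCII.GetBytes($token)
        $ctx.Response.OutputStream.Write($body, 0, $body.Length)
        $ctx.Response.Close()
    }
} finally {
    $listener.Stop()
}
```

If step 4 logs no request while an outside client times out, the problem is in front of the server (the port forward, or a cloud/VM-level firewall); if the request arrives and the client still fails, look at what answered instead of the listener.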

Thanks for your help. I moved on to a different DNS provider and am trying to use the API from Cloudflare with ACMEv2 (Cloudflare plugin).
Do I have to create any DNS records in Cloudflare? How can I get this to work, please?
Any help would be greatly appreciated!
Thank you

Cached order has status pending, discarding
[autodiscover.thedasilvafamily-us.com] Authorizing...
[autodiscover.thedasilvafamily-us.com] Authorizing using dns-01 validation (Cloudflare)
Unable to find or contact authoritative name servers for _acme-challenge.autodiscover.thedasilvafamily-us.com: Query 14704 => com IN NS on 8.8.8.8:53 timed out or is a transient error.
[autodiscover.thedasilvafamily-us.com] Error preparing for challenge answer
Create certificate failed: [autodiscover.thedasilvafamily-us.com] Error preparing for challenge answer
- No certificate generated


The ACME CloudFlare DNS plugin (with proper API creds) should do all that work for you.


Do you have a firewall blocking outgoing connections? It's failing to query Google's DNS servers to check your DNS record.

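The following PowerShell script reproduces, from the Exchange host, the lookups that win-acme attempts before dns-01 validation, so an outbound block shows up before the Cloudflare plugin is even asked to create a record. It is an added example, not code from the thread and not win-acme's own code. The zone name is taken from the posted log; treating 8.8.8.8 as the resolver to test, deriving the challenge record name from the autodiscover host, and listing api.cloudflare.com as the endpoint the plugin must reach are assumptions.

```powershell
# Added example (not from the thread, not win-acme's code): reproduce from the
# Windows host the DNS lookups win-acme performs before dns-01 validation.
# Zone name from the posted log; resolver, record name and API host are assumptions.
$Zone           = 'thedasilvafamily-us.com'
$Record         = "_acme-challenge.autodiscover.$Zone"
$PublicResolver = '8.8.8.8'

# 1. Host firewall: an outbound default of Block (with no DNS allow rule) explains a
#    timeout to 8.8.8.8 even though inbound 80 and 443 are forwarded correctly.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize

# 2. TCP reachability of the public resolver and of the Cloudflare API. Test-NetConnection
#    only speaks TCP, so success here does not prove UDP/53 works; step 3 covers that.
foreach ($t in @(@{ Host = $PublicResolver; Port = 53 }, @{ Host = 'api.cloudflare.com'; Port = 443 })) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    Write-Host ("{0}:{1} TCP reachable: {2}" -f $t.Host, $t.Port, $r.TcpTestSucceeded)
}

# Helper: one query against one server; reports on the console and returns the answer
# records (or $null) so the caller can walk the delegation.
function Test-Lookup {
    param([string]$Name, [string]$Type, [string]$Server, [switch]$TcpOnly)
    $via = if ($TcpOnly) { "$Server [TCP]" } else { "$Server [UDP]" }
    try {
        $ans = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -TcpOnly:$TcpOnly -ErrorAction Stop
        Write-Host ("{0} {1} via {2}: OK, {3} record(s)" -f $Name, $Type, $via, @($ans).Count)
        return $ans
    } catch {
        Write-Host ("{0} {1} via {2}: FAILED - {3}" -f $Name, $Type, $via, $_.Exception.Message)
        return $null
    }
}

# 3. The exact query from the log: 'com IN NS' against 8.8.8.8, over UDP and then TCP.
#    UDP failing while TCP succeeds points at a firewall rule that only permits TCP/53.
$null = Test-Lookup -Name 'com' -Type NS -Server $PublicResolver
$null = Test-Lookup -Name 'com' -Type NS -Server $PublicResolver -TcpOnly

# 4. Find the zone's authoritative servers (the Cloudflare name servers once the zone is
#    delegated there) and ask each one directly for the challenge record. Before
#    win-acme has created it, "DNS name does not exist" from every server is the
#    expected answer and still proves the path win-acme will poll is open.
$ns = Test-Lookup -Name $Zone -Type NS -Server $PublicResolver
foreach ($server in @($ns | Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost })) {
    $txt = Test-Lookup -Name $Record -Type TXT -Server $server
    if ($txt) {
        Write-Host ("  {0} returns: {1}" -f $server, (($txt | Where-Object { $_.Type -eq 'TXT' }).Strings -join ', '))
    }
}
```

With the Cloudflare plugin and a working API token, no record has to be created by hand; the plugin writes the TXT record and removes it afterwards. The script above only confirms that the host can perform the lookups win-acme makes around that step.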
