Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mattball.co.uk, home.mattball.co.uk, and mattball.mooo.com
I ran this command: WACS (Win-acme 2.2.9.1701)
It produced this output:
1: http (3 bindings)
Site identifier(s) or <Enter> to choose all: <Enter>
1: mattball.co.uk (Site 1)
2: home.mattball.co.uk (Site 1)
3: mattball.mooo.com (Site 1)
Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.
P: Pick bindings based on a search pattern
R: Pick bindings based on a regular expression
A: Pick *all* bindings
Binding identifiers(s) or menu option: 1
1: mattball.co.uk (Site 1)
Continue with this selection? (y*/n) - yes
Friendly name '[IIS] (any site), mattball.co.uk'. <Enter> to accept or type desired name: <Enter>
By default your source identifiers are covered by a single certificate. But
if you want to avoid the 100 domain limit, want to prevent information
disclosure via the SAN list, and/or reduce the operational impact of a single
validation failure, you may choose to convert one source into multiple
certificates, using different strategies.
4: Single certificate
Would you like to split this source into multiple certificates?: 4
The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard identifiers the latter is the only option.
Various additional plugins are available from
https://github.com/win-acme/win-acme/.
Have tried both 2 and 9
2: [http] Serve verification files from memory
9: [tls-alpn] Answer TLS verification request from win-acme
How would you like prove ownership for the domain(s)?: <Enter>
After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.
2: RSA key
What kind of private key should be used for the certificate?: <Enter>
When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).
4: Windows Certificate Store (Local Computer)
How would you like to store the certificate?: <Enter>
3: [Default] - Use global default, currently WebHosting
Choose store to use, or type the name of another unlisted store: <Enter>
5: No (additional) store steps
Would you like to store it in another way too?: <Enter>
[VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
[VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
[VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.
1: Create or update bindings in IIS
Which installation step should run first?: <Enter>
This plugin will update *all* binding using the previous certificate in both
Web and FTP sites, regardless of whether those bindings were created manually
or by the program itself. Therefor you'll never need to run this installation
step twice.
During initial setup, it will try to make as few changes as possible to IIS
to cover the source identifiers. If new bindings are needed, by default it
will create those at the same site where the HTTP binding for that host was
found.
Create new bindings in a different site? (y/n*) - no
3: No (additional) installation steps
Add another installation step?: <Enter>
[VERB] Constructing ACME protocol client...
[VERB] Getting service directory...
[DBUG] [HTTP] Send GET to https://acme-v02.api.letsencrypt.org/directory
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"5sQi4TwVJRk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"profiles": {
"classic": "https://letsencrypt.org/docs/profiles#classic",
"shortlived": "https://letsencrypt.org/docs/profiles#shortlived",
"tlsclient": "https://letsencrypt.org/docs/profiles#tlsclient",
"tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
},
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[DBUG] Using default account...
[VERB] Autofac: creating Execution scope with parent wacs
[VERB] Autofac: creating PluginBackend<ITargetPlugin> scope with parent Execution
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[DBUG] Scanning IIS bindings for host names
[VERB] 3 named bindings found in IIS
[DBUG] Filtering based on binding type
[VERB] No site filter applied
[DBUG] Filtering by host: ^(mattball\.co\.uk)$
[VERB] 1 bindings remaining after host filter
[VERB] 1 matching binding found
[INFO] Plugin IIS generated source mattball.co.uk with 1 identifiers
[VERB] Autofac: creating Split scope with parent PluginBackend<ITargetPlugin>
[VERB] Autofac: creating PluginBackend<IOrderPlugin> scope with parent Split
[INFO] Plugin Single created 1 order
[VERB] Checking [IIS] (any site), mattball.co.uk
[VERB] Autofac: creating Order scope with parent PluginBackend<ITargetPlugin>
[VERB] Autofac: creating PluginBackend<ICsrPlugin> scope with parent order-main
[DBUG] Reading certificate cache
[DBUG] No cache files found for renewal
[VERB] Order Main should run (new/changed source)
[VERB] Obtain order details for Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] [HTTP] Send HEAD to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Empty response
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/order/1491669486/501142272921
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL29yZGVyLzE0OTE2Njk0ODYvNTAxMTQyMjcyOTIxIiwibm9uY2UiOiJua3Eza2tzWmN4cWF4YVVqMmdrUmoxREVDOWNxSy1pSGx6SUQ2eDNVeF85UWxyWUxSOGMiLCJraWQiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE0OTE2Njk0ODYifQ","payload":"","signature":"8lN5Gs_A2Nnt_gSbhnqxewsKCZl7J0c4e40NtbnKIiogL9kQHeaAVZ64HVWXk5Gy0SQA3OUl2Xfi0tGBem7kfQ"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"status": "invalid",
"expires": "2026-04-23T02:05:08Z",
"identifiers": [
{
"type": "dns",
"value": "mattball.co.uk"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/1491669486/688849310161"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1491669486/501142272921"
}
[WARN] Cached order has status invalid, discarding
[DBUG] Deleted C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Orders\fe1f768e776c6e28ca603943290832197b1b2464.order.json
[VERB] Creating order for identifiers: ["mattball.co.uk"] (notAfter: null, previous: [none])
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsIm5vbmNlIjoid04wV1hDcnh6MnRFZkFtc0pPdnZhQTFvd0NQcV8xN1FQWm8zbzlDUjliRVZCQ3lMN1VRIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDkxNjY5NDg2In0","payload":"eyJpZGVudGlmaWVycyI6W3sidHlwZSI6ImRucyIsInZhbHVlIjoibWF0dGJhbGwuY28udWsifV19","signature":"9EQcOMWGfzVDQBZvhpouvJhpl2GXuEmJFI9A49LSmUD3xh9bmeWO1ZGoc5PP3nPrhPMCCy0KQqGE-HDUE0xHHw"}
[VERB] [HTTP] Request completed with status Created
[VERB] [HTTP] Response content: {
"status": "pending",
"expires": "2026-04-23T02:15:49Z",
"identifiers": [
{
"type": "dns",
"value": "mattball.co.uk"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/1491669486/688853305011"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1491669486/501145090981"
}
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/1491669486/501145090981 created
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz/1491669486/688853305011
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE0OTE2Njk0ODYvNjg4ODUzMzA1MDExIiwibm9uY2UiOiJ3TjBXWENyeHR4Q29GNEJ3Uk5rTGk1MnNzUGVEOHdYOTBPclFSelBjTVlwNzBGeUZ5eUEiLCJraWQiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE0OTE2Njk0ODYifQ","payload":"","signature":"SP30sQMi_9gCsWEuP4MpM9rY7nZHhDMBKfCfq0ERrJmkNsj-_jqIp9bsPVFDLcMoXS3eQFofKr-pDmiHwkfCZA"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"identifier": {
"type": "dns",
"value": "mattball.co.uk"
},
"status": "pending",
"expires": "2026-04-23T02:15:49Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/ZINcbA",
"status": "pending",
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo"
},
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ",
"status": "pending",
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/FBOnNQ",
"status": "pending",
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo"
}
]
}
[VERB] Autofac: creating Target scope with parent PluginBackend<ICsrPlugin>
[VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[VERB] Autofac: creating PluginBackend<IValidationPlugin> scope with parent PluginBackend<ICsrPlugin>
[VERB] Handle authorization 1/1
[VERB] Autofac: creating PluginBackend<IValidationPlugin> scope with parent PluginBackend<ICsrPlugin>
[INFO] [mattball.co.uk] Authorizing...
[VERB] [mattball.co.uk] Initial authorization status: pending
[VERB] [mattball.co.uk] Challenge types available: ["dns-01", "http-01", "tls-alpn-01"]
[VERB] [mattball.co.uk] Initial challenge status: pending
[INFO] [mattball.co.uk] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [mattball.co.uk] Submitting challenge answer
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE0OTE2Njk0ODYvNjg4ODUzMzA1MDExL3JhSGF1USIsIm5vbmNlIjoibmtxM2trc1pud25iZkZQZXpxUG1TcTNVN2JaSmwwZHhVSzNqYXliTk9KamxVU1pZQWtZIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDkxNjY5NDg2In0","payload":"e30","signature":"aKwMN5jLdYEBx2kykGt_aGYT3CMYcjyvoXeyXh9sZQICr-ZNVrFHd8JstZhuthKVPoXkey24BAmyXPgqkiAy7w"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ",
"status": "pending",
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo"
}
[DBUG] Refreshing authorization (1/15)
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE0OTE2Njk0ODYvNjg4ODUzMzA1MDExL3JhSGF1USIsIm5vbmNlIjoid04wV1hDcnhOYzVoYl9BMUZDbVNqTUQ1T08tNld3dndyMFMtMXV0VlB3NkdlWHJzT2pjIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDkxNjY5NDg2In0","payload":"","signature":"gxU0clsynZPWkRqpCF4unybgxE-85GNCNKSo6yaXWqQ_eX0Wr-c-ihqzOrLC_eWfsTsCiFmIUgUflsZXQPzU1A"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ",
"status": "pending",
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo"
}
[DBUG] Refreshing authorization (2/15)
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE0OTE2Njk0ODYvNjg4ODUzMzA1MDExL3JhSGF1USIsIm5vbmNlIjoibmtxM2trc1p2YWI0MU9zLUlSQ0Q2eTlfc0pHcVE3MG0wOVR1ZnZLNmRtT3ktRzc3bF9BIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDkxNjY5NDg2In0","payload":"","signature":"ClQHIq7ghz5kEn77SOJUOfU_rFxKm8i8tlCFoWcxs6Z_m_myxB3cFX4WiS4GLc4La2Esj4U8Rx0CUerusFFX6A"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ",
"status": "invalid",
"validated": "2026-04-16T02:15:49Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "62.64.147.173: Fetching http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo: Timeout during connect (likely firewall problem)",
"status": 400
},
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo",
"validationRecord": [
{
"url": "http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo",
"hostname": "mattball.co.uk",
"port": "80",
"addressesResolved": [
"62.64.147.173"
],
"addressUsed": "62.64.147.173"
}
]
}
[EROR] [mattball.co.uk] Authorization result: invalid
[EROR] [mattball.co.uk] {"type":"urn:ietf:params:acme:error:connection","detail":"62.64.147.173: Fetching http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo: Timeout during connect (likely firewall problem)","status":400,"instance":null}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was successful
[INFO] [mattball.co.uk] Deactivating pending authorization
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz/1491669486/688853305011
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE0OTE2Njk0ODYvNjg4ODUzMzA1MDExIiwibm9uY2UiOiJ3TjBXWENyeFN3TnV5RXFkNm9JemttTUZqVzlLN2xEV2hCOWhQZE4tOER2RVZDLUo5OXciLCJraWQiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE0OTE2Njk0ODYifQ","payload":"eyJzdGF0dXMiOiJkZWFjdGl2YXRlZCJ9","signature":"ZTF_G4kURBvAW3axUEk6fsMl9G9J19Sa9a4wOc2g9G0Ry4k3jSk44CLLhik99XCayVnLF1XOYXo9nEXd5TOQ-g"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"identifier": {
"type": "dns",
"value": "mattball.co.uk"
},
"status": "deactivated",
"expires": "2026-04-23T02:15:49Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1491669486/688853305011/raHauQ",
"status": "invalid",
"validated": "2026-04-16T02:15:49Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "62.64.147.173: Fetching http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo: Timeout during connect (likely firewall problem)",
"status": 400
},
"token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo",
"validationRecord": [
{
"url": "http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo",
"hostname": "mattball.co.uk",
"port": "80",
"addressesResolved": [
"62.64.147.173"
],
"addressUsed": "62.64.147.173"
}
]
}
]
}
Order 1/1 (Main): error Validation failed
Processing order 1/1: Main
My web server is (include version): IIS 10.0
The operating system my web server runs on is (include version): Win 11 Pro
My hosting provider, if applicable, is: Giganet
I can login to a root shell on my machine (yes or no, or I don't know): Windows / yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot
So this previously used to work just fine. I ran a Cisco ASA 5506 with ports open for 80/443, and semi-restricted to the source IPs.
Every few months I'd "open" up the source IP ranges, run the ACME SSL process, renew, then lock down the IPs again. No big issue. I also export one cert to PFX to use in a third-party app.
Now I've replaced the 5506 with a Cisco FPR1010 in ASA mode, so same setup. Manually configured the firewall, nothing fancy, have tried disabling threat detection, HTTP is not inspected, shun disabled, etc., and 80/443 are accessible as normal. I open up the "source IPs" to all, run the ACME updater, and this is the error I get: 400.
It's like LetsEncrypt just can't find my server.
Now I can't use DNS easily, as I have a dynamic IP address.
So my mattball.co.uk and home.mattball.co.uk point to mattball.mooo.com (CNAME), which is dynamically updated to my IP. Being a DDNS entry, I can't update DNS for mooo.com as I don't own it.
Typically, my priority is to generate a cert (PFX) for mattball.mooo.com, and ideally get the rest resolved, but I cannot for the life of me figure out what's going on. Have tried all options and variations within Win-Acme. Tried removing my 443 bindings and using the tls-alpn option; still fails.
Tried saving verification files on a network path and copying them into the IIS .well-known\acme-challenge folder, etc.
Still get Timeout during connect (likely firewall problem)","status":400,"instance":null}
Oh and the fun part is, if I run --test, it works perfectly fine....!?!?!?!?
Grrrrrrrr, I only spent 4-5 hours on it tonight, from 11pm to 3.30am... so I'm really, really stumped!
I can confirm if I open my port 80/443 to "any", it's accessible from ANYWHERE (VPNs, remote clients and friends abroad can all access it okay, etc.).
Any thoughts, anyone, before I have to trudge off and buy a bunch of SSLs?
Your thoughts and ideas are greatly appreciated.
Matt
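The win-acme log above records the whole ACME exchange: every request is a JWS whose base64url "protected" header carries the signing algorithm, the request URL, the anti-replay nonce and the account URL (kid), and the final authorization object carries the CA's own validationRecord for the http-01 attempt. The following is an added example, not part of the post or of win-acme, that decodes one of those request bodies and summarises the failed challenge from the authorization JSON; the sample values are copied from the log above, and the helper names (decode_jws, diagnose) are constructed for this example.

```python
"""Decode the JWS bodies and the final authorization object that win-acme logs
during an ACME (RFC 8555) run. Sample values are copied from the post's log."""
import base64
import json

# The challenge-response POST from the log. Answering a challenge sends the
# payload "{}" (RFC 8555 section 7.5.1); the later status polls are POST-as-GET ("").
REQUEST_JWS = '{"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE0OTE2Njk0ODYvNjg4ODUzMzA1MDExL3JhSGF1USIsIm5vbmNlIjoibmtxM2trc1pud25iZkZQZXpxUG1TcTNVN2JaSmwwZHhVSzNqYXliTk9KamxVU1pZQWtZIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDkxNjY5NDg2In0","payload":"e30","signature":"aKwMN5jLdYEBx2kykGt_aGYT3CMYcjyvoXeyXh9sZQICr-ZNVrFHd8JstZhuthKVPoXkey24BAmyXPgqkiAy7w"}'

# Final authorization from the log, cut down to the one challenge that ran.
AUTHZ_JSON = """{
  "identifier": {"type": "dns", "value": "mattball.co.uk"},
  "status": "deactivated",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "token": "aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo",
    "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
              "detail": "62.64.147.173: Fetching http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo: Timeout during connect (likely firewall problem)"},
    "validationRecord": [{
      "url": "http://mattball.co.uk/.well-known/acme-challenge/aUk8z1hkk1DiyF_3FtDsHgFDYWpTafERTEjakeURGLo",
      "hostname": "mattball.co.uk", "port": "80",
      "addressesResolved": ["62.64.147.173"], "addressUsed": "62.64.147.173"}]
  }]
}"""

def b64url_decode(s: str) -> bytes:
    """base64url without padding, as JWS and ACME tokens use it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_jws(body: str) -> tuple:
    """Return (protected header, payload text); the signature is not verified here."""
    jws = json.loads(body)
    header = json.loads(b64url_decode(jws["protected"]))
    return header, b64url_decode(jws["payload"]).decode()

def diagnose(authz_json: str) -> dict:
    """Summarise a failed challenge: what the CA fetched, from where, and why."""
    authz = json.loads(authz_json)
    ident = authz["identifier"]["value"]
    failed = [c for c in authz["challenges"] if c.get("status") == "invalid"]
    if not failed:
        return {"identifier": ident, "failed": False}
    ch = failed[0]
    err = ch.get("error", {})
    rec = ch["validationRecord"][-1]          # last attempt the CA recorded
    kind = err.get("type", "").rsplit(":", 1)[-1]   # connection, unauthorized, dns, ...
    # "connection" + "Timeout during connect": no TCP handshake completed, so the
    # web server behind the firewall never saw the request at all.
    tcp = kind == "connection" and "Timeout during connect" in err.get("detail", "")
    return {
        "identifier": ident,
        "failed": True,
        "challenge": ch["type"],
        "error_kind": kind,
        "tcp_level": tcp,
        "url": rec["url"],
        "address_used": rec["addressUsed"],
        "port": int(rec["port"]),
        "token_in_url": rec["url"].endswith("/" + ch["token"]),
    }
```

A tcp_level result means the validator's connection to port 80 on the resolved address never completed, so IIS bindings, challenge files or tls-alpn settings cannot be the cause; the place to look is the path from the internet to that port.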