My domain is: thomsclan.com
I ran this command: wacs.exe
R: Run renewals (1 currently due)
It produced this output:
Plugin Manual generated source mail.thomsclan.com with 4 identifiers
Plugin Single created 1 order
Error getting renewal information from server
Renewing [Manual] mail.thomsclan.com
First chance error calling into ACME server, retrying with new nonce...
Cached order has status invalid, discarding
[autodiscover.thomsclan.com] Authorizing...
[autodiscover.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[autodiscover.thomsclan.com] Authorization result: invalid
[autodiscover.thomsclan.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"166.254.84.164: Invalid response from http://autodiscover.thomsclan.com/.well-known/acme-challenge/YjRvsf_XSMiPPyVpcVmQ2MeMd7HZrtzxUbZW0XNGtzo: 404","status":403,"instance":null}
[autodiscover.thomsclan.com] Deactivating pending authorization
[mail.thomsclan.com] Deactivating pending authorization
[mail3.thomsclan.com] Deactivating pending authorization
[thomsclan.com] Deactivating pending authorization
Renewal for [Manual] mail.thomsclan.com failed, will retry on next run
Validation failed
No certificate generated
My web server is (include version): Exchange 15.1
The operating system my web server runs on is (include version): Windows 2016 ver 1607
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Welcome @shanethoms
Did you recently make changes to your DNS and/or public IP?
Because I don't see an A record for thomsclan.com. While all the other 3 have an A record with the same IP address.
That doesn't explain why autodiscover subdomain fails. Unless the IP is no longer correct.
But, thomsclan.com will definitely fail authorization without an A record. Sometimes we learn about one problem while fixing another. You couldn't have gotten your last cert with this missing A record.
3 Likes
Here is a list of issued certificates crt.sh | thomsclan.com, the latest being 2025-01-30.
And these are the matching identities autodiscover.thomsclan.com, mail3.thomsclan.com, mail.thomsclan.com, and thomsclan.com for recent certificates. Assuming that is what you are wishing to renew and using the HTTP-01 challenge each one of them must have an IP Address (IPv4 and/or IPv6).
And here is what I see for DNS
Are you using the win-acme self-hosting option? [Edit, yes you are it says it in the log] Maybe try a reboot as normally that will work OK.
Rebooted the server first thing.
No joy.
Rebooted the router. No joy.
1 Like
I was on the same thought, so was playing with DNS after I posted. In hindsight, dumb to do after asking for help. IP is fixed from Verizon, FTP and other services are working so the IP, port forwarding,... should all be ok.
Reset everything back at Name.com:
2 Likes
The "404" in the error from Let's Encrypt means your server replied with an http "404 Not Found" to the HTTP challenge.
With the standalone wacs option it should be replying to these requests. I am not expert enough with Windows servers / wacs to say much more. Perhaps someone else here will or try their github. It probably won't help this problem but you may want to consider changing to simple-acme. See the first issue at the win-acme github: GitHub · Where software is built
I do suggest running with "--verbose" option to see if further info is displayed.
2 Likes
I had a port 80 forwarding rule, to my IIS/File server. Removed it.
I also disabled the firewall on the Exchange server. (running WACS)
Tried again:
Plugin Manual generated source mail.thomsclan.com with 4 identifiers
Plugin Single created 1 order
Error getting renewal information from server
Renewing [Manual] mail.thomsclan.com
Cached order has status invalid, discarding
[autodiscover.thomsclan.com] Authorizing...
[autodiscover.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[autodiscover.thomsclan.com] Authorization result: invalid
[autodiscover.thomsclan.com] {"type":"urn:ietf:params:acme:error:connection","detail":"166.254.84.164: Fetching http://autodiscover.thomsclan.com/.well-known/acme-challenge/NIquk6RpiiLStneEapUptZxoznQObwl93ZtptxA7t3o: Timeout during connect (likely firewall problem)","status":400,"instance":null}
[autodiscover.thomsclan.com] Deactivating pending authorization
[mail.thomsclan.com] Deactivating pending authorization
[mail3.thomsclan.com] Deactivating pending authorization
[thomsclan.com] Deactivating pending authorization
Renewal for [Manual] mail.thomsclan.com failed, will retry on next run
Validation failed
No certificate generated
Different error, so on to something??
Did you add a port 80 forwarding rule to the server running WACS?
1 Like
No, I just turned off the Windows firewall.
Thinking I can undo one then the other to see when the error changes back?
Or should I forward 80 to the Exchange server, on the router?
Yes, the inbound HTTP request on port 80 has to be sent to the server running WACS.
Send it to Exchange server if running there. Or, restore the setting for port 80 to your IIS server and run WACS on that server. Then copy the cert to Exchange server after.
It seems more sensible to run WACS on your IIS server as that typically handles port 80 and redirects to port 443 (HTTPS).
How did you have this setup before? Which part(s) are new? Something in your configuration must have changed since you last got a good cert.
4 Likes
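The two failures in this thread (a 404 from the wrong web server, then a connect timeout once the forwarding rule was removed) and the missing A record both show up before the renewal ever starts. Below is an added example, not win-acme code and not from any poster here: a small Python pre-flight that classifies the JSON error object win-acme prints after `[host]` and checks each identifier for a public address and for something answering on port 80. The resolver and probe are injectable so the logic can be exercised offline; the `main` demo uses a constructed DNS map and probe results modelled on the thread, and the advice strings, the `ADVICE` keys and the `preflight-probe` token are my own naming.

```python
import json
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Path every HTTP-01 validator requests (RFC 8555, section 8.3).
ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Keys and advice are this example's own; the error types they map from are
# the RFC 8555 section 6.7 URNs that appear in the win-acme output above.
ADVICE = {
    "unauthorized-404": "a web server answered on port 80 but did not serve the "
                        "token: port 80 is reaching a different host than the ACME client",
    "connection-timeout": "nothing answered on port 80: check the host firewall "
                          "and the router's port 80 forwarding rule",
    "dns": "the validator could not resolve the name: add the missing A/AAAA record",
}


def classify_acme_error(log_line: str) -> Tuple[str, str]:
    """Parse the JSON object after '[host] ' in a win-acme line; return (key, advice)."""
    start = log_line.find("{")
    if start < 0:
        return ("not-an-error", "line carries no ACME error object")
    err = json.loads(log_line[start:])
    etype = err.get("type", "").rsplit(":", 1)[-1]   # "unauthorized", "connection", ...
    detail = err.get("detail", "")
    if etype == "unauthorized" and ": 404" in detail:
        key = "unauthorized-404"
    elif etype == "connection" and "Timeout" in detail:
        key = "connection-timeout"
    elif etype == "dns":
        key = "dns"
    else:
        key = "other"
    return (key, ADVICE.get(key, f"ACME error type {etype!r}: {detail}"))


def resolve_addresses(host: str) -> List[str]:
    """Real resolver: the host's A/AAAA answers, or [] when the name has none."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port80_status(host: str, timeout: float = 10.0) -> Optional[int]:
    """Real probe: HTTP status returned on port 80, or None if nothing answers."""
    url = f"http://{host}{ACME_CHALLENGE_PREFIX}preflight-probe"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 404 and friends: something is listening
    except (urllib.error.URLError, OSError):
        return None            # connect timeout or refused


def preflight(identifiers: Iterable[str],
              resolve: Callable[[str], List[str]] = resolve_addresses,
              probe: Callable[[str], Optional[int]] = port80_status) -> Dict[str, str]:
    """Check every identifier the order will contain before running the renewal."""
    report: Dict[str, str] = {}
    for host in identifiers:
        if not resolve(host):
            report[host] = "no-address"          # HTTP-01 cannot start without one
            continue
        # The self-hosting listener only exists during validation, so a 404 here
        # is expected; what matters is whether port 80 answers at all.
        report[host] = "port80-unreachable" if probe(host) is None else "port80-reachable"
    return report


def main() -> None:
    # Constructed results standing in for the thread's situation: the apex has
    # no A record and nothing forwards port 80 to the host running the client.
    fake_dns = {"thomsclan.com": [], "mail.thomsclan.com": ["192.0.2.10"],
                "mail3.thomsclan.com": ["192.0.2.10"], "autodiscover.thomsclan.com": ["192.0.2.10"]}
    fake_probe = lambda host: None   # connect timeout everywhere
    for host, state in preflight(fake_dns, fake_dns.get, fake_probe).items():
        print(f"{host}: {state}")


if __name__ == "__main__":
    main()
```

Run it with the real defaults (`preflight(["mail.thomsclan.com", ...])`) from outside your own network, since a router's port forwarding often behaves differently from the LAN side; a `port80-unreachable` result predicts the timeout error and a `no-address` result predicts a failed authorization regardless of the web server.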
Updated router forwarding, 80 to Exchange, and it worked. I must have had that record in when I started LetsEncrypt, and moved it for the IIS server at some point. Well over a month ago...
Thanks to everyone that helped, and thank you to @MikeMcQ for leading my blind @$$ to the solution.
1 Like
Everything is working/flowing now, but I see two errors at the bottom. Should I be concerned?
Plugin Manual generated source mail.thomsclan.com with 4 identifiers
Plugin Single created 1 order
Error getting renewal information from server
Renewing [Manual] mail.thomsclan.com
First chance error calling into ACME server, retrying with new nonce...
Cached order has status invalid, discarding
[autodiscover.thomsclan.com] Authorizing...
[autodiscover.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[autodiscover.thomsclan.com] Authorization result: valid
[mail.thomsclan.com] Authorizing...
[mail.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[mail.thomsclan.com] Authorization result: valid
[mail3.thomsclan.com] Authorizing...
[mail3.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[mail3.thomsclan.com] Authorization result: valid
[thomsclan.com] Authorizing...
[thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[thomsclan.com] Authorization result: valid
Downloading certificate [Manual] mail.thomsclan.com
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] mail.thomsclan.com @ 2025/5/1 to store My
Add full control rights for network service
Add full control rights for administrators
Installation step 1/2: IIS...
Updating existing https binding :443 (flags: 0)
Updating existing https binding :443:127.0.0.1 (flags: 0)
Updating existing https binding mail.thomsclan.com:443 (flags: 1)
Updating existing https binding mail3.thomsclan.com:443 (flags: 1)
Updating existing https binding autodiscover.thomsclan.com:443 (flags: 1)
Updating existing https binding thomsclan.com:443 (flags: 1)
Committing 6 https binding changes to IIS while updating site 1
Installation step 2/2: Script...
Script ./Scripts/ImportExchange.ps1 starting with parameters 'D02D04DFBB7897344779FBE39370093523DFBAE1' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\hJOgTY0Td0aENQT84xQ2mA-main-9a2ed68873722dd98855f0751cc3d97e5346a896-temp.pfx' '********' '[Manual] mail.thomsclan.com @ 2025/5/1'
Script finished
Uninstalling certificate from the certificate store
Removing certificate [Manual] mail.thomsclan.com @ 2025/1/30 from store My
Error updating renewal info: Must specify a request path
Error getting renewal information from server
Next renewal due after 2025/6/25
Renewal for [Manual] mail.thomsclan.com succeeded with errors
1 Like
Maybe this? What version of wacs are you running?
2 Likes