Did you recently make changes to your DNS and/or public IP?
Because I don't see an A record for thomsclan.com, while all the other 3 have an A record with the same IP address.
That doesn't explain why autodiscover subdomain fails. Unless the IP is no longer correct.
But, thomsclan.com will definitely fail authorization without an A record. Sometimes we learn about one problem while fixing another. You couldn't have gotten your last cert with this missing A record.
Here is a list of issued certificates crt.sh | thomsclan.com, the latest being 2025-01-30.
And these are the matching identities autodiscover.thomsclan.com, mail3.thomsclan.com, mail.thomsclan.com, and thomsclan.com for recent certificates. Assuming that is what you are wishing to renew and using the HTTP-01 challenge, each one of them must have an IP address (IPv4 and/or IPv6).
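Added example, not part of the original posts or of win-acme: a pre-renewal check that every identifier on the certificate resolves to an address, and to the same address as the others, before an HTTP-01 renewal is attempted. The function names and the sample DNS data (documentation address range) are assumptions constructed for illustration.

```python
import socket
from collections import Counter

# The four identifiers named in the thread.
IDENTIFIERS = [
    "autodiscover.thomsclan.com",
    "mail3.thomsclan.com",
    "mail.thomsclan.com",
    "thomsclan.com",
]

def system_resolve(name):
    """Return the set of IPv4/IPv6 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # no A/AAAA record, or the name does not exist
    return {info[4][0] for info in infos}

def preflight(names, resolve=system_resolve):
    """Classify each name as 'missing', 'differs' or 'ok' for HTTP-01."""
    addrs = {n: frozenset(resolve(n)) for n in names}
    # The address set shared by most names is taken as the expected one.
    present = [a for a in addrs.values() if a]
    expected = Counter(present).most_common(1)[0][0] if present else frozenset()
    report = {}
    for name, found in addrs.items():
        if not found:
            report[name] = "missing"   # the CA cannot reach this name at all
        elif found != expected:
            report[name] = "differs"   # may point at a stale or wrong host
        else:
            report[name] = "ok"
    return report

# Constructed sample data mirroring the situation described above:
# three names share one address and the apex has no A record.
SAMPLE_DNS = {
    "autodiscover.thomsclan.com": {"203.0.113.10"},
    "mail3.thomsclan.com": {"203.0.113.10"},
    "mail.thomsclan.com": {"203.0.113.10"},
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    for name, status in preflight(IDENTIFIERS, sample_resolve).items():
        print(f"{status:8} {name}")
```

Calling `preflight(IDENTIFIERS)` without the second argument uses the machine's own resolver, which may return cached or internal answers that differ from what the CA sees from the public internet.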
I was on the same thought, so was playing with DNS after I posted. In hindsight, dumb to do after asking for help. IP is fixed from Verizon, FTP and other services are working so the IP, port forwarding, ... should all be ok.
The "404" in the error from Let's Encrypt means your server replied with an http "404 Not Found" to the HTTP challenge.
With the standalone wacs option it should be replying to these requests. I am not expert enough with Windows servers / wacs to say much more. Perhaps someone else here will or try their github. It probably won't help this problem but you may want to consider changing to simple-acme. See the first issue at the win-acme GitHub.
I do suggest running with "--verbose" option to see if further info is displayed.
Yes, the inbound HTTP request on port 80 has to be sent to the server running WACS.
Send it to Exchange server if running there. Or, restore the setting for port 80 to your IIS server and run WACS on that server. Then copy the cert to Exchange server after.
It seems more sensible to run WACS on your IIS server as that typically handles port 80 and redirects to port 443 (HTTPS).
How did you have this setup before? Which part(s) are new? Something in your configuration must have changed since you last got a good cert.
Updated router forwarding, 80 to Exchange, and it worked. I must have had that record in when I started LetsEncrypt, and moved it for the IIS server at some point. Well over a month ago...
Thanks to everyone that helped, and thank you to @MikeMcQ for leading my blind @$$ to the solution.
Everything is working/flowing now, but I see two errors at the bottom. Should I be concerned?
Plugin Manual generated source mail.thomsclan.com with 4 identifiers
Plugin Single created 1 order
Error getting renewal information from server
Renewing [Manual] mail.thomsclan.com
First chance error calling into ACME server, retrying with new nonce...
Cached order has status invalid, discarding
[autodiscover.thomsclan.com] Authorizing...
[autodiscover.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[autodiscover.thomsclan.com] Authorization result: valid
[mail.thomsclan.com] Authorizing...
[mail.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[mail.thomsclan.com] Authorization result: valid
[mail3.thomsclan.com] Authorizing...
[mail3.thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[mail3.thomsclan.com] Authorization result: valid
[thomsclan.com] Authorizing...
[thomsclan.com] Authorizing using http-01 validation (SelfHosting)
[thomsclan.com] Authorization result: valid
Downloading certificate [Manual] mail.thomsclan.com
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] mail.thomsclan.com @ 2025/5/1 to store My
Add full control rights for network service
Add full control rights for administrators
Installation step 1/2: IIS...
Updating existing https binding :443 (flags: 0)
Updating existing https binding :443:127.0.0.1 (flags: 0)
Updating existing https binding mail.thomsclan.com:443 (flags: 1)
Updating existing https binding mail3.thomsclan.com:443 (flags: 1)
Updating existing https binding autodiscover.thomsclan.com:443 (flags: 1)
Updating existing https binding thomsclan.com:443 (flags: 1)
Committing 6 https binding changes to IIS while updating site 1
Installation step 2/2: Script...
Script ./Scripts/ImportExchange.ps1 starting with parameters 'D02D04DFBB7897344779FBE39370093523DFBAE1' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\hJOgTY0Td0aENQT84xQ2mA-main-9a2ed68873722dd98855f0751cc3d97e5346a896-temp.pfx' '********' '[Manual] mail.thomsclan.com @ 2025/5/1'
Script finished
Uninstalling certificate from the certificate store
Removing certificate [Manual] mail.thomsclan.com @ 2025/1/30 from store My
Error updating renewal info: Must specify a request path
Error getting renewal information from server
Next renewal due after 2025/6/25
Renewal for [Manual] mail.thomsclan.com succeeded with errors