Win-acme Cert request fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: "N:create cert with default settings"

It produced this output:
{"type":"urn:ietf:params:acme:error:unauthorized","detail":" Invalid response from 404","status":403,"instance":null}

My web server is (include version): IIS ver 10.0.17763.1

The operating system my web server runs on is (include version):
Windows Server 2019 ver 17663.4645
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): i don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no but I am doing reverse proxy

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Your domain is using an Apache server.

I don't know the details of your win-acme request but it needs to setup Apache for the HTTP Challenge of the cert request. Did you instead have it work with your IIS server?

A 404 error means the Let's Encrypt server could not find the file created by win-acme at the system handling HTTP requests to your domain.

Can you clarify what Apache and IIS should be doing for this domain name?


The website is hosted by apache tomcat and im using IIS to reverse-proxy to the server. I am new to most of this and most of the guides show to use IIS to install the cert.

The webserver that answers for (HTTP over TCP port 80) appears to be the apache server, not IIS, as shown by the Server header. It would be a little easier to get your certificate if it was IIS that was reverse proxying back to apache but I assume you have it working the other way around.

To order your cert yo need to validate your domain, and to do that you can use http validation (a special HTTP request to your server). In your case Apache is answering, so you could use the "webroot" method of writing the challenge response files out to the apache htdocs filesystem, however I don't know how that interacts with Tomcat (is tomcat even involved yet? maybe you run the app off a /app etc path?).

Here is win-acme's docs for an Apache example: win-acme

To use it with IIS (if IIS was the thing answering on port 80) you would just use the self-hosting option and select the website or enter the domain name to order the cert for.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.