I am trying to migrate from an old Windows Server 2008 machine to Windows Server 2019.
I have downloaded Win-Acme and am running it as an admin.
When I first run it I get the message
It then goes into the normal menu where I can create a new cert for my site.
When I go through the process with the default options I eventually get this :
"Source generated using plugin IIS: netc.dbd.solutions
Failed to create order"
Any help with this would be great. In the past I have just downloaded win-acme and everything has just worked out of the box, and I can't find much online about this issue.
My domain is: netc.dbd.solutions
I ran this command: WACS.EXE
As for obtaining a cert on the new system:
Without changing the inbound port forwarding (presuming both are behind the same firewall), you won't be able to get a cert, via HTTP authentication, on serverB for a name that connects to serverA.
Unless you use DNS-01 authentication.
Not sure what port forwarding needs to change; this is a server with its own public IP, and there's no NAT happening. As for the firewall, I thought everything happened on port 80/443 (both of which are open) - is that not the case?
Edit: just realised what you meant... these are different servers on different networks. I'm migrating between machines in different data centres, so although it's a "migration" it would probably have been better described as a new server setup.
I guess that this is something wrong on the server - I read something about a root cert changing back in September?
All of the Windows updates on this server should have been done, so all of the certs should be up to date, but I can't be 100% sure as I can't manage these myself; that is done by a server admin.
[VERB] Looking for settings.json in c:\Program Files\WinAcme\
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[DBUG] secrets.json not found
[VERB] Arguments: --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.19.1142 (release, trimmed, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[EROR] Initial connection failed, retrying with TLS 1.2 forced
System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 10 seconds elapsing.
---> System.TimeoutException: A task was canceled.
---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
at PKISharp.WACS.Services.ProxyService.LoggingHttpClientHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[EROR] Unable to connect to ACME server
System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 10 seconds elapsing.
---> System.TimeoutException: A task was canceled.
---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
at PKISharp.WACS.Services.ProxyService.LoggingHttpClientHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
[DBUG] IIS version 10.0
[DBUG] Running with administrator credentials
[WARN] Scheduled task not configured yet
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit
and, since acme-v02.api.letsencrypt.org is using the shorter/alternate LE chain, it seems that your system doesn't trust the "ISRG Root X1" root cert and you may need to add it in manually.
Here is the chain served:
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
CONNECTED(00000005)
---
Certificate chain
0 s:CN = acme-v01.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
And here is the root cert you need to trust: https://letsencrypt.org/certs/isrgrootx1.der https://letsencrypt.org/certs/isrgrootx1.pem
Which is weird, since if your system is up-to-date on patches it should be having its trust store updated automatically. There is some lazy-loading done by Windows, but visiting an ISRG Root X1 site (like the API site, or like https://valid-isrgrootx1.letsencrypt.org/) from IE/Edge should load it and "just work".
Thanks for the help. It looks like there is an issue with the server and Windows Update, as it's not updating properly. I installed that cert as a trusted root certificate authority and it's all working now.
If your server is part of a domain your group policy may be set to disable automatic CA root updates, or if you have outgoing https connections blocked you may be blocking the attempts to update the root certificates.
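An added diagnostic that covers the points raised in the two replies above (missing ISRG Root X1 in the trust store, the root auto-update policy, and outbound reachability of the ACME directory). It is example code, not from this thread or from win-acme; run it in an elevated PowerShell on the new server. The thumbprint is the SHA-1 fingerprint Let's Encrypt publishes for ISRG Root X1 on its certificates page and should be re-checked there before use.

```powershell
# Added example (not win-acme's code): diagnose why WACS cannot reach/trust
# acme-v02.api.letsencrypt.org on a Windows Server box. Run elevated.
# Expected SHA-1 thumbprint of ISRG Root X1 as published on
# https://letsencrypt.org/certificates/ (verify there before relying on it).
$RootThumb     = 'CABD2A79A1076A31F21D253635CB039D4329A5E8'
$RootDerUrl    = 'https://letsencrypt.org/certs/isrgrootx1.der'
$AcmeDirectory = 'https://acme-v02.api.letsencrypt.org/directory'

# 1. Is ISRG Root X1 already in the machine-wide trusted root store?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootThumb }
if ($root) { "ISRG Root X1 is present in LocalMachine\Root" }
else       { "ISRG Root X1 is NOT present in LocalMachine\Root" }

# 2. Has group policy turned off automatic root certificate updates?
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$pol = Get-ItemProperty -Path $polPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRootAutoUpdate -eq 1) { "WARNING: automatic root updates are disabled by policy" }
else { "Automatic root updates are not disabled by policy" }

# 3. Reach the ACME directory with the same 10 s budget win-acme uses.
#    A timeout points at outbound filtering; a trust error points at the missing root.
try {
    $resp = Invoke-WebRequest -Uri $AcmeDirectory -UseBasicParsing -TimeoutSec 10
    "ACME directory reachable: HTTP $($resp.StatusCode)"
} catch {
    "ACME directory request failed: $($_.Exception.Message)"
}

# 4. If the root is missing, download the DER, check its thumbprint, then import it.
if (-not $root) {
    $tmp = Join-Path $env:TEMP 'isrgrootx1.der'
    Invoke-WebRequest -Uri $RootDerUrl -OutFile $tmp -UseBasicParsing -TimeoutSec 10
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tmp)
    if ($cert.Thumbprint -ne $RootThumb) {
        throw "Downloaded cert thumbprint $($cert.Thumbprint) != expected $RootThumb; not importing"
    }
    Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported ISRG Root X1 into LocalMachine\Root; re-run WACS.EXE"
}
```

Step 3 will itself fail with a trust error while the root is missing, which is the same symptom WACS reports as "Unable to connect to ACME server"; after step 4 it should return HTTP 200.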