Win Acme Initial connection failed, retrying with TLS 1.2 forced - New server

Afternoon

I am trying to migrate from an old windows 2008 server to windows 2019.
I have downloaded Win-Acme and am running it as an admin.
When I first run it I get the message

"Connecting to https://acme-v02.api.letsencrypt.org/...
Initial connection failed, retrying with TLS 1.2 forced
Unable to connect to ACME server"

It then goes into the normal menu where I can create a new cert for my site.
When I go through the process with the default options I eventually get this :

"Source generated using plugin IIS: netc.dbd.solutions

Failed to create order"

Any help with this would be great. In the past I have just downloaded win-acme and everything has just worked out of the box, and I can't find much online about this issue.

My domain is: netc.dbd.solutions
I ran this command: WACS.EXE

It produced this output:

A simple Windows ACMEv2 client (WACS)
Software version 2.1.19.1142 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Initial connection failed, retrying with TLS 1.2 forced
Unable to connect to ACME server
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

My web server is (include version):
IIS 10 - Fresh Install

The operating system my web server runs on is (include version):
Windows 2019

My hosting provider, if applicable, is:
Netcetera

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is: 2.1.19.1142

So, it sounds like this message is saying your server can't connect to the Let's Encrypt API. Does your server have outbound Internet access?


There is a newer version out now.

As for obtaining a cert on the new system:
Without changing the inbound port forwarding (presuming both are behind the same firewall), you won't be able to get a cert, via HTTP authentication, on serverB for a name that connects to serverA.
Unless you use DNS-01 authentication.


Yeah, I can view that page from a browser on the machine.

It does seem to connect after I get this message, but then won't issue a cert.

Not sure what port forwarding needs to change; this is a server with its own public IP, there's no NAT happening. As for the firewall, I thought everything happened on port 80/443 (both of which are open) - is that not the case?

Edit, just realised what you meant... these are different servers on different networks. I'm migrating between machines in different data centres, so although it's a "migration" it would probably have been better described as a new server setup.

Don't know if this will help, but I ran with the --verbose flag and got this output.

What I found interesting in this is the URL it is trying to access is https://acme-v02.api.letsencrypt.org/directory which I can browse to using Firefox on the server BUT not IE.

In IE I get an error

This site isn’t secure

DLG_FLAGS_INVALID_CA

I guess that this is something wrong on the server - I read something about a root cert changing back in September?

All of the Windows updates on this server should have been done, so all of the certs should be up to date, but I can't be 100% sure as I can't manage these myself; that is done by a server admin.

[VERB] Looking for settings.json in c:\Program Files\WinAcme\
 [DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
 [DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
 [DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [DBUG] secrets.json not found
 [VERB] Arguments: --verbose
 [DBUG] Renewal period: 55 days
 [VERB] Sending e-mails False

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.19.1142 (release, trimmed, standalone, 64-bit)
 [INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
 [EROR] Initial connection failed, retrying with TLS 1.2 forced
System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 10 seconds elapsing.
 ---> System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at PKISharp.WACS.Services.ProxyService.LoggingHttpClientHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
 [DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
 [EROR] Unable to connect to ACME server
System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 10 seconds elapsing.
 ---> System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at PKISharp.WACS.Services.ProxyService.LoggingHttpClientHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
 [DBUG] IIS version 10.0
 [DBUG] Running with administrator credentials
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

With:

and, since acme-v02.api.letsencrypt.org is using the shorter/alternate LE chain, it seems that your system doesn't trust the "ISRG Root X1" root cert and you may need to add it in manually.

Here is the chain served:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

And here is the root cert you need to trust:
https://letsencrypt.org/certs/isrgrootx1.der
https://letsencrypt.org/certs/isrgrootx1.pem


Which is weird, since if your system is up-to-date on patches it should be having its trust store updated automatically. There is some lazy-loading done by Windows, but visiting an ISRG Root X1 site (like the API site, or like https://valid-isrgrootx1.letsencrypt.org/) from IE/Edge should load it and "just work".

There's a patch I've seen referenced here before to help get Windows systems up to date, at https://support.microsoft.com/en-us/topic/support-for-urgent-trusted-root-updates-for-windows-root-certificate-program-in-windows-a4ac4d6c-7c62-3b6e-dfd2-377982bf3ea5, but I don't see anything there for Windows 2019. (Presumably because that's new enough to not need it?) But maybe that gives you a starting point to start digging from?


Thanks for the help. It looks like there is an issue with the server and Windows Update, as it's not updating properly. I installed that cert as a trusted root certificate authority and it's all working now.

Thanks for the help.


If your server is part of a domain your group policy may be set to disable automatic CA root updates, or if you have outgoing https connections blocked you may be blocking the attempts to update the root certificates.

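As an added diagnostic for the two points raised above (it is not win-acme's code and not from anyone in this thread), the PowerShell below checks whether ISRG Root X1 is in the machine's Trusted Root store (the fix that resolved this thread), whether the "Turn off Automatic Root Certificates Update" policy is set, and then does a TLS 1.2 handshake to the ACME directory host and builds the chain the way Windows would. It assumes an elevated PowerShell 5.1 or later session on the affected server; the function names and output fields are my own choices, and the registry path is the one the root auto-update policy writes to.

```powershell
# Added diagnostic for the ISRG Root X1 trust problem discussed in this thread.
# Not win-acme code. Assumes an elevated PowerShell session on the server itself.

$AcmeHost = 'acme-v02.api.letsencrypt.org'

function Test-IsrgRootTrusted {
    # Look for ISRG Root X1 in the machine-wide Trusted Root store (LocalMachine\Root).
    $roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*CN=ISRG Root X1*' })
    [pscustomobject]@{
        Present     = ($roots.Count -gt 0)
        Thumbprints = @($roots | ForEach-Object { $_.Thumbprint })
        NotAfter    = @($roots | ForEach-Object { $_.NotAfter })
    }
}

function Get-RootAutoUpdatePolicy {
    # The group policy "Turn off Automatic Root Certificates Update" writes this value;
    # 1 means Windows will not fetch new roots from the Microsoft update service.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $item = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -eq $item)                          { return 'not set (auto-update enabled)' }
    if ($item.DisableRootAutoUpdate -eq 1)        { return 'DISABLED by policy' }
    return 'enabled'
}

function Test-AcmeTls {
    param([string]$HostName = $AcmeHost)
    # Open a raw TCP connection and negotiate TLS 1.2 explicitly, which is what win-acme
    # falls back to after "Initial connection failed, retrying with TLS 1.2 forced".
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        # Accept the server cert at handshake time only so the chain can be inspected below;
        # the verdict comes from X509Chain.Build, not from this callback.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is skipped here so the result isolates the trust-anchor question.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $ok = $chain.Build($leaf)

        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Leaf        = $leaf.Subject
            Chain       = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
            ChainValid  = $ok
            # UntrustedRoot or PartialChain here is the signature of a missing ISRG Root X1.
            ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
    finally {
        $tcp.Close()
    }
}

'--- ISRG Root X1 in LocalMachine\Root ---'
Test-IsrgRootTrusted | Format-List
'--- Root auto-update policy ---'
Get-RootAutoUpdatePolicy
'--- TLS 1.2 handshake and chain build against the ACME host ---'
Test-AcmeTls | Format-List
```

A healthy server prints Present = True, the policy as not set or enabled, and ChainValid = True with an empty ChainStatus. If Present is False but ChainValid comes back True, that is the lazy loading mentioned above: building the chain made Windows fetch the root, and a second run of Test-IsrgRootTrusted should then show it. Present = False together with ChainStatus containing UntrustedRoot or PartialChain, and the policy showing DISABLED, points at group policy or blocked outbound HTTPS rather than at win-acme.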
