Win-acme renews fail - Unexpected response status code [NotFound]

My domain is: dc.hkpms.top and other subdomains (around 30)

I ran this command:
wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output:
Error getting renewal information from server
ACMESharp.Protocol.AcmeProtocolException: Unexpected response status code [NotFound] for [GetRenewalInfo]
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(String relativeUri, HttpMethod method, String message, HttpStatusCode expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[TResponse](String uri, JsonTypeInfo1 responseType, String message, HttpMethod method, HttpStatusCode[] expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.GetRenewalInfo(Byte[] certificateId)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.<>c__DisplayClass1_01.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClient.GetRenewalInfo(ICertificateInfo certificate)
   at PKISharp.WACS.OrderProcessor.PrepareOrders(List1 orderContexts, List1 orderInfos)

My web server is (include version): IIS 8.5

The operating system my web server runs on is (include version): Windows 2016

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.2.6.1571.x64.pluggable

Thanks for the free SSL.

I have installed the free SSL for around 30 subdomains since 15 Apr 2024. The acme installed a task scheduler to renew the cert daily. It operated smoothly till 17 May 2024. Then the task returned the error log.

I installed AVG Business File Security on 17 May. However, even after I stopped AVG, the renewal still did not succeed.

Can anyone help?

1 Like

I don't know win-acme with IIS well enough to help. I just wanted you to know there are other places to get support for that in case no one else here offers help. See below page

You say your IIS is 8.5 but an IIS 10.0 is replying to requests to that domain. I don't know how this helps unless you have your DNS or a NAT or port forwarding going to the wrong place for HTTP requests.

Request to: dc.hkpms.top/103.11.100.75, Result: [Address=103.11.100.75,Address Type=IPv4,Server=Microsoft-IIS/10.0

Lastly, it may not help but there is a more current recommended version of win-acme. The above win-acme support page describes that.

4 Likes

win-acme is having a little bit of trouble due to other bugs in the current release. If this problem stops you from ordering a certificate, I would suggest perhaps downgrading win-acme, possibly to v2.2.2.1, while those issues get stabilized.

3 Likes

You don't need to downgrade, you can just disable the ARI checks with the RenewalDisableServerSchedule setting as a workaround until they've released the version with current ARI support. Though the author claims that the warnings you're getting in the meantime can just be ignored and it will still renew as needed.

5 Likes

Ah, yes that's a better idea. Upgrading to a newer version has some new potential issues with private key storage, but fixes for that are in the works.

1 Like

Thanks all.

More information:

  1. IIS 10. My mistake.
  2. I checked the log:

2024-05-21 09:54:51.282 +08:00 [VRB] Checking [IIS] dc.hkpms.top, (any host)
2024-05-21 09:54:51.291 +08:00 [VRB] Autofac: creating Order scope with parent PluginBackend
2024-05-21 09:54:51.292 +08:00 [VRB] Autofac: creating PluginBackend scope with parent order-main
2024-05-21 09:54:51.703 +08:00 [DBG] Previous certificate found at C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates[deleted]-temp.pfx
2024-05-21 09:54:51.705 +08:00 [DBG] Reading certificate cache
2024-05-21 09:54:51.753 +08:00 [DBG] [HTTP] Send HEAD to "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
2024-05-21 09:54:52.473 +08:00 [VRB] [HTTP] Request completed with status "OK"
2024-05-21 09:54:52.474 +08:00 [VRB] [HTTP] Empty response
2024-05-21 09:54:52.501 +08:00 [DBG] [HTTP] Send GET to "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo[deleted]"
2024-05-21 09:54:52.679 +08:00 [VRB] [HTTP] Request completed with status "NotFound"
2024-05-21 09:54:52.679 +08:00 [VRB] [HTTP] Response of type text/plain (19 bytes)
2024-05-21 09:54:52.744 +08:00 [ERR] Error getting renewal information from server
ACMESharp.Protocol.AcmeProtocolException: Unexpected response status code [NotFound] for [GetRenewalInfo]
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(String relativeUri, HttpMethod method, String message, HttpStatusCode expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[TResponse](String uri, JsonTypeInfo1 responseType, String message, HttpMethod method, HttpStatusCode[] expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.GetRenewalInfo(Byte[] certificateId)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.<>c__DisplayClass1_01.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClient.GetRenewalInfo(ICertificateInfo certificate)
   at PKISharp.WACS.OrderProcessor.PrepareOrders(List1 orderContexts, List1 orderInfos)
2024-05-21 09:54:52.749 +08:00 [VRB] Main: previous thumbprint 9A5B8A012E58895BD8714C244C0A378165A462A0
2024-05-21 09:54:52.750 +08:00 [VRB] Main: previous expires 2024/7/4
2024-05-21 09:54:52.752 +08:00 [VRB] Using client side renewal schedule
2024-05-21 09:54:52.753 +08:00 [VRB] Main: latest due date 2024/5/30
2024-05-21 09:54:52.753 +08:00 [VRB] Main: earliest due date 2024/5/30
2024-05-21 09:54:52.753 +08:00 [VRB] Order Main should run: false
2024-05-21 09:54:52.755 +08:00 [DBG] None of the orders are currently due to run
2024-05-21 09:54:52.756 +08:00 [INF] Renewal [IIS] dc.hkpms.top, (any host) is due after 2024/5/30
2024-05-21 09:54:52.774 +08:00 [VRB] Autofac: creating Execution scope with parent wacs
2024-05-21 09:54:52.775 +08:00 [VRB] Autofac: creating PluginBackend scope with parent Execution

It seems to me that the error cannot be ignored. It is a response from Get renew information.

Also, I checked settings.json; there is no RenewalDisableServerSchedule setting.

1 Like

So, this sounds to me (I'm not really familiar with win-acme, I'm just reading the log) that since it can't get the ARI renewal suggestion from the server, it's using its own "client side renewal schedule", which says that since your certificate doesn't expire until July 4, it will plan to renew it on May 30. And so it isn't due for renewal yet and there's nothing to do.

Is there some reason you think that a certificate is due for renewal now?

From looking at their documentation, I suspect that you can add RenewalDisableServerSchedule to that settings.json (even if it's not currently there) if you want to disable the feature that isn't yet working. Just make sure to enable it again once a fixed version of win-acme is released and you're updated to it.

6 Likes
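
The reading of the log given in the reply above (ARI lookup fails, the client falls back to its own schedule, nothing is due yet), as an added example that is not part of any post and is not win-acme code: a Python triage that separates that harmless case from a renewal that is overdue, expired, or left without any schedule. The message strings and the year/month/day date format are assumed from the log quoted in the thread; the verdict names are invented for this example.

```python
import re
from datetime import date

# Constructed sample: a subset of the verbose log lines quoted in the thread.
SAMPLE_LOG = """\
2024-05-21 09:54:51.282 +08:00 [VRB] Checking [IIS] dc.hkpms.top, (any host)
2024-05-21 09:54:52.744 +08:00 [ERR] Error getting renewal information from server
2024-05-21 09:54:52.750 +08:00 [VRB] Main: previous expires 2024/7/4
2024-05-21 09:54:52.752 +08:00 [VRB] Using client side renewal schedule
2024-05-21 09:54:52.753 +08:00 [VRB] Main: latest due date 2024/5/30
2024-05-21 09:54:52.753 +08:00 [VRB] Order Main should run: false
"""

LINE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \S+ \S+ \[\w+\] (.*)$")
# Assumption: dates inside messages are year/month/day, as in the thread's log.
DATES = {"expires": re.compile(r"previous expires (\d+)/(\d+)/(\d+)"),
         "due": re.compile(r"latest due date (\d+)/(\d+)/(\d+)")}

def verdict(r):
    """Separate a harmless ARI error from a renewal that needs attention."""
    if r["expires"] and r["run_date"] >= r["expires"]:
        return "expired"
    if r["due"] and r["run_date"] > r["due"] and r["should_run"] is False:
        return "overdue"            # past the due date, yet no order was run
    if r["ari_failed"]:             # fallback logged = the case in the thread
        return "ari-fallback-ok" if r["client_schedule"] else "no-schedule"
    return "ok"

def triage(log_text):
    # One summary dict (with a verdict) per "Checking ..." renewal in the log.
    results, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                # stack-trace frames and blank lines
        y, mo, d, msg = m.groups()
        if msg.startswith("Checking "):
            cur = dict(renewal=msg[9:], run_date=date(int(y), int(mo), int(d)),
                       ari_failed=False, client_schedule=False,
                       expires=None, due=None, should_run=None)
            results.append(cur)
        if cur is None:
            continue
        cur["ari_failed"] |= "Error getting renewal information" in msg
        cur["client_schedule"] |= "Using client side renewal schedule" in msg
        if "should run:" in msg:
            cur["should_run"] = msg.strip().endswith("true")
        for key, pat in DATES.items():
            if (f := pat.search(msg)):
                cur[key] = date(*map(int, f.groups()))
    return [dict(r, verdict=verdict(r)) for r in results]
```

Calling `triage(SAMPLE_LOG)` yields one entry with the verdict `ari-fallback-ok`; the other verdicts are the ones worth alerting on when the scheduled task runs across many renewals.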

Thanks all.

I waited for some days until the certificate renewal was required.

And it was renewed successfully.

4 Likes

Good to hear. I believe that win-acme recently released a version (2.2.9.1) that uses the updated ARI draft, which should fix the problem entirely.

5 Likes