Win Server 2019 cannot renew - No matches, cert is required but missing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:C:\Certbot>certbot certonly --cert-name --dry-run --debug-challenges
It produced this output: How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
cert is required but missing for this certificate.
Ask for help or search for solutions at See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

Hi there,

I need to renew a certificate in Win Server 2019 but it is failing. There is also a scheduler task that is not working. I am using a standalone option and my www service (webserver) is stopped.

This is the log file:
letsencrypt.log_5112023.txt (5.5 KB)
There was an issue in the live folder, with the symlinks being recreated. I am not sure if the archive also were moved or renamed, but I can run the option certificates and see the serial number, etc.

Found the following certs:
Certificate Name:
Serial Number: 4fcb7efcac9597ce8933ef72f687e9e6e80
Key Type: ECDSA
Expiry Date: 2023-05-29 16:59:35+00:00 (VALID: 17 days)
Certificate Path: C:\Certbot\live\\fullchain.pem
Private Key Path: C:\Certbot\live\\privkey.pem

Thank you so much for your help.

Based on Certbot renew returns "cert is required but missing for this certificate" Certbot thinks you have deleted something from the certificate storage either in C:\Certbot\live or C:\Certbot\archive

You're best to re-create your renewal e.g. remove it and start again.

Which webserver are you running?


Hi there, thank you so much for helping me. The web server is a IIS on Windows Server 2019. It only hosts one website and one ftp site. What is the process to recreate the certs files? Do I have to remove the current certificate in IIS?
I already try many commands, like "certbot certonly --force-renew --cert-name" and
"certbot certonly --force-renew -d " and always the same error, missing the cert...

1 Like

Can I use this without revoking or affecting the current cert that is not expired?
1, Purge all files: certbot delete --cert-name MyCertName
and then
2 Recreate: certbot run -a standalone -d -d

Hmm, so you would need to also be running some other scripting to convert the certificate to the correct format - if you don't know what that is then it's is possible you're not using Certbot anymore and there is another ACME client installed?

I develop Certify The Web ( and another popular one you might be using is win-acme, for both those apps you just install it, select your websites etc (if they already have hostname bindings in IIS), then request the certificate to have it ordered, validated and installed into IIS.


No, I only installed Certbot. So, do you really think that I cannot fix this using Certbot? :thinking:

Cool, it's just that Cerbot cannot install certificates into IIS or setup FTP site certificate bindings, so you would have to have manually converted the certificate and installed it manually, or used a script to do the same.

Unless of course you are Apache or nginx or some other webserver/ftp server (not IIS).


Can you start your webserver so we can check it's certs?


Yes, is up and running.

1 Like

Oops! Yes.

1 Like

It says:
Server: Microsoft-IIS/10.0


Thanks. Yes, that looks like IIS/10

And, the cert is the one shown by certbot certificates above that expires May29.

@webprofusion knows Windows far better than I do. To use the ".pem" cert files created by Certbot you must convert them to the format for IIS and your FTP server.

I often recommend people using IIS use Certify The Web instead of Certbot for this reason. We can get Certbot to work (with more effort) but you'll still need to convert its .pem files. If you can't remember how you did that back in Feb you might be better off just using Certify The Web. I think you'll find it easier.

I'm not sure how this relates but I see you got certs from ZeroSSL prior to this recent one from Let's Encrypt. While Certbot can get them from ZeroSSL it usually isn't used for that.


I was using win-acme in server 2012, but there was an issue with the renewal, I installed ZeroSSL, but I don't have any more credits for free certificates. The certificates in ZeroSSL are expired. Do I need to revoke with them? I am not sure how they appear on the certificate...

No need to revoke they are, as you note, expired. They don't appear with your current cert but all cert history is logged for public review and I saw those there.


Yes, I remember how to convert and install it on the web server.

Oh, I see... :slightly_smiling_face: but back to Certbot, What would you do in my case to obtain the renewal?

If you have used win-acme before I'd recommend just using win-acme again (with Let's Encrypt).

The basic ZeroSSL service is free as far as I know - I've not heard of anyone running out before but perhaps you hit the rate limit as shows the same cert issued several times on the same day.

For certbot, I'll defer to someone who knows it better!


Can you show us the contents of the renewal conf file in

# renew_before_expiry = 30 days
version = 2.2.0
archive_dir = C:\Certbot\archive\
cert = C:\Certbot\live\\cert.pem
privkey = C:\Certbot\live\\privkey.pem
chain = C:\Certbot\live\\chain.pem
fullchain = C:\Certbot\live\\fullchain.pem

# Options used in the renewal process
account = 7cc2a4014f5d3f43e4bf7d75ca68c821
authenticator = standalone
server =
key_type = ecdsa

Thanks, and now:

dir C:\Certbot\live\
dir C:\Certbot\archive\