Windows Server 2019: Certbot cert auto-renewal failure (complete log file output added)

Certbot running on Windows Server 2019 fails to auto-renew the cert. The log file displays errors. I would like assistance figuring out what I need to do to fix the issue so my cert will renew. I will add the entire log file text also. Any help would be greatly appreciated.

My domain is:
aws-cmca.us

My web server is (include version):
IIS 10.0.17763.1

The operating system my web server runs on is (include version):
Server 2019 version 1809 OS Build 17763.1397

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I am using Certbot 1.5.0

Log file output:
2020-09-11 09:40:19,277:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-09-11 09:40:19,277:DEBUG:certbot._internal.main:Arguments:
2020-09-11 09:40:19,277:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-11 09:40:19,387:DEBUG:certbot._internal.log:Root logging level set at 20
2020-09-11 09:40:19,387:INFO:certbot._internal.log:Saving debug log to C:\Certbot\log\letsencrypt.log
2020-09-11 09:40:19,418:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x040BB4F0> and installer <certbot._internal.cli.cli_utils._Default object at 0x040BB4F0>
2020-09-11 09:40:19,465:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2020-09-11 09:40:19,621:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
2020-09-11 09:40:19,621:DEBUG:certbot.ocsp:OCSP response for certificate C:\Certbot\archive\aws-cmca.us\cert1.pem is signed by the certificate's issuer.
2020-09-11 09:40:19,621:DEBUG:certbot.ocsp:OCSP certificate status for C:\Certbot\archive\aws-cmca.us\cert1.pem is: OCSPCertStatus.GOOD
2020-09-11 09:40:19,637:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2020-09-23 14:53:58 UTC.
2020-09-11 09:40:19,637:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing…
2020-09-11 09:40:19,637:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2020-09-11 09:40:19,637:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x040BB1D0>
Prep: True
2020-09-11 09:40:19,637:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x040BB1D0> and installer None
2020-09-11 09:40:19,637:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2020-09-11 09:40:19,684:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/89659272', new_authzr_uri=None, terms_of_service=None), a07dae1bfaebfb2076a487245be3610c, Meta(creation_dt=datetime.datetime(2020, 6, 24, 16, 29, 50, tzinfo=<UTC>), creation_host='aws-cmca-sacs.aws-cmca.us'))>
2020-09-11 09:40:19,684:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-09-11 09:40:19,684:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-09-11 09:40:19,996:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-09-11 09:40:19,996:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 11 Sep 2020 14:40:20 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "823oL3WGWAE": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-09-11 09:40:19,996:INFO:certbot._internal.main:Renewing an existing certificate
2020-09-11 09:40:20,402:DEBUG:certbot.crypto_util:Generating key (2048 bits): C:\Certbot\keys\0040_key-certbot.pem
2020-09-11 09:40:20,449:DEBUG:certbot.crypto_util:Creating CSR: C:\Certbot\csr\0040_csr-certbot.pem
2020-09-11 09:40:20,465:DEBUG:acme.client:Requesting fresh nonce
2020-09-11 09:40:20,465:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-09-11 09:40:20,527:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-09-11 09:40:20,527:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 11 Sep 2020 14:40:20 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002qUkvocskGImkQAg-qMYTVFE0rpIEr-2OrEdu0cJSkY0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2020-09-11 09:40:20,527:DEBUG:acme.client:Storing nonce: 0002qUkvocskGImkQAg-qMYTVFE0rpIEr-2OrEdu0cJSkY0
2020-09-11 09:40:20,543:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "aws-cmca.us"\n    }\n  ]\n}'
2020-09-11 09:40:20,543:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODk2NTkyNzIiLCAibm9uY2UiOiAiMDAwMnFVa3ZvY3NrR0lta1FBZy1xTVlUVkZFMHJwSUVyLTJPckVkdTBjSlNrWTAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "A3VJO2VM2GFjF7HdS50wr6uKnn1BiLTtaTLNLZaC0h3VFWq6-WoX5f9slgYSFCtWx7PrWz1NMbvSYeBQXSpiOGdI6JPzZVsC20og0PxfsFaSxc3euCDbbYQe97AFyCypQDK0vjuaUdQaWxS4J9ydcApEk1qRYBfMf495A9WcDQUHLlHp2dxyH-NybpMOBBRGRNPeqoesdMC7vnsPUHO2U59_YA5KEU7C8DTBJCmvx2l-0JXvzKeKZXIAkrq0Z8crM2RA-9THW14iHfTm34An_C2EWCQQZIAW_nIUbIrBBBTu3uZZJCOdNxC-J6Nt2tT8XdHTqZkMLa6fZutt5qym8A",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImF3cy1jbWNhLnVzIgogICAgfQogIF0KfQ"
}
2020-09-11 09:40:21,496:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 341
2020-09-11 09:40:21,496:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 11 Sep 2020 14:40:21 GMT
Content-Type: application/json
Content-Length: 341
Connection: keep-alive
Boulder-Requester: 89659272
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/89659272/5134287968
Replay-Nonce: 0001WYPU-LKBlzHASn3HtUM1irwsanZK0rmhuLKpVYE2FLI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-09-18T14:40:21.054397905Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "aws-cmca.us"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/7145839792"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/89659272/5134287968"
}
2020-09-11 09:40:21,496:DEBUG:acme.client:Storing nonce: 0001WYPU-LKBlzHASn3HtUM1irwsanZK0rmhuLKpVYE2FLI
2020-09-11 09:40:21,496:DEBUG:acme.client:JWS payload:
b''
2020-09-11 09:40:21,496:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/7145839792:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODk2NTkyNzIiLCAibm9uY2UiOiAiMDAwMVdZUFUtTEtCbHpIQVNuM0h0VU0xaXJ3c2FuWkswcm1odUxLcFZZRTJGTEkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzcxNDU4Mzk3OTIifQ",
  "signature": "QrStQSIughnccLRrNgMd5y8EIXqbDTmdeyHq76xKoPkrKxFJJ476MKQ667G3XTfPaZNNEmttM81HThoFsRSEv3UYsSCzVvgmUcr0AoizvY9vuzKw6u7wlQri6XBw_aUKrFnV7fCOvp6zK2W4VeQw_k-yqIHJzCU8GvDO4VPPq3i5AVQrzFWd6IS4DJyVV5RBC-uUBhk451byNY4SJOGan0j-_Fu8jhe3D8kQhC4aMLbbfC4TZ2ep8JA0Kt5VlH_JsTUmeMmqCweg0DIa8Zq4z-NnAqT7iP5vqOoxBQ-4NgNwbjZjQOnR9BUz5Ao57j35_tcQC-BAZPWiQ6qqI9Nvpw",
  "payload": ""
}
2020-09-11 09:40:21,605:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/7145839792 HTTP/1.1" 200 789
2020-09-11 09:40:21,605:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 11 Sep 2020 14:40:21 GMT
Content-Type: application/json
Content-Length: 789
Connection: keep-alive
Boulder-Requester: 89659272
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002Rfp7gGdGsxO3B3NbokX9P2GEygukiq_4EZlp2pzfmPY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "aws-cmca.us"
  },
  "status": "pending",
  "expires": "2020-09-18T14:40:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7145839792/OaYvHg",
      "token": "of6H8diXXvDbNffa5KdffUWuwm-ef2wVA_GJNK51u3Q"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7145839792/gR5vRQ",
      "token": "of6H8diXXvDbNffa5KdffUWuwm-ef2wVA_GJNK51u3Q"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7145839792/MLgLfQ",
      "token": "of6H8diXXvDbNffa5KdffUWuwm-ef2wVA_GJNK51u3Q"
    }
  ]
}
2020-09-11 09:40:21,605:DEBUG:acme.client:Storing nonce: 0002Rfp7gGdGsxO3B3NbokX9P2GEygukiq_4EZlp2pzfmPY
2020-09-11 09:40:21,605:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-09-11 09:40:21,605:INFO:certbot._internal.auth_handler:http-01 challenge for aws-cmca.us
2020-09-11 09:40:21,605:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2020-09-11 09:40:21,605:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2020-09-11 09:40:21,637:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 72, in run
    address, self.http_01_resources)
  File "C:\Program Files (x86)\Certbot\pkgs\acme\standalone.py", line 190, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "C:\Program Files (x86)\Certbot\pkgs\acme\standalone.py", line 105, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 156, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 156, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 163, in _try_perform_single
    _handle_perform_error(error)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 210, in _handle_perform_error
    raise error
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 161, in _try_perform_single
    return self._perform_single(achall)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 166, in _perform_single
    servers, response = self._perform_http_01(achall)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 173, in _perform_http_01
    servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 74, in run
    raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

2020-09-11 09:40:21,637:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-09-11 09:40:21,637:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-09-11 09:40:21,637:WARNING:certbot._internal.renewal:Attempting to renew cert (aws-cmca.us) from C:\Certbot\renewal\aws-cmca.us.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
2020-09-11 09:40:21,652:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 72, in run
    address, self.http_01_resources)
  File "C:\Program Files (x86)\Certbot\pkgs\acme\standalone.py", line 190, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "C:\Program Files (x86)\Certbot\pkgs\acme\standalone.py", line 105, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\renewal.py", line 448, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1176, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\renewal.py", line 306, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 156, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 156, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 163, in _try_perform_single
    _handle_perform_error(error)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 210, in _handle_perform_error
    raise error
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 161, in _try_perform_single
    return self._perform_single(achall)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 166, in _perform_single
    servers, response = self._perform_http_01(achall)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 173, in _perform_http_01
    servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\plugins\standalone.py", line 74, in run
    raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

2020-09-11 09:40:21,652:ERROR:certbot._internal.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-09-11 09:40:21,652:ERROR:certbot._internal.renewal: C:\Certbot\live\aws-cmca.us\fullchain.pem (failure)
2020-09-11 09:40:21,652:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "D:\obj\windows-release\37win32_Release\msi_python\zip_win32\runpy.py", line 193, in _run_module_as_main
  File "D:\obj\windows-release\37win32_Release\msi_python\zip_win32\runpy.py", line 85, in _run_code
  File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 33, in <module>
    sys.exit(main())
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 15, in main
    return internal_main.main(cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1347, in main
    return config.func(config, plugins)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1255, in renew
    renewal.handle_renewal_request(config)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\renewal.py", line 473, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2020-09-11 09:40:21,668:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

2 Likes

Hi @jedichris816

if you want to use the standalone plugin, you have to stop your running webserver.

There - http://aws-cmca.us/ - is a webserver running.

If not, that's the expected error message.

3 Likes

Bingo! It appears you are very correct. I stopped the webserver and ran a dry run to renew the cert.

C:\Program Files (x86)\Certbot>certbot renew --dry-run
Saving debug log to C:\Certbot\log\letsencrypt.log


Processing C:\Certbot\renewal\aws-cmca.us.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for aws-cmca.us
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
C:\Certbot\live\aws-cmca.us\fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
C:\Certbot\live\aws-cmca.us\fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

So in the original log file, why is there no mention of failure or even attempting to stop the webserver? As you state, the webserver needs to be stopped. When I installed Certbot, the setup added a scheduled task to attempt renewal when the expiration is less than 30 days away. Ultimately, that's what I want, as opposed to having to manually stop the server and manually run the renewal. The instructions page for my webserver type and OS says, "Automated certificate renewals (using standalone and webroot plugins) are supported." Please advise.

Juergen, I do want to say thank you for your help. Thank you.

3 Likes

You really should not have to stop a working (fully functional) web server only to start another one to do that exact same thing.

You could instead determine where the document root is/are for the FQDN(s) and use the --webroot option to let certbot know where to put the challenge response files.

4 Likes

Yep, webroot is the better solution. standalone is ok if there is no webserver.

3 Likes

Agreed:
The key is “better”.
There is a “working solution”, yes.
This could be a better one.
And there may even be improvements on it.
Or including automation to really make things the best.

2 Likes

Baby steps. I love the happy progression of this topic. It gives me some great notes for the handbook.

1 Like

Yep, webroot is the better solution

Can you elaborate on what you mean?

--webroot option to let certbot know where to put the challenge response files?

I'm not a webserver admin, and am still learning in this area.

Do I need to run certbot renew --webserver C:\inetpub\wwwroot in cmd terminal?

2 Likes

See the docs on that here:

2 Likes

If you want to use http validation, you need a running webserver.

But if you have already a running webserver, it should be possible to use that webserver instead of stopping it and starting a temporary thing.

--webroot is the part you should check. Then Certbot creates a file in the correct subfolder, the running webserver sends that file, no stop/start is required.

2 Likes
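The advice above (check who holds port 80, then let the running IIS serve the challenge via --webroot) as a single worked script. This is an added example, not code from the thread, from Certbot or from IIS; it assumes the site's physical path is C:\inetpub\wwwroot (a placeholder to replace with the real document root) and the Certbot install path shown in the log:

```powershell
# Added example (not from the thread or from Certbot): diagnose the port-80 clash
# behind "Problem binding to port 80" and move the renewal to the webroot
# authenticator so IIS keeps running during renewal.
# Assumptions: IIS serves aws-cmca.us from C:\inetpub\wwwroot (placeholder),
# Certbot 1.5.0 is installed in C:\Program Files (x86)\Certbot as in the log.

$Webroot = 'C:\inetpub\wwwroot'   # assumed document root; use the site's real physical path
$Domain  = 'aws-cmca.us'
$Certbot = 'C:\Program Files (x86)\Certbot\bin\certbot.exe'

# 1. Who is listening on port 80? The standalone plugin can only run if nobody is.
#    IIS listens through http.sys, so the owning process is normally PID 4 (System).
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Address = $_.LocalAddress; PID = $_.OwningProcess; Process = $proc.ProcessName }
    } | Format-Table -AutoSize

# 2. Challenge files have no extension; tell IIS to serve them as text/plain
#    with a web.config scoped to the challenge directory only.
$challengeDir = Join-Path $Webroot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $challengeDir 'web.config') -Encoding ASCII

# 3. Prove the running server answers on that path before involving the CA.
#    A random file name keeps this probe from colliding with a real challenge.
$probe = 'probe-' + [guid]::NewGuid().ToString('N')
Set-Content -Path (Join-Path $challengeDir $probe) -Value 'ok' -NoNewline -Encoding ASCII
try {
    $r = Invoke-WebRequest -Uri "http://$Domain/.well-known/acme-challenge/$probe" -UseBasicParsing
    if ($r.Content -ne 'ok') { throw "unexpected body from IIS: $($r.Content)" }
    Write-Host "challenge path is served by the running web server"
} finally {
    Remove-Item (Join-Path $challengeDir $probe) -ErrorAction SilentlyContinue
}

# 4. Rehearse against the staging CA, then do it for real. The real run records
#    authenticator = webroot and the webroot path in C:\Certbot\renewal\aws-cmca.us.conf,
#    so the scheduled task keeps using them on later runs. Nothing is stopped or restarted.
& $Certbot certonly --webroot -w $Webroot -d $Domain --dry-run
if ($LASTEXITCODE -eq 0) {
    & $Certbot certonly --webroot -w $Webroot -d $Domain
}
```

Step 1 is the check the log never prints: Certbot only reports that the bind failed, not which process owns the port. Step 3 is worth keeping as a pre-flight in any renewal script, because a URL Rewrite rule or a missing MIME mapping fails exactly the same way once the CA tries to fetch the token.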

So the best solution on Windows is to integrate with the http.sys pipeline, this is something certbot should do on windows, rather than just trying to start a port 80 listener (which will clash with IIS).

http.sys listeners can listen for specific url patterns like /.well-known/acme-challenge/ and respond just to those http requests without interrupting other http services

This is what Certify The Web (https://certifytheweb.com) does by default to avoid having to configure IIS extensionless file handling (which is also does as a fallback), other windows based acme tools do similar things as well.

2 Likes
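What the http.sys approach in the post above looks like in practice: a listener that registers only the /.well-known/acme-challenge/ prefix and leaves every other port-80 URL to IIS. This is an added example, not Certify The Web's or Certbot's code; it assumes a challenge directory C:\acme-challenge (placeholder) that the ACME client writes tokens into, and that the script runs elevated or that the prefix has been reserved for the account with netsh http add urlacl.

```powershell
# Added example: a minimal http.sys listener (System.Net.HttpListener) that
# claims http://+:80/.well-known/acme-challenge/ and serves token files from a
# directory. http.sys routes by URL prefix, so IIS keeps serving everything
# else on port 80 and no service has to be stopped.
# Assumptions: $ChallengeDir is where the ACME client drops its tokens
# (placeholder); the process is elevated or holds a urlacl for $Prefix.

$ChallengeDir = 'C:\acme-challenge'   # assumed; point your ACME client's webroot here
$Prefix       = 'http://+:80/.well-known/acme-challenge/'
$PathPrefix   = '/.well-known/acme-challenge/'

$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($Prefix)
$listener.Start()
Write-Host "serving $ChallengeDir on $Prefix (Ctrl+C to stop)"

try {
    while ($listener.IsListening) {
        $ctx = $listener.GetContext()
        $req = $ctx.Request
        $res = $ctx.Response

        # Only the token after the prefix is used. ACME tokens are base64url,
        # so anything outside [A-Za-z0-9_-] is refused; this keeps the listener
        # from being steered to files outside the challenge directory.
        $token = $req.Url.AbsolutePath.Substring($PathPrefix.Length)
        $file  = Join-Path $ChallengeDir $token

        if ($req.HttpMethod -eq 'GET' -and
            $token -match '^[A-Za-z0-9_-]+$' -and
            (Test-Path -LiteralPath $file -PathType Leaf)) {
            $bytes = [System.IO.File]::ReadAllBytes($file)
            $res.StatusCode      = 200
            $res.ContentType     = 'text/plain'
            $res.ContentLength64 = $bytes.Length
            $res.OutputStream.Write($bytes, 0, $bytes.Length)
        } else {
            $res.StatusCode = 404
        }
        $res.Close()
    }
} finally {
    $listener.Stop()
    $listener.Close()
}
```

The strong wildcard (+) prefix takes precedence over the weak wildcard IIS registers for its bindings, which is why the two can coexist on the same port. Pointing the ACME client's webroot at $ChallengeDir is then all that is left; the listener only ever exposes files whose names are valid tokens, and only under that one path.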

Start a new topic.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.