[GH-ISSUE #52] Renewal of SSL certificate - Challenge Invalid (timeout during connect - likely firewall problem) #38

Closed
opened 2026-02-26 21:31:25 +03:00 by kerem · 5 comments

Originally created by @jmcd23 on GitHub (Dec 7, 2021).
Original GitHub issue: https://github.com/ridercz/AutoACME/issues/52

Hi,
We have been using LetsEncrypt/AutoACME on one of our Windows 2016 web servers for over a year, manually renewing every 90 days. The cert expired today and we ran the normal autoacme renew command, but received the below error.

```
Reading configuration from 'C:\CertStore\AutoACME\AutoACME-1.6.2\autoacme.json'...OK
Loading hosts expiring in 30 days...OK, 1 hosts to renew
Accepting TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf...OK
Host remote.waterheadacademy.co.uk expired 1 days ago (07 December 2021)
Testing authorization:
Writing challenge to C:\InetPub\wwwroot\AutoAcme\probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
Testing HTTP challenge:
Preparing request to http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
Getting response...OK
Reading response...OK
OK: Status code 200
OK: Content-Type header
OK: Expected response received
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
Preparing order
Getting authorization:
Getting challenge...
OK, the following is DNS name:
remote.waterheadacademy.co.uk
Writing challenge to C:\InetPub\wwwroot\AutoAcme\YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs...OK
Completing challenge...Challenge Invalid: https://acme-v02.api.letsencrypt.org/acme/chall-v3/56406974780/xtN6Uw Fetching http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs: Timeout during connect (likely firewall problem)
Failed
Deleting challenge from C:\InetPub\wwwroot\AutoAcme\YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs...OK
Renewal failed!
Authorization failed with status False
```

Port 80 appears to be open as I can put test files into the .well-known directory and it appears fine in the browser.
I'm not sure what else to try or could there be an issue with the AutoAcme infrastructure at the moment...

Any help would be appreciated.

Thank you

kerem closed this issue 2026-02-26 21:31:25 +03:00

@avonwyss commented on GitHub (Dec 8, 2021):

Can you access http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs from outside of your network (e.g. over mobile network)? This should give a 404 error since the challenge file has been deleted; if you get a timeout you need to find and fix the timeout so that the challenge file can be checked by the LE servers (Maybe port 80 has been blocked? Is the DNS entry on public DNS servers for remote.waterheadacademy.co.uk resolving to the correct IP address?).


@jmcd23 commented on GitHub (Dec 8, 2021):

Hi avonwyss, thanks for coming back to me.

Yes, I do get the 404, which is expected as the challenge file has been deleted. I can also confirm it does get created in the directory and is then removed, suggesting that the AutoACME tool is working. I took a quick copy of one of the challenge files and copied it back to check if I can access that directory over HTTP from outside the network, which I can, which suggests that DNS is also correct.

I also created a dummy test file into the location and it displays as expected.
Some examples...

http://remote.waterheadacademy.co.uk/.Well-known/acme-challenge/I23FmdgNfbBsdg0OMeq_EIJ4UOIwKinhLVzeIlwAGnI
http://remote.waterheadacademy.co.uk/.Well-known/acme-challenge/test12345678

There have been no changes to the web server, the firewalls or the ISP (as far as I know), so I'm a little stumped.

Anything else to check?

Thanks


@avonwyss commented on GitHub (Dec 8, 2021):

Well I can't access these URLs, so it does not surprise me that LE cannot access it either?

Here's what my DNS resolves to:

```
nslookup remote.waterheadacademy.co.uk

Non-authoritative answer:
Name:    remote.waterheadacademy.co.uk
Address:  88.98.180.178
```

And Qualys SSL Labs also cannot connect to your server.
https://www.ssllabs.com/ssltest/analyze.html?d=remote.waterheadacademy.co.uk&hideResults=on&latest


@jmcd23 commented on GitHub (Dec 8, 2021):

Thanks avonwyss, this is interesting, especially the Qualys discovery.

Google DNS does resolve to the same IP and the content displays ok for me.

So as a test I connected to a VPN and it seems I can only access the server from UK sources.

Thank you very much!


@avonwyss commented on GitHub (Dec 8, 2021):

You're welcome - I'll close this issue since there is nothing wrong with AutoACME.
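
The pattern this thread ran into, as an added example that is not part of the original discussion or of AutoACME: the tool's own HTTP self-test passes because it runs from the server's side of the network, while the CA's fetch comes from elsewhere and times out. The `triage` function and its category names are hypothetical; the log excerpt is shortened from the output quoted in the issue.

```python
import re

# Shortened excerpt of the AutoACME output quoted in the issue above.
SAMPLE_LOG = """\
Testing HTTP challenge:
Preparing request to http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/probe_de2dabc6-6e8f-4ba8-b915-7afb954f0d74...OK
OK: Status code 200
OK: Expected response received
Completing challenge...Challenge Invalid: https://acme-v02.api.letsencrypt.org/acme/chall-v3/56406974780/xtN6Uw Fetching http://remote.waterheadacademy.co.uk/.well-known/acme-challenge/YYrgraTd4dLkPGpq11Mrnzq3T9bpWshGsXHfwBoPPIs: Timeout during connect (likely firewall problem)
Failed
Renewal failed!
"""

# CA-side failure line: challenge URL, the URL the CA tried to fetch, its error detail.
CA_ERROR = re.compile(r"Challenge Invalid: (?P<chall>\S+) Fetching (?P<url>\S+): (?P<detail>.+)$")


def triage(log_text):
    """Separate the host's own self-test result from the CA-side validation result."""
    result = {"self_test_ok": False, "ca_failed": False,
              "url": None, "detail": None, "category": "no-failure"}
    for line in log_text.splitlines():
        line = line.strip()
        if line == "OK: Expected response received":
            result["self_test_ok"] = True      # local probe fetched its own file
        m = CA_ERROR.search(line)
        if m:
            result.update(ca_failed=True, url=m["url"], detail=m["detail"])
    if not result["ca_failed"]:
        return result
    timed_out = "timeout during connect" in result["detail"].lower()
    if timed_out and result["self_test_ok"]:
        # Reachable locally, dropped for the CA: look at source-based filtering
        # (firewall, geo/IP allow-list on port 80) and at public DNS, tested
        # from outside the network and outside the usual country.
        result["category"] = "blocked-from-outside"
    elif timed_out:
        result["category"] = "unreachable"     # no evidence the site answers anywhere
    else:
        result["category"] = "other-ca-error"  # read the detail text as given
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["category"], "-", r["detail"])
```
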
