Is it necessary for the ACME URL and the target site to be hosted on the same IIS server?

I have an infrastructure with three IIS servers:

IIS Server 1 – Hosts the ACME URL server.
IIS Server 2 – Configured with URL Rewrite to forward requests to the ACME server (Server 1).
IIS Server 3 – Hosts the target site where certificate renewal is required, with URL Rewrite pointing to Server 2.

When I attempt to register my account, I encounter the following error:

“Failed to register account with certificate authority: An error occurred while sending the request.”

Hi,

Thanks, you have mentioned a few things about rewrites etc but what we really need to know is what you are specifically looking to achieve, with example domain names for each server etc.

There are many ways to configure how renewals work, so really we’d need to know what your actual scenario is, not (yet) how your servers might be configured to achieve that.

  • Unless you are load balancing the same domain/subdomain across multiple servers the simplest thing to do is install the app on each server and configure for each site.

  • Where you have complex requirements for multi server renewals and http domain validation isn’t going to work we would suggest using DNS domain validation instead.

  • It is possible to use multiple servers and have them participate in serving challenge responses but you’d need shared storage that instantly syncs across all servers, so they all give the same http response when queried.

  • If using HTTP domain validation only and you have decided you only want one server to be answering the challenges you can use a web application firewall to serve all /.well-known/acme-challenge responses from one server, then use the IIS CCS feature to deploy renewed certificates to any/all servers.

  • You could redirect using URL rewrite but that means falling back to serving http challenge responses via IIS, rather than the built in HTTP challenge response listener (on TCP port 80).

Regarding your error “Failed to register account…” that sounds like the machine running Certify can’t talk to the ACME CA (e.g. Let’s Encrypt). For public CAs you generally need to allow outgoing https. If you are not specifically blocking communication, which CA are you trying to use and what version of Windows are you using?
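For reference, this is what the "redirect using URL rewrite" option from the reply above looks like as an IIS URL Rewrite rule in a site's web.config. It is an added example, not configuration from this thread or from the Certify The Web project, and the hostname `acme-server.example.internal` is a placeholder for whichever server you decide will answer HTTP-01 challenges. The rule matches only the ACME challenge path, so the rest of the site is unaffected, and it issues a 302 that the CA follows to the answering server.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config for a site that should NOT answer ACME
     challenges itself, but hand them off to one designated server.
     acme-server.example.internal is a placeholder hostname. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Match only /.well-known/acme-challenge/<token>; everything
             else on the site is served as normal. -->
        <rule name="Redirect ACME HTTP-01 challenges" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/(.*)$" />
          <!-- 302 to the server that actually holds the challenge response.
               {R:1} carries the token from the original request. -->
          <action type="Redirect"
                  url="http://acme-server.example.internal/.well-known/acme-challenge/{R:1}"
                  redirectType="Temporary"
                  appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things to check when using this pattern: the redirect target must be reachable from the public internet on port 80, because the CA's validation servers follow the redirect themselves rather than your IIS host fetching the response on their behalf; and after deploying, request `http://yourdomain/.well-known/acme-challenge/test` from outside your network and confirm you get a 302 to the designated server rather than a 404 from the local site. If you would rather proxy the request server-side (an `action type="Rewrite"` to another host), IIS needs the Application Request Routing module installed with proxying enabled; a plain URL Rewrite install will only redirect.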

I have lab where I have configured multiple layers: first, the IIS ACME Server site is deployed. Then, a Load Balancer routes traffic to a second IIS Server where the ACME URL site is deployed and rewritten to the ACME Server. Finally, there is a third IIS Server hosting the site where the certificate renewal needs to be performed, and it communicates with the second IIS Server