System.Net.Http.WinHttpException (80072F8F, 12175): Error 12175 calling WINHTTP_CALLBACK_STATUS_REQUEST_ERROR #2527
Hi there. I receive the above error when trying to obtain a certificate with the win-acme client. The details are as follows:

[DBUG] [*.my-domain.de] Attempting to create DNS record under abcdefgh-1234-1234-1234-abcdefgh1234.auth.acme-dns.io...

I suspect something wrong in the certificate chain of the trusted certificates, as I also cannot open the site https://auth.acme-dns.io/register with the preinstalled IE11. It immediately shows a "page cannot be displayed" message. Opening the site with, for example, Firefox works, returning the expected "method not allowed" message. From what I read so far, others solved the problem by importing the ISRG root certificate into the trusted root certificate store. I already did so and restarted the server, but it did not solve the problem.

OS: Windows Server 2012R2, running IIS and Exchange 2013

It works on another machine with Windows Server 2016 from the same network. But I want to make it work on the Exchange server, so I can easily update the certificates there. Any help or ideas would be appreciated.
Replies: 1 comment 2 replies
It might be that the trust chain is OK but it's failing to negotiate a common TLS level and cipher suite. If you use IIS Crypto to check your enabled cipher suites and compare the working machine to the non-working machine, you may find you need to enable some of the more modern suites, like the ECDSA ones. If you don't share a matching set of ciphers between your machine and the acme-dns server, then you can't connect. In particular, if your 2012 server was an upgrade from Server 2008, a bunch of stuff doesn't work by default. 2012 is also past its supported end of life, but I'm sure you know that.
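As an added example (not code from win-acme or from either participant above), here is a PowerShell script that does the comparison the reply suggests without a GUI tool: it dumps the SCHANNEL protocol toggles and any explicit cipher suite order from the registry, lists the .NET Framework strong-crypto keys (relevant only if the failing client is a .NET Framework application), and then performs a TLS 1.2 handshake to the target with certificate validation left on, so a chain problem shows up as a distinct error rather than as a generic "secure failure". Run it as Administrator on both the working Server 2016 box and the failing 2012 R2 box and diff the output. The target host `auth.acme-dns.io` and port 443 are taken from the thread; everything else (function names, output layout) is this example's own choice.

```powershell
# Added example: compare SCHANNEL/.NET TLS settings and probe a TLS 1.2 handshake.
# Not part of win-acme. Assumes Windows PowerShell 4+ and an elevated session.
param(
    [string]$TargetHost = 'auth.acme-dns.io',   # host from the thread
    [int]$Port = 443                            # assumption: standard HTTPS port
)

function Get-SchannelProtocolState {
    # SCHANNEL protocol toggles. A missing key means the OS default applies;
    # Enabled=0 or DisabledByDefault=1 on the Client side breaks outbound TLS.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            $enabled = '(default)'; $disabledByDefault = '(default)'
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                if ($null -ne $p.Enabled)           { $enabled = $p.Enabled }
                if ($null -ne $p.DisabledByDefault) { $disabledByDefault = $p.DisabledByDefault }
            }
            [pscustomobject]@{ Protocol = $proto; Side = $side
                               Enabled = $enabled; DisabledByDefault = $disabledByDefault }
        }
    }
}

function Get-SchannelCipherSuiteOrder {
    # An explicit cipher suite order (often set by IIS Crypto or Group Policy) replaces
    # the OS default list; if a suite is missing here, it will never be offered.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    )
    foreach ($path in $paths) {
        if (Test-Path $path) {
            $v = (Get-ItemProperty -Path $path).Functions
            if ($v) {
                # Stored as a comma-separated REG_SZ or as REG_MULTI_SZ depending on how it was written.
                $suites = @($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                return [pscustomobject]@{ Source = $path; Suites = $suites }
            }
        }
    }
}

function Get-DotNetTlsDefaults {
    # .NET Framework 4.x only: without these, HttpClient/WebRequest may not offer TLS 1.2 on 2012 R2.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{ Key = $key
                               SchUseStrongCrypto = $p.SchUseStrongCrypto
                               SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions }
        }
    }
}

function Test-TlsHandshake {
    param([string]$HostName, [int]$Port = 443,
          [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12')
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation stays on: a broken chain surfaces as an AuthenticationException,
        # while a cipher/protocol mismatch surfaces as a different SCHANNEL error.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        [pscustomobject]@{
            Host        = $HostName; Result = 'OK'
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
            Hash        = $ssl.HashAlgorithm
            Issuer      = $ssl.RemoteCertificate.Issuer
        }
    } catch {
        [pscustomobject]@{ Host = $HostName; Result = 'FAIL'
                           Error = $_.Exception.GetBaseException().Message }
    } finally {
        $client.Close()
    }
}

Write-Host '== SCHANNEL protocol toggles =='
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host '== Explicit cipher suite order =='
$order = Get-SchannelCipherSuiteOrder
if ($order) { $order.Source; $order.Suites } else { '(none set; OS default list applies)' }
Write-Host '== .NET Framework TLS defaults =='
Get-DotNetTlsDefaults | Format-Table -AutoSize
Write-Host "== TLS 1.2 probe to ${TargetHost}:$Port =="
Test-TlsHandshake -HostName $TargetHost -Port $Port | Format-List
```

If the probe fails on the 2012 R2 box with a certificate or chain message, the trust store is the problem; if it fails with a SCHANNEL/handshake message while the same probe succeeds on the 2016 box, compare the cipher suite lists the two machines print and enable the missing modern suites on the failing one. Note that ECDSA suites can only be negotiated if the server presents an ECDSA certificate; what the probe reports as KeyExchange/Cipher on the working box is the concrete target to match.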