403 error code-Win-ACME

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tst2authaemforms.serviceconnect.defence.gov.au

I ran this command: wacs.exe > r

It produced this output:

[tst2authaemforms.serviceconnect.defence.gov.au] Authorizing...
[tst2authaemforms.serviceconnect.defence.gov.au] Authorizing using http-01 validation (SelfHosting)
[tst2authaemforms.serviceconnect.defence.gov.au] Authorization result: invalid
[tst2authaemforms.serviceconnect.defence.gov.au] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "20.70.4.114: Invalid response from AEM Sign In "\n<html lang=\"en\">\n\n <meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\">\n \n <meta n"",
"status": 403

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): n/a

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win-ACME

Checked firewall, domain is behind Azure Application Gateway. No recent changes. It was working fine earlier.

You're most likely running a non-IIS web server such as Apache, so win-acme's own self-hosted HTTP challenge listener cannot share the HTTP (http.sys) pipeline, which it would be able to do if you were using IIS.

To use win-acme self hosted mode (which runs an http listener) you would need to stop your existing web server process (whichever it is, Apache, Apache Tomcat etc) then run win-acme for the renewal, then restart your service.

3 Likes

Hi, we are using IIS, thanks.

1 Like

Ok, so the next problem would be that the gateway you are using may not be forwarding http requests as http (tcp port 80). win-acme is only listening on TCP port 80, so self-hosting mode won't work.

If you redirect all http /.well-known/acme-challenge/ requests to https before they reach your server then the challenge response file needs to be presented via https instead, so you would need to serve the http challenge response via IIS through the website file system: win-acme

4 Likes
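An added pre-flight check (not win-acme's code, nor anything posted in this thread) that reproduces what the CA does: it requests the http-01 path over plain port 80 without following redirects, then reports whether the answer is an HTTPS redirect, a 403/sign-in page like the "AEM Sign In" HTML in the error above, or the expected key authorization. The token and thumbprint values are constructed placeholders.

```python
import http.client
import re

# Constructed placeholders: win-acme publishes <token> and serves "<token>.<account thumbprint>"
SAMPLE_TOKEN = "EXAMPLE_TOKEN_placeholder"
SAMPLE_KEY_AUTH = SAMPLE_TOKEN + ".EXAMPLE_THUMBPRINT_placeholder"


def classify_challenge_response(status, headers, body, key_auth):
    """Explain why an ACME http-01 probe would fail, from a raw HTTP response.

    headers: dict with lowercase header names. Returns a short reason string.
    """
    if 300 <= status < 400:
        loc = headers.get("location", "")
        if loc.lower().startswith("https://"):
            # Gateway bounces port 80 to 443: win-acme's self-hosted listener never sees the request
            return "redirected-to-https"
        return "redirected-elsewhere"
    if status in (401, 403):
        # Something in front of the site (gateway, WAF, app sign-in) answered instead of win-acme
        return "blocked-by-gateway-or-auth"
    if status == 404:
        return "not-found"
    if status != 200:
        return f"unexpected-status-{status}"
    if body.strip() == key_auth:
        return "ok"
    if "text/html" in headers.get("content-type", "").lower() or re.search(r"<html", body, re.I):
        return "html-page-instead-of-token"  # an application page served on the challenge path
    return "wrong-body"


def probe(domain, token, key_auth, timeout=10):
    """GET http://<domain>/.well-known/acme-challenge/<token> on port 80, no redirects followed."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    path = f"/.well-known/acme-challenge/{token}"
    conn.request("GET", path, headers={"Host": domain, "User-Agent": "acme-preflight/0.1"})
    resp = conn.getresponse()
    body = resp.read(4096).decode("utf-8", "replace")
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return classify_challenge_response(resp.status, headers, body, key_auth)


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(probe(domain, SAMPLE_TOKEN, SAMPLE_KEY_AUTH))
```

Run it with the real token while win-acme is waiting on the challenge; anything other than "ok" is what the CA will also see from outside.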

As an aside, obviously I'm the developer of https://certifytheweb.com and if you use that for your certs it should just work, because it will automatically fall back to trying IIS even if port 80 traffic can't be used etc. If you have tried that and encountered a problem let me know and I'll try to help. I would however advise against trying many different tools and instead just get good at using one of them, because then you can just document the process that's being used.

4 Likes

Sure, I will check the application. Does it create pfx as well?

2 Likes

Certify Certificate Manager will create a PFX by default (stored on the machine certificate store) and will also (by default) look for matching IIS sites to apply it to, based on the IIS http/https binding hostname matching the certificate identifiers.

You can additionally export the PFX to other locations using a deployment task (under Tasks) if you need to use the file directly, using an Export Certificate task (which can output PFX or any certificate component files). If you are using IIS Centralized Certificate Store there is also a deployment task for that.

5 Likes
