403 error trying to make new cert in win-acme

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bulgier.com

I ran this command: wacs.exe

It produced this output:
Authorizing using http-01 validation (SelfHosting)
Authorization result: invalid
{
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "97.113.42.253: Invalid response from http://bulgier.com/.well-known/acme-challenge/oCHCq0j80m5jhHjApz7WPSL3cPwLtt0gC38cARvTAp8: 403",
"status": 403
}

My web server is (include version): IIS 8.0.9200.16384

The operating system my web server runs on is (include version): Windows server 2012 build 9200

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win-Acme 2.1.20.1185 (release, trimmed, standalone, 64-bit)

Win-acme didn't create the .well-known folder, so I created it manually, and the acme-challenge subfolder.
I created a test file in acme-challenge and I can access it from the web, via http or https.

Grateful for any advice!

1 Like

Hi @bulgie, and welcome to the LE community forum 🙂

This generally means authentication required.
The challenge path should never require authentication.
That said, I see that you might have already made some progress in that direction:

curl -Ii http://bulgier.com/.well-known/acme-challenge/oCHCq0j80m5jhHjApz7WPSL3cPwLtt0gC38cARvTAp8
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/8.0
Date: Fri, 29 Apr 2022 01:14:28 GMT

Now it returns 404, which is to be expected when a file is not found.

3 Likes

I don't think I've made any progress, it's still doing the same thing (I keep trying...). I don't see any evidence that the challenge file ever gets created. The file I put there ("test-file.txt") is accessible from the web, so I believe the challenge file would be accessible too, if it existed.

I'm not familiar with Win-ACME, so I won't be able to speak from experience there.
My first thought is to find and go through any logs it might have created - looking for errors and clues.
My second thought is to try another client.
Lastly is to review the IIS configuration and ensure the client isn't being confused as to where the site is being served from.

3 Likes

Can you try a test file without an extension? That can be problematic in IIS.

See this thread for more details.

I know acme clients like Certify The Web would handle that. I don't know wacs well enough to say.

4 Likes
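
The two replies above both come down to one question: what does IIS answer for a bare, unauthenticated GET on the challenge path, and does the answer differ for a file with an extension versus the extension-less name a real token has? The probe below is an added example written for this thread; it is not win-acme code and not from any post above. It assumes Windows PowerShell 3.0 to 5.1 (the catch block reads the HttpWebResponse that Invoke-WebRequest throws on 4xx), that port 80 of $Domain is reachable from where it runs, and that the two file names are placeholders ("a-token-without-extension" stands in for a real ACME token). When win-acme is in SelfHosting mode the challenge file is never written to disk, so this shows what the request falls through to if the client's own listener is not answering.

```powershell
# Added probe for this thread; not win-acme code. Assumes Windows PowerShell 3.0-5.1 and
# placeholder file names (no real token is used).
function Test-AcmeChallengePath {
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        [string[]] $Names = @('test-file.txt', 'a-token-without-extension')
    )
    foreach ($name in $Names) {
        $url = "http://$Domain/.well-known/acme-challenge/$name"
        try {
            # No credentials, no cookies, no redirect following: the CA's validator sends a bare GET.
            $r       = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
            $status  = [int]$r.StatusCode
            $wwwAuth = $r.Headers['WWW-Authenticate']
            $server  = $r.Headers['Server']
        } catch {
            $resp = $_.Exception.Response
            if ($null -eq $resp) { throw }   # no HTTP answer at all: DNS, firewall or connection refused
            $status  = [int]$resp.StatusCode
            $wwwAuth = $resp.Headers['WWW-Authenticate']
            $server  = $resp.Headers['Server']
        }
        $verdict = switch ($status) {
            200 { 'served: path reachable, file exists' }
            404 { 'not found: path reachable without auth; a token file placed here would be served' }
            401 { 'authentication demanded on the challenge path; it must be anonymous' }
            403 { 'forbidden: IIS refused the request (authorization rules, IP restrictions, or a handler that does not serve this path)' }
            default {
                if ($status -ge 300 -and $status -lt 400) { 'redirect: check where it points' }
                else { 'unexpected status' }
            }
        }
        [pscustomobject]@{
            Url             = $url
            Status          = $status
            Server          = $server
            WwwAuthenticate = $wwwAuth
            Verdict         = $verdict
        }
    }
}

# Usage: Test-AcmeChallengePath -Domain bulgier.com | Format-List
```

Read the two rows together: a 200 for test-file.txt next to a 404 for the extension-less name means IIS is refusing to serve files without an extension, which is the case the reply above points at (the usual IIS remedy is a web.config in acme-challenge whose staticContent/mimeMap entry maps fileExtension="." to text/plain). A 404 for both, as in rudy's curl output, means the path itself is fine and the problem is upstream of IIS, in whatever is supposed to answer the token request.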

This part means win-acme is trying to be the web server for the http challenge response on port 80. It starts an http listener in front of IIS and should only respond with either the correct response or a 404. In this case it seems like the http listener is not managing to bind properly and the request is falling through to IIS. I'd just suggest restarting the machine. https://certifytheweb.com (the app I develop) works in very much the same way and occasionally some systems do have trouble with this listener approach.

Also make sure you're running the command as an administrator (non-admins can't run a process that listens on port 80 unless a specific ACL has been granted).

3 Likes
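
The reply above describes the client and IIS sharing port 80, and that is possible because both go through HTTP.sys, which dispatches each request to the process that registered the longest matching URL prefix; if the client's registration never happens (the shell is not elevated and no URL reservation exists, or a non-HTTP.sys process already holds the raw socket), the request lands on IIS's own "*:80/" registration, and IIS answers for a file that was never written. The script below is an added diagnostic for exactly those three conditions; it is not win-acme code and not from any post above. It assumes it is run on the IIS host in Windows PowerShell 3.0 or later, that netstat and netsh are present (they are on Server 2012), and that win-acme's self-hosting mode registers a prefix under /.well-known/acme-challenge/ with HTTP.sys, which is an assumption about the client rather than a value taken from it.

```powershell
# Added diagnostic for the self-hosting listener; not win-acme code. Assumes Windows
# PowerShell 3.0+ on the IIS host. The challenge prefix mentioned in comments is assumed.

function Test-IsElevated {
    # HttpListener can bind http://+:80/... only as an administrator or for an account
    # holding a URL reservation (netsh http add urlacl); this shows which case applies.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-Port80Listeners {
    # LISTENING sockets on TCP port 80. IIS and every HttpListener share HTTP.sys, so the
    # expected owner is PID 4 (System); any other PID is a process holding the port outright.
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):80\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$Matches[2]
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $Matches[1]
                Pid          = $ownerPid
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
    }
}

function Get-HttpSysPort80 {
    # Reservations say who is allowed to listen; registrations say who is listening right now.
    # IIS normally appears as HTTP://*:80/. A self-hosting ACME client would add a longer prefix,
    # assumed to be of the form http://+:80/.well-known/acme-challenge/, only while it is validating.
    $reserved   = netsh http show urlacl | Select-String -Pattern ':80/' | ForEach-Object { $_.Line.Trim() }
    $registered = netsh http show servicestate view=requestq | Select-String -Pattern ':80/' | ForEach-Object { $_.Line.Trim() }
    [pscustomobject]@{ Reservations = @($reserved); Registrations = @($registered) }
}

function Show-SelfHostingDiagnostics {
    $elevated = Test-IsElevated
    "Elevated shell: $elevated"
    if (-not $elevated) { 'Run wacs.exe from an elevated prompt, or grant a URL ACL for the challenge prefix.' }
    'TCP port 80 listeners:'
    Get-Port80Listeners | Format-Table -AutoSize | Out-String
    $h = Get-HttpSysPort80
    'HTTP.sys reservations on :80/'
    $h.Reservations
    'HTTP.sys registrations on :80/'
    $h.Registrations
}

Show-SelfHostingDiagnostics
```

The registration line for the challenge prefix exists only while the client is waiting on validation, so run this from a second window while wacs.exe is in the middle of a request, or compare the output before and during. A listener on port 80 owned by something other than PID 4 is the case where restarting, or stopping that process, is the fix; an unelevated shell with no reservation is the case the second paragraph of the reply above covers.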