I am using Windows IIS, method is standalone http server
I am able to access my site outside my network
"detail": "Invalid response from http://access.******.net/.well-known/acme-challenge/mAuQnObGvissQ6jkO8zUTPm1mLoTHhlhUU-kztdAZd8 [**.**.***.109]: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\\\"\u003e\\r\\n\u003chtml xmlns=\\\"http\"",
"status": 403
It seems your site requires authentication.
You need to exclude the /.well-known/acme-challenge/
folder from any such authentication requirement.
What does the HTTP vhost config for that site look like?
It’s set to Everyone, all permissions.
I see:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" requireAccess="Read" />
Try:
requireAccess="None"
Hi @manjotsc
Please don’t edit that general file.
You have to set the permissions in your website configuration.
That's expected.
There is a running webserver - https://check-your-website.server-daten.de/?q=access.manjot.net
Domainname | Http-Status | redirect | Sec. | G
---|---|---|---|---
http://access.manjot.net/ (45.73.127.109; GZip used - 319 / 359 - 11,14 %; Html is minified: 107,81 %) | 200 | | 0.263 | H
https://access.manjot.net/ (45.73.127.109) | -14 (Timeout - The operation has timed out) | | 10.046 | T
http://access.manjot.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (45.73.127.109; Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 1/4; Html is minified: 209,24 %) | 404 Not Found | | 0.263 | A
So use that running webserver instead of standalone.
Please read
Then something about Challenge Types:
Your menu shows a lot of different options. But it's impossible to say "use that method".
Probably… “webroot local folder” method should work.
That also didn’t work, I just used manual DNS.
DNS authentication is always a good and valid option.
That said, you should at least try to understand why it failed and if that presents any kind of a “production problem”.
It should have failed for only one of two reasons:
a) firewall blocking inbound ports (not likely - you would have seen related problems)
b) the webroot used didn’t line up with the /.well-known/acme-challenge/ request
In either case you still have a “problem”…
If “a”, then service will be less than expected/interrupted/or fully broken.
If “b”, then you may be serving an unknown path via the /.well-known/acme-challenge/ folder requests; which may inadvertently expose those contents to the Internet.
Or maybe “c”, something not yet covered…
Quality control at its finest:
That should teach me to get it right the first time! - LOL
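Tying together the two points raised in this thread (excluding /.well-known/acme-challenge/ from the site's authentication, and checking that the webroot you hand to the client is really the folder IIS serves for that path), here is an added PowerShell example. It is not code from the thread or from any ACME client; the site name, hostname and the "probe" token file are assumptions, and it must run elevated on the IIS host with outbound HTTP access to its own public name.

```powershell
# Added example (not from the thread): provision an unauthenticated
# .well-known/acme-challenge folder under an IIS site, then verify the
# webroot really maps to what the site serves over plain HTTP.
Import-Module WebAdministration

$SiteName = 'Default Web Site'      # assumption: IIS site name
$HostName = 'access.example.net'    # assumption: public hostname of that site

# Resolve the site's physical path (IIS stores it with %SystemDrive% unexpanded).
$WebRoot   = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)
$Challenge = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Force -Path $Challenge | Out-Null

# web.config scoped to the challenge folder only: serve extensionless token
# files as static content and allow anonymous access regardless of the
# site-level authorization rules. Nothing outside this folder is touched.
# (system.webServer/security/authorization is overridable in web.config by
# default; the anonymousAuthentication section is locked at server level,
# so if anonymous auth is disabled for the site it must be enabled in IIS
# Manager or appcmd rather than here.)
$WebConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clear />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <clear />
          <add fileExtension="." allowed="true" />
        </fileExtensions>
      </requestFiltering>
      <authorization>
        <clear />
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
'@
Set-Content -Path (Join-Path $Challenge 'web.config') -Value $WebConfig -Encoding UTF8

# Webroot alignment check: write a random token file and fetch it the way the
# CA would (plain HTTP, no credentials, no redirects followed).
#   200 + matching body -> folder is served anonymously from the right place
#   403                 -> authentication/authorization still applies
#   404 / other body    -> IIS serves a different folder for this path
#                          (the "b" case: webroot does not line up)
$Token    = -join ((1..32) | ForEach-Object { '{0:x}' -f (Get-Random -Maximum 16) })
$Expected = "probe-$Token"   # assumption: constructed probe content
$TokenFile = Join-Path $Challenge $Token
Set-Content -Path $TokenFile -Value $Expected -NoNewline -Encoding ASCII
try {
    $r = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/$Token" `
                           -UseBasicParsing -MaximumRedirection 0
    if ($r.StatusCode -eq 200 -and $r.Content.Trim() -eq $Expected) {
        Write-Host "OK: challenge path is served anonymously from $Challenge"
    } else {
        Write-Host "MISMATCH: HTTP $($r.StatusCode), body '$($r.Content)'"
    }
} catch {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
    Write-Host "FAILED: HTTP $status - $($_.Exception.Message)"
} finally {
    Remove-Item -Path $TokenFile -ErrorAction SilentlyContinue
}
```

If the probe returns 200 but with the site's login page or an HTML body instead of the token (as in the error quoted at the top of this thread), the request is being intercepted before the static-file handler runs; that is the case the location-scoped authorization rule above is meant to fix.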
It worked with the “Standalone TLS-ALPN Server” method. Now I tried to obtain a certificate for another site with the same configuration, running on the same server, and it’s giving “verify error:connection reset by peer”.
Is it possible that when you first did it, there was no HTTPS server on the machine, but now there is?
The “standalone” methods normally assume that there is no other program listening on port 443. So they’re suitable for use on a machine with no HTTPS listener, or one where you temporarily shut down the other software that uses port 443 while getting your new certificate.
I changed the port on the previous web server from 443 to 4433, and this one is running on 443.
I used the “socat[32317] E bind(5, {LEN=0 AF=2 0.0.0.0:80}, 16): Address already in use”. I am getting this 0.0.0.0:80 bind error.
Can you show which service is already on :80?
netstat -pant | grep 80
And the full command you ran that produced that error.
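The `netstat -pant` command above answers the question on a Linux host (`ss -ltnp` is the modern equivalent). Since the thread started on Windows IIS, here is an added PowerShell example, not from the thread, that does the same job there: it lists what is already listening on the ports a "standalone" validator needs to bind (80 for http-01, 443 for tls-alpn-01) and maps each listener to its owning process. The port list and the helper name are assumptions; run it elevated.

```powershell
# Added example (not from the thread): show which process owns the ports an
# ACME standalone listener wants, so a bind conflict like the one above can
# be traced before running the client.
Import-Module WebAdministration

function Get-AcmePortListeners {
    param([int[]]$Ports = @(80, 443))   # assumption: ports a standalone validator binds

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                PID     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '?' }
                # IIS does not own the socket itself: the kernel HTTP.sys
                # listener (PID 4, "System") does, which is why netstat -ano
                # never shows w3wp.exe on port 80/443.
                Note    = if ($_.OwningProcess -eq 4) { 'HTTP.sys (IIS or another http.sys-based service)' } else { '' }
            }
        }
}

Get-AcmePortListeners | Format-Table -AutoSize

# When HTTP.sys holds the port, the IIS bindings say which site answers there.
# A site bound to *:443 must be moved or stopped before a TLS-ALPN standalone
# listener can bind, exactly as described earlier in the thread.
Get-WebBinding | Select-Object protocol, bindingInformation
```

A listener shown as PID 4 with no matching `Get-WebBinding` entry points at a non-IIS service registered with HTTP.sys (for example WinRM on 5985/5986, or another component using `netsh http add urlacl`); `netsh http show servicestate` lists those registrations.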