Acme Challenge, not working

I am using Windows IIS, method is standlone http server
I am able to access my site outside my network


1 Like
"detail": "Invalid response from http://access.******.net/.well-known/acme-challenge/mAuQnObGvissQ6jkO8zUTPm1mLoTHhlhUU-kztdAZd8 [**.**.***.109]: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"\\\"\u003e\\r\\n\u003chtml xmlns=\\\"http\"",
"status": 403

It seems your site required authentication.
You need to exclude the /.well-known/acme-challenge/ folder from any such authentication requirement.

1 Like

What does the HTTP vhost config for that site look like?


it’s set to everyone all permissions

I see:




Hi @manjotsc

please don’t edit that general file.

You have to set the permissions in your website configuration.

1 Like

It’s still giving same error.

That's expected.

There is a running webserver -

Domainname Http-Status redirect Sec. G GZip used - 319 / 359 - 11,14 % 200 Html is minified: 107,81 % 0.263 H -14 10.046 T
Timeout - The operation has timed out Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 1/4 404 Html is minified: 209,24 % 0.263 A
Not Found

So use that running webserver instead of standalone.

1 Like

You mean the method? I am confused. Sorry about that.

Please read

Then something about Challenge Types:

Your menu shows a lot of different options. But it's impossible to say "use that method".

1 Like

Probably… “webroot local folder” method should work.

that also, didn’t work, i just used manual dns.

DNS authentication is always a good and valid option.
That said, you should at least try to understand why it failed and if that presents any kind of a “production problem”.
It should have failed for only one of two reasons:

  • firewall blocking inbound ports (not likely - you would have seen related problems)
  • the webroot used didn’t line up with the /.well-known/acme-challenge/ request

In either case you still have a “problem”…
If “a”, then service will be less than expected/interrupted/or fully broken.
If “b”, then you may be serving an unknown path via the /.well-known/acme-challenge/ folder requests; which may inadvertently expose those contents to the Internet.
Or maybe “c”, something not yet covered…

1 Like

Quality control at its’ finest:

That should teach me to get it right the first time! - LOL


It worked with “Standalone TLS-ALPN Server” method. Now I Tried to obtain certificate another site same configuration, running on same server, it’s giving “verify error:connection reset by peer

Is it possible that when you first did it, there was no HTTPS server on the machine, but now there is?

The “standalone” methods normally assume that there is no other program listening on port 443. So they’re suitable for use on a machine with no HTTPS listener, or one where you temporarily shut down the other software that uses port 443 while getting your new certificate.

I changed the port on previous web server, from 443 to 4433 and this is running on 443,

I used the “socat[32317] E bind(5, {LEN=0 AF=2}, 16): Address already in use” I am getting this bind error.

can you show which service is already on :80?
netstat -pant | grep 80

And the full command you ran that produced that error.