ACME server failed, but webserver says 200 OK

Please fill out the fields below so we can help you better.

My domain is: www.sankthansfjellet.no

I ran this command: letsencrypt.exe

It produced this output:
The ACME server was probably unable to reach http://www.sankthansfjellet.no/.well-known/acme-challenge/xxxxxxxx

My web server is (include version): IIS 8.5

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: Self serviced

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

  1. I can access the acme-challenge file from outside the server and firewall.
  2. I see a hit in the logfile from letsencrypt
    "2017-08-04 10:50:09 213.162.246.137 GET /.well-known/acme-challenge/FS95YFp9n6id2wE_KIEN9KR5hN8b5fjFuGOipT25cXs - 80 - 64.78.149.164 Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 160"

  3. The error I get is similar to when the server cannot find the file, e.g.:
    "The ACME server was probably unable to reach http://www.sankthansfjellet.no/.well-known/acme-challenge/FS95YFp9n6id2wE_KIEN9KR5hN8b5fjFuGOipT25cXs"

Best regards
Vidar

Could you post the full command you used, and the full output from that command? There are a lot more pieces of information in there that the community would need in order to point you in the right direction.

Hi @vidarm,

I experience the exact same issue!

My domain is: corbulocollege.nl
and another hostname I use is: www.corbulocollege.nl

I ran this command: \LetsEncryptSimple\letsencrypt.exe --san --test
and: \LetsEncryptSimple\letsencrypt.exe --san

It produced this output:
"The ACME server was probably unable to reach http://corbulocollege.nl/.well-known/acme-challenge/TSbBYwPm04Ho7LbK5SbsMuhqP8vGnK4qcNPptbZmLtg
and:
The ACME server was probably unable to reach http://www.corbulocollege.nl/.well-known/acme-challenge/NpFGNc8Q2ABvusIEDX4rml9PPfCUMA2qQOHodCaBSXg

Check in a browser to see if the answer file is being served correctly.

This could be caused by IIS not being setup to handle extensionless static
files. Here’s how to fix that:

  1. In IIS manager goto Site/Server->Handler Mappings->View Ordered List
  2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
    (like this http://i.stack.imgur.com/nkvrL.png)
  3. If you need to make changes to your web.config file, update the one
    at C:\scripts\LetsEncrypt\LetsEncryptSimple\web_config.xml"

My web server is (include version): MS IIS 10.0

The operating system my web server runs on is (include version): Windows Server 2016 Standard

My hosting provider, if applicable, is: Self serviced

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

I can access the acme-challenge file from outside the server and firewall.
I see 2 hits in the IIS logfiles (for each hostname in the san):
2017-08-06 13:18:12 2a01:7c8:fffd:57d::1 GET /.well-known/acme-challenge/NpFGNc8Q2ABvusIEDX4rml9PPfCUMA2qQOHodCaBSXg - 80 - 2600:3000:2710:300::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 151

2017-08-06 13:18:17 2a01:7c8:fffd:57d::1 GET /.well-known/acme-challenge/TSbBYwPm04Ho7LbK5SbsMuhqP8vGnK4qcNPptbZmLtg - 80 - 2a01:7c8:ba1a:ffff::2 Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 59

  1. When I request a SAN certificate for a different domain on the exact same IIS web (and same webroot directory) the certificate is issued and installed without any errors/problems. So it seems that the problem is specifically for this domain.
    Can it be so that the domain name is stuck in a rate limit problem? Does letsencrypt use a blacklist? If so, is my domain on it and why? How can I release it again?

Thanks for any help or knowledge that’s provided to me!
TC

I think this is a client bug at least in terms of not correctly reporting the underlying error.

Maybe someone can post an issue at

Also, @cpu, can you confirm the underlying reason from the CA side that these certificates failed to issue? Then maybe we can understand what error condition it is that letsencrypt-win-simple isn’t telling the users about.

Hi Guys!

Jared, my exact command is only letsencrypt.exe, then I choose my website from the list.

RedFeet, I have moved my static file up. And I am able to browse to the file. No problem. I even see the letsencrypt server accessing the site and my file, and the result from the access is 200 OK, so it seems to be able to read the file.

Is there a way to get more out of the logs?

Rgs
Vidar

Hi @vidarm,

The reason you aren't able to issue for this domain is because your authoritative nameserver is returning SERVFAIL for CAA queries. It looks like your nameservers are being handled by prosmysdomain.no (perhaps?) and you should open a ticket with them. Please refer to our CAA documentation for more information. There is also lots of information in the forum available about CAA and SERVFAIL responses.

Unfortunately ACMESharp is not showing users the true failure cause. There's an open issue: Show more detail on failed authorizations · Issue #267 · ebekker/ACMESharp · GitHub about this failure that my colleague @jsha opened when someone else encountered a similar CAA error with ACMESharp.

Hi @Redfeet,

Your error is similar but not identical to @vidarm's. In your case corbulocollege.nl has CAA records that don't authorize Let's Encrypt to issue:

"CAA record for www.corbulocollege.nl prevents issuance"

I can verify this with dig from my network:

0 iodef "mailto:abuse@esloo.nl"
0 issue "comodoca.com"
0 issue "geotrust.com"

Only Comodo and GeoTrust are authorized to issue for this domain. You should regenerate the CAA records using SSLMate's CAA record generator and ensure that Let's Encrypt is also selected.

Again ACMESharp is not showing you the true failure cause. There’s an open issue: Show more detail on failed authorizations · Issue #267 · ebekker/ACMESharp · GitHub about this and I encourage you to comment on that issue to describe how it could have saved you some troubleshooting headache :slight_smile:

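Both failures in this thread are CAA policy outcomes that the client never surfaced. The following is an added example (not from the thread, ACMESharp or letsencrypt-win-simple) of how a CA evaluates CAA before issuing: it climbs from the hostname to the first CAA RRset (RFC 8659), treats a SERVFAIL anywhere on the way as a hard failure, and checks whether the requested CA is listed. DNS answers are a constructed in-memory table (corbulocollege.nl copies the dig output quoted above; sankthansfjellet.no models the SERVFAILing nameserver); the issuewild handling goes slightly beyond the thread.

```python
# Added example: CAA evaluation as a CA performs it, run against a constructed
# DNS table so it works offline.  A real checker would query with dnspython
# (dns.resolver.resolve(name, "CAA")) and map SERVFAIL to the same verdict.
SERVFAIL = "SERVFAIL"  # sentinel: the authoritative server failed the query

# Constructed records mirroring the thread (flags, tag, value).
ZONES = {
    "corbulocollege.nl": [(0, "iodef", "mailto:abuse@esloo.nl"),
                          (0, "issue", "comodoca.com"),
                          (0, "issue", "geotrust.com")],
    "sankthansfjellet.no": SERVFAIL,
}

def lookup_caa(name, zones=ZONES):
    """Stand-in for a CAA query: [] means NOERROR with no CAA records."""
    return zones.get(name.rstrip(".").lower(), [])

def relevant_caa(name, zones=ZONES):
    """RFC 8659 s3: walk from the name up towards the root and return the
    first CAA RRset found (the 'relevant' set).  SERVFAIL anywhere aborts."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = lookup_caa(owner, zones)
        if rrset == SERVFAIL:
            raise LookupError(f"SERVFAIL for CAA {owner}")
        if rrset:
            return owner, rrset
    return None, []

def issuance_allowed(name, ca, zones=ZONES, wildcard=False):
    """Return (verdict, detail); verdict is 'allowed', 'blocked' or 'servfail'."""
    try:
        owner, rrset = relevant_caa(name, zones)
    except LookupError as e:
        return "servfail", str(e)
    if not rrset:
        return "allowed", "no CAA records in the tree"
    tags = {tag for _, tag, _ in rrset}
    # issuewild governs wildcard requests only when present; otherwise issue applies
    use = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if use not in tags:
        return "allowed", f"CAA at {owner} has no {use} property"
    # value is "<ca-domain>[; params]"; an empty domain (";") forbids every CA
    cas = {val.split(";")[0].strip().lower() for _, tag, val in rrset if tag == use}
    if ca.lower() in cas:
        return "allowed", f"CAA at {owner} lists {ca}"
    return "blocked", f"CAA at {owner} only authorizes {sorted(c for c in cas if c)}"
```

Calling `issuance_allowed("www.corbulocollege.nl", "letsencrypt.org")` yields "blocked" until a `0 issue "letsencrypt.org"` record is added, and `issuance_allowed("www.sankthansfjellet.no", "letsencrypt.org")` yields "servfail", which is exactly what the client failed to report.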
Thanks @cpu and @schoen!

That means that my conclusion that it was a domainname-related issue, was correct…
I have asked the people that maintain the DNS to add a CAA-record with: 0 issue "letsencrypt.org"
Once that has been done, I hope to see that the cert gets renewed (automatically).

I will comment on https://github.com/ebekker/ACMESharp/issues/267 and provide this example. It indeed cost me numerous hours…

The certs were automatically renewed as they should!
Thanks again @cpu for pointing me in the right direction!

and they lived happily ever after