Authorization failed when running wacs.exe


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fastpassmanager.goering.de [5.10.178.170]

I ran this command:

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 200.0.6959.25723 (RELEASE)
[INFO] IIS version 7.5
[INFO] Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
C: Cancel scheduled renewal
X: Cancel all scheduled renewals
T: (Re)create scheduled task
I: Import scheduled renewals from WACS/LEWS 1.9.x
Q: Quit

Please choose from the menu: n

[INFO] Running in mode: Interactive, Simple

1: Single binding of an IIS site
2: SAN certificate for all bindings of an IIS site
3: SAN certificate for all bindings of multiple IIS sites
4: Manually input host names
C: Cancel

Which kind of certificate would you like to create?: 1

1: fastpassmanager.goering.de (SiteId 2)
C: Cancel

Choose binding: 1

It produced this output:
[INFO] Target generated using plugin IISBinding: fastpassmanager.goering.de
[INFO] Authorize identifier: fastpassmanager.goering.de
[INFO] Authorizing fastpassmanager.goering.de using http-01 validation (SelfHosting)
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

My web server is (include version): IIS Server 7.5

The operating system my web server runs on is (include version): Windows Server 2008 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes, admin privileges are provided

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Thanks in advance!


#2

Do they have a support channel?

IIS v7.5 doesn’t support SNI (not sure if this adds to the problem)


#3

Hi @Bancroft

your main configuration is ok ( https://check-your-website.server-daten.de/?q=fastpassmanager.goering.de ):

Domainname (IP) / Http-Status / redirect / Sec. / G
http://fastpassmanager.goering.de/ (5.10.178.170) / 200 / - / 0.077 / H
https://fastpassmanager.goering.de/ (5.10.178.170) / 200 / - / 1.603 / N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://fastpassmanager.goering.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (5.10.178.170) / 404 / - / 0.103 / A
  Not Found

Port 80 is open, the critical subdirectory /.well-known/acme-challenge is visible.

But (a standard IIS problem): Are files without extension allowed?

Find your webroot, create the two subdirectories /.well-known/acme-challenge and put a text file (file name 1234) without extension there.

Then try to load this file via

http://fastpassmanager.goering.de/.well-known/acme-challenge/1234

#4

PS: If this doesn’t work, you need a config file in /.well-known:

<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

That allows IIS to serve files without extension.


#5

Hi,

thanks for the quick response!

I created the subdirectories .wellknown and /acme-challenge and created a textfile without extension. I also added extensionless to the mimetypes.
When accessing the file via localhost directly on the server everything works properly. However, when I try to access the file using fastpassmanager.goering.de I get a 404 error.


#6

Did you create these subdirectories in your webroot?

Perhaps

C:\InetPub\wwwroot

but this may be another path?


#7

Yes, the file is currently present under the path
C:\inetpub\wwwroot\well-known\acme-challenge

What I managed to find out is that I currently have two websites:

  1. Default Website
  2. fastpassmanager.goering.de

I added the virtual directory C:\inetpub\wwwroot\well-known with Alias .well-known to the default website and suddenly the file is accessible!

Could this be the problem: That the default website gets triggered instead of the fastpassmanager.goering.de?


#8

You must use the webroot of fastpassmanager, not the default webroot (if you have two webservers).


#9

That should be .well-known
[with a dash]

And this one is missing the “.”


#10

When creating folders that start with a dot…

In some older Windows systems you may have to also include a dot after the folder name.

mkdir c:\inetpub\.well-known.
mkdir c:\inetpub\.well-known\acme-challenge


#11

This isn’t relevant if he creates a virtual directory with C:\inetpub\wwwroot\well-known\acme-challenge as path.


#12

Yes, exactly. I created a virtual directory with C:\inetpub\wwwroot\well-known\acme-challenge.

The file is accessible now with https://fastpassmanager.goering.de/.well-known/acme-challenge/1234

Any ideas on how to progress now?


#13

But not via http. Letsencrypt needs the file via http.

So an http / port 80 binding is required.


#14

Redirect all http to https.
LE will follow the redirection and should find the file in that folder
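As an added example, not posted by anyone in this thread: a PowerShell script that runs the checks discussed above in one go (webroot of the named site rather than the Default Web Site, extensionless test file, the web.config from #4, and a plain-HTTP fetch that reports a redirect instead of following it). It assumes the IIS site is named after the host name and that the WebAdministration module is available (IIS 7.5 on Windows Server 2008 R2).

```powershell
param(
    [string]$SiteName = 'fastpassmanager.goering.de',
    [string]$TestFile = '1234'   # extensionless test file, as used in the thread
)

Import-Module WebAdministration   # IIS 7.5 PowerShell module

# 1. Take the physical path of the named site, not of the Default Web Site.
$site = Get-Website -Name $SiteName
if (-not $site) { throw "IIS site '$SiteName' not found" }
$webroot = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$challengeDir = Join-Path $webroot '.well-known\acme-challenge'

# 2. Create the directories and an extensionless file with random content.
New-Item -ItemType Directory -Force -Path $challengeDir | Out-Null
$token = [guid]::NewGuid().ToString('N')   # constructed content; any string works
[IO.File]::WriteAllText((Join-Path $challengeDir $TestFile), $token)

# 3. Let IIS serve extensionless files from /.well-known (web.config from the thread; overwrites an existing one).
@'
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $webroot '.well-known\web.config')

# 4. Fetch over plain HTTP, as Let's Encrypt does. Redirects are reported, not
#    followed, so a self-signed certificate on the HTTPS side cannot mask the result.
$url = "http://$SiteName/.well-known/acme-challenge/$TestFile"
try {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    $code = [int]$resp.StatusCode
    if ($code -ge 300 -and $code -lt 400) {
        "REDIRECT: $url -> $($resp.Headers['Location']) (the validator will follow it)"
    } else {
        $body = (New-Object IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
        if ($body -eq $token) { "OK: $url served the test file" }
        else { "WARNING: $url returned $code but other content; another site may answer for this host" }
    }
} catch [System.Net.WebException] {
    # 404 here usually means the wrong webroot or blocked extensionless files;
    # a connection failure means the site has no HTTP (port 80) binding.
    "FAILED: $url -> $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell on the server itself; the fetch goes through the public host name, so it exercises the same binding and site selection the validator sees.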