Authorization issues

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
quantumprofile.com

I ran this command:
.\wacs.exe --target iissite --siteid 181

It produced this output:
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "During secondary validation: Invalid response from http://www.quantumprofile.com/.well-known/acme-challenge/eIlw2JFnhBTcGXpSzSD7RrhV5bdCzQt_ZE8HV1DH8Es [198.38.83.28]: "Administrative Quarantine</head><table width=\"100%!\(MISSING)">

<td bgcolor=#3300cc align="",
"status": 403

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows 2016

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 2.1.5

We experience issues with SSL validation and we are behind a firewall where lots of IPs are blocked and I’m pretty sure that this is the issue here. Is there any way to provide me with the IPs currently used for validation? We need to check our logs to see why these IPs got blocked on the firewall and make sure that this won’t happen again.

Thank you!

1 Like

Hi @martinchako

Let's Encrypt uses - new - multiple systems to validate your domain.

Read

Your error: The Let's Encrypt servers can connect to your server. These additional servers can't.

So allow that if you want to use http validation.

1 Like

Hello,

Thanks for the quick response!

The error message looks like the one we have on our firewall when an IP is blocked and for this reason I thought that the IP used for validation can be blocked.

Just to make sure that I understand correctly. We need to make a request from this form:

am I correct?

Hello,

The error message looks like the one we have on our firewall when an IP is blocked and for this reason I thought that the IP used for validation can be blocked.

Do you mean that our IPs are blocked and we need to fill the form at:

403 usually means "authentication required".

Not sure what this means, nor how to allow.
But definitely, the problem is within your server and within your control.

1 Like

no. exceptions will expire in June anyhow.

you need to allow all IPs or move to dns-01 validation.

1 Like

Don't block ip addresses. That's wrong if you want to use http validation.

1 Like

I agree with you but we have a complex network and we need an IP to check what was causing the block so that we can fix it. I’m not talking about one server trying to make validation. We have lots of servers but since we cannot determine the IP of the server which makes the validation request or at least the PTR record of the IP so that we can find the IP in the list of the blocked IPs.

they will change without notice.

you should allow all or seriously think about switching to dns validation.

1 Like

Ok, let them change it. I need to see why the IP in question is blocked now so that when they change it we will not block it again.

well, currently it’s from AWS. but don’t count on this. it might validate from anywhere.

read here:

1 Like

I understand that. I need the IP. When I have the IP I will check our logs and see why that IP is blocked and when I see why this IP is blocked I will fix the issue. It’s simple but unfortunately we are going nowhere here…

nobody knows the IP. :smiley:

and who knows isn’t telling.

check if you can use dns-01, it will solve this problem.

1 Like

Great.

Please close this one.
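
Added example, not part of any post in this thread and not Let's Encrypt or win-acme code: a validation request stopped at the firewall never reaches IIS, so the IIS W3C log shows only the validation sources that got through. The Python script below groups challenge requests by token and client IP; the log lines, IP addresses and token are constructed, and the enabled W3C field set is an assumption.

```python
from collections import defaultdict

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample (documentation-range IPs, placeholder token), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-01 10:00:01 10.0.0.5 GET /.well-known/acme-challenge/TOKEN-PLACEHOLDER - 80 - 192.0.2.10 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) 200
2020-03-01 10:00:02 10.0.0.5 GET /.well-known/acme-challenge/TOKEN-PLACEHOLDER - 80 - 198.51.100.7 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) 200
2020-03-01 10:00:02 10.0.0.5 GET /.well-known/acme-challenge/TOKEN-PLACEHOLDER - 80 - 203.0.113.20 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) 404
2020-03-01 10:00:05 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 200
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def challenge_sources(lines):
    """Map each challenge token to {client IP: sorted list of status codes}."""
    seen = defaultdict(lambda: defaultdict(set))
    for row in parse_w3c(lines):
        path = row.get("cs-uri-stem", "")
        if path.lower().startswith(CHALLENGE_PREFIX):
            token = path[len(CHALLENGE_PREFIX):]
            seen[token][row.get("c-ip", "?")].add(row.get("sc-status", "?"))
    return {t: {ip: sorted(c) for ip, c in ips.items()} for t, ips in seen.items()}

def report(lines):
    """One summary line per token: how many sources reached IIS, how many failed."""
    out = []
    for token, ips in challenge_sources(lines).items():
        failed = [ip for ip, codes in ips.items() if codes != ["200"]]
        out.append(f"{token}: {len(ips)} source IP(s) reached IIS, "
                   f"{len(failed)} with non-200 status")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

If fewer sources appear for a token than the CA sent, the missing requests were answered upstream of IIS, which is where the "Administrative Quarantine" page in the error body came from.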