Azure LetsEncrypt Unauthorized issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ppdportalweb.mygphc.org

I ran this command: Azure LetsEncrypt

It produced this output: The Lets Encrypt ACME server was probably unable to reach http://ppdportalweb.mygphc.org/.well-known/acme-challenge/EJZ5LS0Lui8Cpl_eYxG0y9pJ9AXaIWNFjlUVzQu720s view error report from Lets Encrypt at https://acme-v01.api.letsencrypt.org/acme/authz-v3/163749609 for more information

Entire StackTrace

[Exception: The Lets Encrypt ACME server was probably unable to reach http://ppdportalweb.mygphc.org/.well-known/acme-challenge/EJZ5LS0Lui8Cpl_eYxG0y9pJ9AXaIWNFjlUVzQu720s view error report from Lets Encrypt at https://acme-v01.api.letsencrypt.org/acme/authz-v3/163749609 for more information]
LetsEncrypt.Azure.Core.Services.d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\BaseHttpAuthorizationChallengeProvider.cs:121
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +26
LetsEncrypt.Azure.Core.Services.d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\BaseHttpAuthorizationChallengeProvider.cs:131
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
LetsEncrypt.Azure.Core.Services.d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\AcmeService.cs:44
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
LetsEncrypt.Azure.Core.d__16.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:231
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
LetsEncrypt.Azure.Core.d__17.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:244
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
LetsEncrypt.SiteExtension.Controllers.d__7.MoveNext() in D:\a\1\s\LetsEncrypt-SiteExtension\Controllers\HomeController.cs:250
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Web.Mvc.Async.TaskAsyncActionDescriptor.EndExecute(IAsyncResult asyncResult) +97
System.Web.Mvc.Async.<>c__DisplayClass8_0.b__1(IAsyncResult asyncResult) +17
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +48
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass11_0.b__0() +58
System.Web.Mvc.Async.<>c__DisplayClass11_2.b__2() +228
System.Web.Mvc.Async.<>c__DisplayClass7_0.b__1(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +48
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass3_6.b__4() +35
System.Web.Mvc.Async.<>c__DisplayClass3_1.b__1(IAsyncResult asyncResult) +100
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +48
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.<>c.b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState) +11
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +48
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +45
System.Web.Mvc.<>c.b__151_2(IAsyncResult asyncResult, Controller controller) +13
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +22
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +48
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c.b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) +28
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +48
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +152
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +126

My web server is (include version): Azure App Service

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @rohitiscancerian

I don't know how that client works.

But there is one curious thing.

Your order url - ppdportalweb.mygphc.org

Invalid response from 
http://ppdportalweb.mygphc.org/.well-known/acme-challenge/EJZ5LS0Lui8Cpl_eYxG0y9pJ9AXaIWNFjlUVzQu720s 
[13.74.41.233]

says: Letsencrypt checks the http version.

But checking your domain via https://check-your-website.server-daten.de/?q=ppdportalweb.mygphc.org there is a redirect http + /.well-known/acme-challenge/random-filename -> https + /.well-known/acme-challenge/random-filename

Looks that this client adds a temporary redirect (like Certbot with --apache or --nginx), so the http version is checked.

But if Certbot doesn't work with that authenticator, normally the configuration is wrong (duplicated vHosts etc.). Or that client is buggy or too old and doesn't understand your configuration.

You use the v1 version. Isn't there a v2 client you can use? Or an update?

In https://acme-v01.api.letsencrypt.org/acme/authz-v3/163749609 you can see the HTML coming back from the web server showing that the client failed to satisfy the challenge (though I’m also not familiar with this client and don’t know why that would be).

Thanks for the response. Azure LetsEncrypt is an extension available on Azure portal to interact with LetsEncrypt to generate SSL certs and there is only one version as of now and hopefully the latest one. I have been able to successfully get this to work on another Azure website but this one for some reason is failing due to unauthorized error and I am not able to guess what may cause it as both websites are on the same resource group and subscription.

It seems like you’ll need to find someone who can offer support specifically for the Azure LetsEncrypt extension, since it seems not to be doing the right thing here in the context of your configuration. (One possibility might be that the server for this domain is configured to proxy or rewrite URLs in a way that your server for the other domain isn’t, but that’s just a guess based on problems that people have had with the equivalent functionality in clients like Certbot.) Alternatively, you might want to try a different Let’s Encrypt client, although that might not be worth it if Azure LetsEncrypt is especially well-integrated into your environment.

You were right. There were rewrites on this application config. It worked after I took them off.

2 Likes

If you need them, it’s usually fine to have them—you just need to make sure that they don’t apply to URL paths beginning with /.well-known/, so you may need to create an exception.
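As an added illustration of that exception (this is not the original poster's web.config, which the thread never shows, and not code from the Azure LetsEncrypt extension), here is the shape such a rule takes on a Windows Azure App Service, which uses the IIS URL Rewrite module. It assumes the rewrite in question is the common HTTP-to-HTTPS redirect, which matches the redirect of the challenge path that the check-your-website report above found; the rule name and the "Redirect to HTTPS" purpose are assumptions. The `negate="true"` condition is what keeps the ACME HTTP-01 validator's plain-HTTP request to `/.well-known/acme-challenge/...` from being bounced to HTTPS before the extension's temporary challenge handler can answer it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for an Azure App Service (Windows/IIS).
     Assumption: the site force-redirects HTTP to HTTPS via URL Rewrite. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect everything served over plain HTTP to HTTPS ... -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <!-- ... only when the request did not already arrive over TLS ... -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <!-- ... and never for the ACME challenge path: Let's Encrypt validates
                 HTTP-01 over port 80 and must receive the token, not a redirect
                 or the application's HTML. -->
            <add input="{REQUEST_URI}" pattern="^/\.well-known/" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, the quick check is to request the challenge URL over plain HTTP without following redirects (for example `curl -sI http://ppdportalweb.mygphc.org/.well-known/acme-challenge/test`): a `3xx` with a `Location:` pointing at `https://` means the exception is not taking effect, whereas a direct `200` or `404` from the site itself means the rewrite is no longer intercepting the path. Any other rule that rewrites or proxies request paths (an MVC catch-all route, a reverse-proxy rule, a trailing-slash rule) needs the same `^/\.well-known/` exclusion.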
