Can't get TLS certificate for my domain NET 8.0 C#

I have a problem with certificate creation.
I'm trying to get my own TLS certificate via .NET 8.0 and the Certes library.
You can check my ACME manager code here: SignEdgeService/SignEdgeService/ACMEService.cs at main · HappyHakunaMatata/SignEdgeService · GitHub
So I validated my domain using the DNS challenge. Everything is working (Let's Debug).
The HTTP challenge doesn't work for me. My web server is unreachable for HTTP validation for no reason.
I tried creating a token and a .txt file, and it was reachable at this link: http://peer.littlemozzarella.com/.well-known/acme-challenge/some_cool_token_here_1, and I can download the .txt file.
I have to use the HTTP protocol, right? Not HTTPS or FTP? Moreover, you can see that http:// is reachable.

When I tried to download certificate the first exception was:
Certes.AcmeException: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.
at Certes.Pkcs.CertificateStore.GetIssuers(Byte der)
at Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey)
at SignEdgeService.ACMEService.DownloadCertificate() in /src/SignEdgeService/ACMEService.cs:line 515
Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.

The second one I got:
Certes.AcmeException: Can not finalize order with status 'Valid'.
at Certes.IOrderContextExtensions.Generate(IOrderContext context, CsrInfo csr, IKey key, String preferredChain, Int32 retryCount)
at SignEdgeService.ACMEService.DownloadCertificate() in /Users/user/Projects/SignEdgeService/SignEdgeService/ACMEService.cs:line 451
Can not finalize order with status 'Valid'.
Actually I got this exception before.

My domain is: littlemozzarella.com

I ran this command: DownloadCertificate function

My web server is (include version): Kestrel

The operating system my web server runs on is (include version): AWS ubuntu-jammy-22.04

My hosting provider, if applicable, is: AWS, Godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certes 3.0.4

I don't have much input, except that the IP address 13.51.46.167 is NOT reachable on port 80 from my perspective. It just times out.

Furthermore:

This suggests you have the staging environment set up for some reason, probably due to the usage of WellKnownServers.LetsEncryptStagingV2 (twice). Using the staging environment should be fine for testing purposes. I don't know why Certes is complaining about it. It's to be expected that the issuer for the staging certificate can't be found. Maybe ask the developer of Certes what the proper usage of the staging environment is?

The other exception I don't know.


Certes needs to know the root issuer certificate before it can build a valid PFX. It embeds a couple of well known roots (ISRG Root X1 etc) as a resource but for other roots you need to feed them into pfxBuilder.AddIssuers: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Doctored Durian Root CA X3' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1'. · Issue #253 · fszlin/certes · GitHub before calling the build.


Please also try to keep the same discussion on one thread, this is all pretty much the same question: Generate certificate troubleshooting .NET - #9 by littlemozzarella


Actually, I fixed my problem. I don't have to use this:
WellKnownServers.LetsEncryptStagingV2
I have to use this instead:
WellKnownServers.LetsEncryptV2
If I want to use WellKnownServers.LetsEncryptStagingV2, I shouldn't call the ToPem function on the result of await Order.Generate(csr, privateKey); I can get the certificate via the fields Certificate and Issuers.
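As an added example (not code from SignEdgeService or from Certes itself), this is what the fix above looks like in C#: finalize the order exactly once, write the chain from `Certificate` and `Issuers` instead of calling `ToPem` on the whole chain, and, if a PFX is needed, hand the staging root to `AddIssuers` as the linked Certes issue suggests. The order context, key, CSR and file paths are assumed to be prepared by the caller; the staging root file path is a placeholder.

```csharp
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Certes;
using Certes.Acme;
using Certes.Pkcs;

public static class StagingCertificateExport
{
    // Writes fullchain.pem without CertificateChain.ToPem(), which needs the
    // issuer in Certes' embedded root store (the staging roots are not there).
    public static async Task<string> ExportFullChainPemAsync(
        IOrderContext order, IKey privateKey, CsrInfo csr, string outputPath)
    {
        // Generate() finalizes the order and only succeeds while the order is
        // pending/ready; calling it again on the same order raises
        // "Can not finalize order with status 'Valid'", the second exception above.
        CertificateChain chain = await order.Generate(csr, privateKey);

        var pem = new StringBuilder();
        pem.AppendLine(chain.Certificate.ToPem().Trim());   // leaf certificate
        foreach (Certificate issuer in chain.Issuers)        // intermediates sent by the ACME server
            pem.AppendLine(issuer.ToPem().Trim());

        File.WriteAllText(outputPath, pem.ToString());
        File.WriteAllText(Path.ChangeExtension(outputPath, ".key"), privateKey.ToPem());
        return pem.ToString();
    }

    // Building a PFX does need the root: supply it explicitly via AddIssuers
    // instead of relying on the roots embedded in Certes.
    public static byte[] BuildPfxWithStagingRoot(
        CertificateChain chain, IKey privateKey, string stagingRootPath, string password)
    {
        PfxBuilder pfx = chain.ToPfx(privateKey);
        // stagingRootPath is a placeholder: the staging root certificate
        // downloaded from Let's Encrypt's staging-environment page.
        pfx.AddIssuers(File.ReadAllBytes(stagingRootPath));
        return pfx.Build("littlemozzarella.com (staging)", password);
    }
}
```

Keep the two helpers on the same `CertificateChain` instance; re-running `Generate` to get a second chain is what trips the "status 'Valid'" error.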
