Can't renew, can't create new

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tower.nsc.aero

I ran this command: .\LetsEncrypt.exe --verbose

It produced this output:
PS C:\letsencrypt-win-simple> .\LetsEncrypt.exe --test

[INFO] A Simple ACME Client for Windows (WACS)
[INFO] Software version 1912.0.6839.16705 (RELEASE)
[INFO] IIS version 8.5
[INFO] ACME server https://acme-staging.api.letsencrypt.org/
[INFO] Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel all scheduled renewals
Q: Quit

Please choose from the menu: n

[INFO] Running in Simple mode

1: Single binding of an IIS site
2: SAN certificate for all bindings of an IIS site
3: SAN certificate for all bindings of multiple IIS sites
4: Manually input host names
C: Cancel

Which kind of certificate would you like to create?: 4

Enter comma-separated list of host names, starting with the primary one: tower.nsc.aero,tower.tillamookuas.com

[INFO] Plugin Manual generated target [Manual] [2 bindings - tower.nsc.aero, …]

1: Default Web Site
1438491208: WSUS Administration

Choose site to create new bindings: 1

Enter an email address (not public, used for renewal fail notices): billsey@nsc.aero

Do you agree to https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf? (y/n): - yes

[INFO] Authorize identifier: tower.nsc.aero
[INFO] Authorizing tower.nsc.aero using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://tower.nsc.aero/.well-known/acme-challenge/TL456xPusbhTKHk8jTVKcsDp1LBDYhR6_7kU-xYdlG4

[–test] Try in default browser? (y/n): - yes

Press enter to continue…
[EROR] Authorization result: invalid
[INFO] Authorize identifier: tower.tillamookuas.com
[INFO] Authorizing tower.tillamookuas.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://tower.tillamookuas.com/.well-known/acme-challenge/ORVSibvKHCZ34Gi_c8Xr-BqCJiNqbfcLla-0Mdy3_x4

[–test] Try in default browser? (y/n): - no

[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:connection
[EROR] [detail] Fetching http://tower.nsc.aero/.well-known/acme-challenge/TL456xPusbhTKHk8jTVKcsDp1LBDYhR6_7kU-xYdlG4: Timeout during connect (likely firewall
problem)
[EROR] [status] 400
[EROR] Create certificate failed

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is: Local to the server

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I first tried the normal renew process using PKISharp. It failed with Authorization-Result: Invalid. It looks as if PKISharp Win-acme isn’t creating the .well-known files. I have files there from previous updates but none from the current. I next tried removing the queued updates and started over from the beginning. As you can see, same problem. :frowning:

2

I can’t connect to http://tower.nsc.aero/ (or http://tower.tillamookuas.com/, which has the same IP) from my location.

Is there a firewall blocking everything, or some countries, or something?

3

There isn’t anything blocking that I’m aware of. I believe there’s no listener on http, only https though.

4

Unfortunately, let’s Encrypt validation server will only connects to http (port 80) first, then accept any redirection to other ports or domain.

If there are no listener for port 80, you must create one and configture it correctly in nrder to pass http-01 validation.

P.S. you could just make a simple redirection virtual host which would redirect all http traffic to the prospective https site.

Thank you

5

Hi @billsey

additional:

Check your IIS.8 - bindings. There is a working https - binding, so add there a http - binding / port 80.

There are redirects -> /remote and -> /remote/logon, so it's better you don't add a redirect http -> https, if you don't exclude /.well-known/acme-challenge/.

Create the directory /.well-known/acme-challenge and there a file (file name 1234 without extension).

Perhaps it's possible you can't load that file via browser.

Then add in your web.config - file (in /.well-known/) something like

<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

to allow files without extension. If you don't have such a mimeType, Letscencrypt can't get the file.

6

It turns out I was wrong, I do have bindings for both 80 and 443 on that site. I had to jump through a couple of hoops to make the web.config change, ownership was trustedinstaller and other accounts weren’t given any write permissions. With the mimeMap fileExtension entry added I get this:

Choose site to create new bindings: 1

[DBUG] Loading signer from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer
[DBUG] Getting AcmeServerDirectory
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/directory
[DBUG] Loading registration from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration
[INFO] Authorize identifier: tower.nsc.aero
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz
[INFO] Authorizing tower.nsc.aero using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://tower.nsc.aero/.well-known/acme-challenge/R6oJKTu1pEDaVPl9hZ3c_6AcIVOGZQ6V1c3EWcQkwto
[DBUG] Submitting answer
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/cwigULCWGX2Phvz_gwJK8iHa-1o13dJCWVGeBoWFyg0/7950606654
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/acme/authz/cwigULCWGX2Phvz_gwJK8iHa-1o13dJCWVGeBoWFyg0
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/acme/authz/cwigULCWGX2Phvz_gwJK8iHa-1o13dJCWVGeBoWFyg0
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/acme/authz/cwigULCWGX2Phvz_gwJK8iHa-1o13dJCWVGeBoWFyg0
[EROR] Authorization result: invalid
[DBUG] Deleting answer
[INFO] Authorize identifier: tower.tillamookuas.com
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz
[INFO] Authorizing tower.tillamookuas.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://tower.tillamookuas.com/.well-known/acme-challenge/D64IRhMGOeAqbtNyKWmxHEbuJd8spZJZHCAbi4Ed3yE
[DBUG] Submitting answer
[DBUG] Send POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/yK4_B-Ds5tMLIuWHiN3PmpTdh7LjJes6GFpNH2BhWXk/7950613272
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/acme/authz/yK4_B-Ds5tMLIuWHiN3PmpTdh7LjJes6GFpNH2BhWXk
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/acme/authz/yK4_B-Ds5tMLIuWHiN3PmpTdh7LjJes6GFpNH2BhWXk
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v01.api.letsencrypt.org/acme/authz/yK4_B-Ds5tMLIuWHiN3PmpTdh7LjJes6GFpNH2BhWXk
[EROR] Authorization result: invalid
[DBUG] Deleting answer
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:connection
[EROR] [detail] Fetching http://tower.nsc.aero/.well-known/acme-challenge/R6oJKTu1pEDaVPl9hZ3c_6AcIVOGZQ6V1c3EWcQkwto: Timeout during connect (likely firewall
roblem)
[EROR] [status] 400
[EROR] Create certificate failed

And the acme-challenge folder still doesn’t have any new files in it. There’s got to be a permissions issue with writing those files so the letsencrypt.org server can see them. I suppose if I could anticipate the filesnames and contents I could manually create them, but that just gets me back to failures the next time the certs come up for renewal.

7

And I see there’s another web.config in the acme-challenge directory:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="false" />
    <validation validateIntegratedModeConfiguration="false" />
    <staticContent>
      <clear />
      <mimeMap fileExtension="." mimeType="text/json" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="GET" modules="StaticFileModule" resourceType="Either" />
    </handlers>
  </system.webServer>
</configuration>

So it seems that it was already in force…

8

Hi,

Can you please verify if you could open the site in plain http mode?

Let's encrypt validation server is still reporting that they can't connect to your server (due to firewall filter)

Please open your port 80 before proceed with another validation, or it will continue to fail with the same message...

Thank you

9

Yeah, it looks like I can’t access the site with http: and with the web.config changes my https: access is also blocked. :frowning: I’ll dig into it more before responding again. With the certs expired I have to remote in to the server using a VPN connection.

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.