Can't renew SSL certificate - .NET Core

Please fill out the fields below so we can help you better.

My domain is: grsoftware.mooo.info

I ran this command: letsencrypt.exe

It produced this output: Authorizing Identifier grsoftware.mooo.info Using Challenge Type http-01
Writing challenge answer to D:\ASEC Core Site.well-known/acme-challenge/N3XYaHdMip8OfvGhg_CWPI12V35-StdlAio5FhcZ6Xc
Writing web.config to add extensionless mime type to D:\ASEC Core Site.well-known\acme-challenge\web.config
Answer should now be browsable at http://grsoftware.mooo.info/.well-known/acme-challenge/N3XYaHdMip8OfvGhg_CWPI12V35-StdlAio5FhcZ6Xc
Submitting answer
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid


The ACME server was probably unable to reach http://grsoftware.mooo.info/.well-known/acme-challenge/N3XYaHdMip8OfvGhg_CWPI12V35-StdlAio5FhcZ6Xc

Check in a browser to see if the answer file is being served correctly.
Authorize failed: This could be caused by IIS not being setup to handle extensionless static files.Here’s how to fix that:
1.In IIS manager goto Site/ Server->Handler Mappings->View Ordered List
2.Move the StaticFile mapping above the ExtensionlessUrlHandler mappings. (like this http://i.stack.imgur.com/nkvrL.png)
3.If you need to make changes to your web.config file, update the one at D:\TempSSL\web_config.xml

My web server is (include version): IIS (Windows 10? Can’t find the version number)

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: Site hosted at home

I can login to a root shell on my machine (yes or no, or I don’t know): Kind of… does DOS count?

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No. IIS and .NET Core configuration

I can’t check in a browser to see if the file is being served correctly, because it just returns NET::ERR_CERT_DATE_INVALID.

I’m finding all this modern web hosting extremely complex… why does everything have to use SSL???

It isn’t being served correctly—that file is blank. (Literally blank as in 0 bytes.) Would you be able to make another test file within /.well-known/acme-challenge to see if it gets served by the server?

I suspect the problem could be here:

D:\ASEC Core Site.well-known/acme-challenge/N3XYaHdMip8OfvGhg_CWPI12V35-StdlAio5FhcZ6Xc

There is a missing path separator (either Windows-style \ or Unix-style /) between D:\ASEC Core Site and .well-known).

I first thought this too but have seen where it’s just the display here that doesn’t show it.
like: x:\simple.test (which contains two slashes but displays only one)

As rg305 says, it’s the display on your forum that messes up paths - I copy/pasted the original.

The file is not blank - it contains the key. There are 5 files in the acme-challenge folder, all with data in, none of them are zero bytes.

Is there some recommended reading that explains how this should all work without assuming the user is a die-hard web networking expert?!

Can you make any file at all be served correctly at http://grsoftware.mooo.info/.well-known/acme-challenge, like a text file of your choice?

No, any file inserted into the folder results in a NET::ERR_CERT_DATE_INVALID in Chrome…

That particular error does make it harder to check when you’ve succeeded in posting files there, yet it wouldn’t stop validation from the certificate authority for succeeding because the certificate authority validator ignores that error.

Do you have a machine where you could check with curl instead? It’s possible to make curl ignore this error, for example.

I don’t understand how using a tool that ignores the error is going to help solve the problem.

Tell you what - I’ll go somewhere else where I have to pay through the nose for an https service, just because Amazon won’t allow me to connect without one.
Go democracy.

This is because the Let's Encrypt CA also does not enforce certificate checks when connecting to your machine to validate this challenge. A significant reason for this is to allow renewal of certificates that have already expired when the http:// version of the site generates an unconditional permanent redirect to the https:// version, because the CA follows redirects in this case.

Therefore, curl -k would let you see the challenge behavior in a way that looks like what the certificate authority sees, while a browser doesn't, because the browser enforces certificate checks. If you run with curl -k, you can see what the CA is seeing in this case, which may then help debug why it rejects the challenge validation.

If you don’t have cURL directly, you can use Hurl.it, which also ignores certificate errors in showing the content.

1 Like

I faced the same problem few days back .I was stuck in “Authorization Result : INVALID” several time .
os : windows server 2012 R2
letsencrypt client : “letsencrypt-win-simple”

Just went to the github releases of “letsencrypt-win-simple” . Downloaded new release . It fixed my problem . Everything is working fine now . You need to check Your letsencrypt client version .

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.