Certbot 1.21 webroot HTTP 500, 1.20 works

Installed 1.21 and it keeps stating "unauthorized" trying to read the challenge url with a 500 after the url.

I uninstalled 1.21 and installed 1.20 and it worked fine.

I can't find where to enter bug reports for the Windows beta.


Hi @GogglesPisano,

Thanks for the report. The issue tracker or this forum is a fine place to report this kind of information.

It seems likely that your problem is related to the web.config-related change that we made to the webroot plugin.

Do you have more information about the HTTP 500 error (maybe enable failed request tracing in IIS), your Windows version, your IIS version, how IIS is configured etc?


This is the second machine I set up, so I had already created a Virtual Directory for .well-known and created a sub folder acme-challenge.

I had also preinstalled the VC Redist since I knew I would need that from the first machine I did. (That redist should be included with the install or at least mentioned as a requirement)

Here's the web.config I had set up before installing the Certbot.

<?xml version="1.0" encoding="UTF-8"?>

I had also tried placing a .txt file in acme-challenge folder and that was served fine. I tried to access a made up file name with no extension and that gave me a 404 in the browser.

I checked lots of settings between the pc I set up several days ago and this one and couldn't find any differences. I spent several hours trying to find a reason why this one wasn't working. I then noticed this one was installing 1.21 and the other had 1.20. I switched to 1.20 and it worked.

Both are Win 10 Pro 21H1. IIS has matching modules installed.

The only site in IIS is the original Default Web Site and is only bound to *.80

Here's the last failed attempt.
```text
2021-11-06 01:27:18 172.16.3.2 GET /.well-known/acme-challenge/BBneTspqcPziM7_HrHhqW2iDTmWcN61_8PaJEMCnAJI - 80 - 52.39.4.59 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 500 19 183 89
2021-11-06 01:27:18 172.16.3.2 GET /.well-known/acme-challenge/BBneTspqcPziM7_HrHhqW2iDTmWcN61_8PaJEMCnAJI - 80 - 3.142.122.14 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 500 19 183 85
2021-11-06 01:27:18 172.16.3.2 GET /.well-known/acme-challenge/BBneTspqcPziM7_HrHhqW2iDTmWcN61_8PaJEMCnAJI - 80 - 64.78.149.164 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 500 19 183 59
2021-11-06 01:27:18 172.16.3.2 GET /.well-known/acme-challenge/BBneTspqcPziM7_HrHhqW2iDTmWcN61_8PaJEMCnAJI - 80 - 18.192.36.99 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 500 19 64 194
```

And the successful one:

```text
2021-11-06 01:32:16 172.16.3.2 GET /.well-known/acme-challenge/lpH7dQOED_nHNX8ZOD_GZ3j9m_9tY7CsnmEbcJuPIZ4 - 80 - 52.39.4.59 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 39
2021-11-06 01:32:16 172.16.3.2 GET /.well-known/acme-challenge/lpH7dQOED_nHNX8ZOD_GZ3j9m_9tY7CsnmEbcJuPIZ4 - 80 - 66.133.109.36 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 54
2021-11-06 01:32:16 172.16.3.2 GET /.well-known/acme-challenge/lpH7dQOED_nHNX8ZOD_GZ3j9m_9tY7CsnmEbcJuPIZ4 - 80 - 3.142.122.14 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 77
2021-11-06 01:32:16 172.16.3.2 GET /.well-known/acme-challenge/lpH7dQOED_nHNX8ZOD_GZ3j9m_9tY7CsnmEbcJuPIZ4 - 80 - 3.120.130.29 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 174
```

Let me know if there's other things you want me to look at.

-Stuart

The last post stripped out the web config xml, so here it is with the leading < removed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <defaultDocument enabled="false" />
  </system.webServer>
</configuration>
```

I have 2 more nearly identical machines to install the certbot on. Is there something you'd like me to try differently on these ones?

Thanks for posting all of that information. It was very helpful.

This is the HTTP 500 error:

What's happening is that Certbot creates the web.config file inside the acme-challenge directory, whereas you are manually creating it in the parent well-known directory.

When IIS tries to apply the two web.config files during the request, it encounters this duplicate mimeMap, and crashes the request.

Certbot only checks for an existing web.config inside the acme-challenge directory. Fixing this fully in Certbot might be a little tricky, but that's our problem :laughing:.

As a workaround, you could move your web.config file to acme-challenge (Certbot won't overwrite it). Or create an empty-ish web.config file in acme-challenge. You get the idea, I think.

Sorry for the inconvenience!

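The failure described above is a configuration-merge conflict: IIS combines every web.config on the path to the challenge file, and a second `mimeMap` for the same `fileExtension` in that chain is rejected. The following pre-flight check, added here as an illustration and not part of Certbot or of the thread, walks the web.config chain under a webroot and reports any extension mapped more than once, honouring `<clear />` and `<remove />`; the sample web.config is a constructed copy of the poster's, and it is also assumed to stand in for the file Certbot 1.21 writes into acme-challenge.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# Constructed copy of the poster's web.config; also used here as a stand-in for the
# file Certbot 1.21 writes into acme-challenge (assumed to declare the same mimeMap).
WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><staticContent>
  <mimeMap fileExtension="." mimeType="text/plain" /></staticContent>
<defaultDocument enabled="false" /></system.webServer></configuration>"""

def config_chain(webroot):
    """web.config files IIS merges for /.well-known/acme-challenge/<token>, root first."""
    dirs = (webroot, os.path.join(webroot, ".well-known"), os.path.join(webroot, CHALLENGE_DIR))
    return [p for p in (os.path.join(d, "web.config") for d in dirs) if os.path.isfile(p)]

def find_duplicate_mimemaps(webroot):
    """Return [(fileExtension, [config paths])] for extensions mapped more than once."""
    seen = {}  # fileExtension -> config files that add it
    for path in config_chain(webroot):
        static = ET.parse(path).getroot().find("./system.webServer/staticContent")
        if static is None:
            continue
        for elem in static:
            ext = elem.get("fileExtension")
            if elem.tag == "clear":  # <clear /> discards inherited entries
                seen.clear()
            elif elem.tag == "remove":  # <remove fileExtension=".."/> discards one
                seen.pop(ext, None)
            elif elem.tag == "mimeMap" and ext is not None:
                seen.setdefault(ext, []).append(path)
    return [(ext, paths) for ext, paths in seen.items() if len(paths) > 1]

def demo():
    """Rebuild the thread's layout in a temp dir; return findings before/after the workaround."""
    root = tempfile.mkdtemp()
    well_known, challenge = os.path.join(root, ".well-known"), os.path.join(root, CHALLENGE_DIR)
    os.makedirs(challenge)
    for d in (well_known, challenge):  # admin's copy in .well-known, Certbot's in acme-challenge
        with open(os.path.join(d, "web.config"), "w") as f:
            f.write(WEB_CONFIG)
    before = find_duplicate_mimemaps(root)
    os.remove(os.path.join(well_known, "web.config"))  # workaround: keep only the acme-challenge copy
    after = find_duplicate_mimemaps(root)
    shutil.rmtree(root)
    return before, after
```

Running `demo()` reports the "." extension declared in both files, and nothing once only the acme-challenge copy remains; pointing `find_duplicate_mimemaps` at a real `C:\inetpub\wwwroot` gives the same answer before Certbot is run.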

No biggy. I moved the web.config file down to the acme-challenge folder.

In 1.21 should I have to create the .well-known or acme-challenge folders?

I want to try it on the other machines with the minimal prep I should need.

You shouldn't need to do anything to prepare. The .well-known and acme-challenge directories and web.config file should get created automatically in the webroot path.

If things are not working exactly right (like in this thread), we definitely want to hear about it.


I get this error on a new machine that doesn't have the .well-known folder created.

```text
Input the webroot for xxxx.xxxx.tld: (Enter 'c' to cancel): C:\inetpub\wwwroot
Encountered exception during recovery: FileNotFoundError: [WinError 3] The system cannot find the path specified: 'C:\inetpub\wwwroot\.well-known\acme-challenge\xTn8_-87BL6BRXkgClN_OPQyckuoUqQQ1TXLkatX-qQ'
An unexpected error occurred:
pywintypes.error: (1307, 'SetFileSecurity', 'This security ID may not be assigned as the owner of this object.')
```

It appears to have created the .well-known folder, but not the acme-challenge folder.

IIRC, I had this problem on 1.20 also and added the acme-challenge folder myself.

When manually adding the acme-challenge folder I saw that the .well-known folder that the certbot added did not have IIS_IUSR access. Maybe that's why the folder creation failed?


Sorry, I meant to respond to this earlier, to validate the existence of this issue.

The error you get from folder creation is a known problem and we're looking into it. You may follow along at "windows webroot: This security ID may not be assigned as the owner of this object" (Issue #9067, certbot/certbot on GitHub) for progress.
