Certbot failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.find-a-tradie.com.au

I ran this command: certbot certonly --webroot

It produced this output:

(Y)es/(N)o: y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.find-a-tradie.com.au
Requesting a certificate for www.find-a-tradie.com.au
Input the webroot for www.find-a-tradie.com.au: (Enter 'c' to cancel): C:\Apache24\htdocs

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: www.find-a-tradie.com.au
Type: unauthorized
Detail: 110.147.129.231: Invalid response from http://www.find-a-tradie.com.au/.well-known/acme-challenge/iU5LLNTGQG8swsQ-9B2nUkP1_1un_bcPMJwTPamp4eY: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache lounge, 2.4.57 VS16

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: Hosting from a home desktop with Windows 10

I can login to a root shell on my machine (yes or no, or I don't know): confused about this. What am I supposed to put in c:\apache2\htdocs? Anything in particular?

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.7.3

The EFF is discontinuing support for Certbot on Windows this month. You should not set up any new systems on Windows with Certbot.

Please see the below announcement along with suggested alternatives

2 Likes

I've used https://certifytheweb.com/ on Windows systems without fail.

3 Likes

HTTP validation of your domain works by asking your server to prove it is who it says it is; that's a request like http://www.find-a-tradie.com.au/.well-known/acme-challenge/iU5LLNTGQG8swsQ-9B2nUkP1_1un_bcPMJwTPamp4eY

What's happening is the certificate authority (Let's Encrypt) expects you to prepare that /.well-known/acme-challenge path and (in this instance) the iU5LLNTGQG8swsQ-9B2nUkP1_1un_bcPMJwTPamp4eY text file with no filename extension. It will then check that the response has the content it expects; that completes validation of your domain.

However, your server is not currently serving the website using Apache. The server responding is running IIS; you might have Apache installed, but that's not what's answering HTTP requests on TCP port 80.

To get a cert for IIS as @rg305 suggested you could use Certify The Web. The process is generally:

  • Install the app, click New Certificate (the first time you also need to register a contact with Let's Encrypt), and select your IIS site from the dropdown. It will read the domains you have set for the site, if you have set them; otherwise you can add them manually (e.g. find-a-tradie.com.au and www.find-a-tradie.com.au would be the normal minimum you would include). I recommend first setting your http bindings in IIS to have the hostname(s) you need.
  • Optionally, click Test to check whether your site seems to resolve OK.
  • Click Request Certificate to order your certificate from Let's Encrypt and install the certificate.

If you don't have hostnames set on your existing IIS bindings you may need to manually create an initial https binding with the certificate selected (set the hostname, check Use SNI, set IP to All Unassigned). This is why I recommend setting the hostnames first, so you don't have to do that.

As an aside though I don't recommend running a website from home or your office, if that's what this is. Websites are subject to constant attacks from unwanted external visitors and you generally don't want them trying stuff on the same network that all your business etc. is run on.

If you do intend to use Apache, not IIS, you would need to stop IIS or delete the default site/bindings (to free up port 80), then get Apache working via http. You would then use the webroot method of specifying where the app should write out the http challenge response for Apache to serve it: Using with Apache, nginx or Other Web Servers | Certify The Web Docs - I would only recommend using Apache on Windows if you are already an Apache user; the standard web server on Windows is Microsoft's own IIS.

3 Likes
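The reply above describes what the CA does during HTTP-01 validation (fetch `/.well-known/acme-challenge/<token>` from the webroot and compare the body) and why it failed here (a different server, IIS, owns port 80). The script below is an added example written for this page, not code from the thread, from Certbot or from Certify The Web. It reproduces that check as a pre-flight you can run yourself before re-ordering a certificate: it writes a throwaway token file into the webroot exactly where a webroot authenticator would, fetches it over plain HTTP by hostname, and classifies the answer, including the "IIS answered with 404" case from the original post. The domain, the webroot path and the placeholder file content are assumptions; a real ACME challenge file contains the key authorization (`<token>.<JWK thumbprint>`), which only the ACME client knows.

```python
# Added example (not from the thread): pre-flight check for HTTP-01 webroot
# validation. Domain and webroot below are hypothetical; the file content is a
# placeholder, not a real ACME key authorization.
import os
import secrets
import urllib.error
import urllib.request

# Relative path the CA requests under the site root (RFC 8555 HTTP-01).
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_challenge_file(webroot: str, token: str, content: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> (no extension)
    holding `content`, as a webroot authenticator does. Returns the path."""
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    # ASCII, no newline translation: the CA compares the body byte for byte.
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(content)
    return path


def diagnose(status: int, headers: dict, body: str, expected: str) -> str:
    """Classify a server's answer to the challenge URL.

    Returns one of: "ok", "iis-answering" (another server owns port 80, the
    situation in the thread), "not-found" (right server, wrong webroot or
    the path is blocked), "wrong-content" (file was rewritten or substituted),
    or "unexpected-status-<code>".
    """
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if status == 404 and "iis" in server.lower():
        return "iis-answering"
    if status == 404:
        return "not-found"
    if status != 200:
        return f"unexpected-status-{status}"
    if body.strip() != expected:
        return "wrong-content"
    return "ok"


def fetch(url: str, timeout: float = 10.0):
    """GET `url`; return (status, headers, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return (resp.status, dict(resp.headers.items()),
                    resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return (err.code, dict(err.headers.items()),
                err.read().decode("utf-8", "replace"))


def preflight(domain: str, webroot: str) -> str:
    """Write a random token file, fetch it by hostname, clean up, and report."""
    token = secrets.token_urlsafe(32)            # same alphabet as ACME tokens
    content = f"preflight-{secrets.token_hex(8)}"  # placeholder body
    path = write_challenge_file(webroot, token, content)
    try:
        url_path = CHALLENGE_DIR.replace(os.sep, "/")
        status, headers, body = fetch(f"http://{domain}/{url_path}/{token}")
        return diagnose(status, headers, body, content)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Hypothetical values; substitute your own hostname and webroot.
    print(preflight("www.example.com", r"C:\Apache24\htdocs"))
```

A result of `iis-answering` means the webroot you gave Certbot is irrelevant until IIS is stopped or its port-80 binding removed; `not-found` means the server you expect is answering but from a different document root, or something is blocking dotfile directories. Where possible run the fetch from outside your own network: from inside, a consumer router's NAT may not hairpin the public address back to the desktop, so a local failure does not always mean the CA would fail too.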