Certbot issues on Windows IIS - Not going well

There are several issues.

  1. Awful error messages when there are access issues.
    It does not tell what it is doing when an error occurs and only displays the error message.

The Escape codes (←[31m) in front of the messages are not particularly professional looking.

  2. It does not check if the webroot directory is writable by the account it uses. Typically it might be able to create the .well-known directory, but nothing below.

Even if certbot will not change the security itself, the person running the program should be notified.

Here is where point 1 comes into play.

  3. Certbot creates a non-readable file for some reason in the acme-challenge directory. It should be readable since "everyone" can read it. The file does not use inherited security. I suspect that once the IIS web service finds that it is unreadable, it caches that result. So changing security will not work.

http://www.stavangerbilder.no/.well-known/acme-challenge/gHFGaWhZxKCq40-QwSvO4fGIgxdnIqFzxHxVprGTigA
Gives a 404 error in Chrome.

http://www.stavangerbilder.no/.well-known/acme-challenge/julius.txt
Retrieves the content of the file which has inherited security.

My domain is: www.stavangerbilder.no

I ran this command: C:\Program Files (x86)\Certbot\bin>.\certbot.exe certonly --webroot --debug-challenges --webroot-path C:\Sites\Stavangerbilder --dry-run

It produced this output:
←[31mChallenge failed for domain www.stavangerbilder.no←[0m
http-01 challenge for www.stavangerbilder.no
Cleaning up challenges
←[31mSome challenges have failed.←[0m
←[1m
IMPORTANT NOTES:
←[0m - The following errors were reported by the server:

Domain: www.stavangerbilder.no
Type: unauthorized
Detail: Invalid response from
http://www.stavangerbilder.no/.well-known/acme-challenge/eEcMvepMSkV4rqo3JUc33LkPZzg1q6xVeJx7RJKP-ZI
[91.243.69.5]: "\r\n<html
xmlns="http"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): IIS 8.5.9600.16384

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

1 Like
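Points 2 and 3 of the post (the webroot not being writable by the account Certbot runs as, and the token file not inheriting the folder's security) can both be checked from PowerShell before running Certbot again. The script below is an added example and is not part of the thread or of Certbot; the webroot path is the one from the post, the list of accounts IIS reads static files as is an assumption about a default anonymous-authentication setup.

```powershell
# Added example, not from the thread: audit the ACLs of files Certbot dropped
# into .well-known\acme-challenge and restore inheritance where it was broken.
# The webroot path comes from the original post; everything else is an assumption.
$webroot      = 'C:\Sites\Stavangerbilder'
$challengeDir = Join-Path $webroot '.well-known\acme-challenge'

# Accounts IIS typically reads static content as: the anonymous user (IUSR),
# the application pool group (IIS_IUSRS), or a broad principal such as Everyone.
$webReaders = '^(NT AUTHORITY\\IUSR|BUILTIN\\IIS_IUSRS|Everyone|BUILTIN\\Users)$'

function Test-ChallengeFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # AreAccessRulesProtected is $true when inheritance from the parent folder is
    # off, which is what the post describes: the Certbot file did not inherit security.
    $inherits = -not $acl.AreAccessRulesProtected
    $readRules = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $webReaders -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    })
    [pscustomobject]@{
        Path        = $Path
        Inherits    = $inherits
        WebReadable = ($readRules.Count -gt 0)
        Owner       = $acl.Owner
    }
}

function Repair-ChallengeFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Re-enable inheritance and discard the explicit entries, so the file ends up
    # with the same effective permissions as julius.txt in the post.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $Path -AclObject $acl
}

# Point 2 of the post: confirm the account running this script can create files
# in the challenge folder at all, by writing and deleting a probe file.
function Test-ChallengeDirWritable {
    param([Parameter(Mandatory)][string]$Dir)
    $probe = Join-Path $Dir ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        Write-Warning "Cannot write to ${Dir}: $($_.Exception.Message)"
        return $false
    }
}

if (-not (Test-ChallengeDirWritable -Dir $challengeDir)) { return }

Get-ChildItem -Path $challengeDir -File | ForEach-Object {
    $report = Test-ChallengeFileAcl -Path $_.FullName
    if (-not $report.Inherits -or -not $report.WebReadable) {
        Write-Warning ("{0}: inherits={1} webReadable={2}, repairing" -f
            $report.Path, $report.Inherits, $report.WebReadable)
        Repair-ChallengeFileAcl -Path $report.Path
        $report = Test-ChallengeFileAcl -Path $report.Path
    }
    $report
}
```

Run it as the same account Certbot runs under (an elevated shell in the post's case) so the write probe answers the question the post asks. A file that reports `Inherits = False` is the one the 404 came from; if the post's suspicion about IIS caching a failed read is right, the repaired file will only be served after the next request cycle, which is why the `--debug-challenges` pause is useful.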

Welcome to the Let's Encrypt Community, Tarjei :slightly_smiling_face:

IIS seems to have trouble serving extensionless files by default. Try creating a file named web.config in the acme-challenge folder with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension=".*" mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

Then create a file named test in the acme-challenge folder containing "1234". If you can retrieve that file with your browser, try certbot again.

2 Likes

Excellent suggestion Griffin!

It worked!

Thank you very much!

1 Like

Also some versions/configurations of IIS need:
<mimeMap fileExtension="." mimeType="text/plain" /> instead of
<mimeMap fileExtension=".*" mimeType="text/plain" />

Some configurations also need to clear the declared handlers and redeclare the static file handler.

You will find also that Certbot outputs certificates in pem format so you will need to convert to PFX (for use with IIS) using openssl then import the cert to the computer certificate store (My or Web Hosting), you will then need to manually create/update https bindings in IIS.

Have you already tried https://certifytheweb.com? That's an app I develop that was built specifically for IIS/Windows support. There's also win-acme but I see from their github you had issues using that.

2 Likes
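The two replies above describe one procedure: drop a web.config into acme-challenge (with either `.*` or `.` as the extension key, and on some installs with the handler list cleared and only the static file handler re-added), put a file named test containing 1234 next to it, and fetch it in a browser. The script below does the same from PowerShell so the check can be repeated after each change; it is an added example, not code from the thread or from either client mentioned. Webroot and host name are the post's; the `<validation>` element and the StaticFile handler line are the standard IIS values for that handler, and the rest is an assumption.

```powershell
# Added example, not from the thread: write the web.config the replies describe,
# create the extensionless "test" file and fetch it over plain HTTP, which is the
# same path the Let's Encrypt validator takes. Webroot and hostname are from the
# original post; everything else is an assumption.
$webroot      = 'C:\Sites\Stavangerbilder'
$hostname     = 'www.stavangerbilder.no'
$challengeDir = Join-Path $webroot '.well-known\acme-challenge'

# The thread reports ".*" worked here, while some IIS builds need "." instead.
$extensionKey = '.*'

# Variant with the handler list cleared and only the static file handler re-added,
# which the later reply says some configurations also need. The <validation>
# element stops ASP.NET integrated mode from rejecting the handler change.
$webConfigTemplate = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <validation validateIntegratedModeConfiguration="false" />
        <staticContent>
            <mimeMap fileExtension="__EXT__" mimeType="text/plain" />
        </staticContent>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="*"
                 modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
                 resourceType="Either" requireAccess="Read" />
        </handlers>
    </system.webServer>
</configuration>
'@

function Write-ChallengeFiles {
    param([string]$Dir, [string]$Template, [string]$Ext)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [IO.File]::WriteAllText((Join-Path $Dir 'web.config'), $Template.Replace('__EXT__', $Ext), $utf8NoBom)
    # Extensionless file with a known body, shaped like an ACME token file
    [IO.File]::WriteAllText((Join-Path $Dir 'test'), '1234', $utf8NoBom)
}

function Test-ChallengeUrl {
    param([string]$Url, [string]$Expected)
    try {
        # -UseBasicParsing avoids the Internet Explorer dependency on a bare server
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200) -and ($resp.Content.Trim() -eq $Expected)
    } catch {
        # A 404, the symptom in the original post, surfaces here as an exception
        Write-Warning "GET $Url failed: $($_.Exception.Message)"
        return $false
    }
}

Write-ChallengeFiles -Dir $challengeDir -Template $webConfigTemplate -Ext $extensionKey
$testUrl = "http://$hostname/.well-known/acme-challenge/test"
if (Test-ChallengeUrl -Url $testUrl -Expected '1234') {
    "OK: $testUrl returned 1234, so IIS serves extensionless files here; rerun certbot."
} else {
    "FAIL: $testUrl did not return 1234; try the other fileExtension value or check the file ACLs."
}
```

Run the fetch from a machine outside your own network if you can: the validator resolves the name through public DNS, so a hosts-file entry or split-horizon DNS on the server itself can make the local test pass while the real challenge still fails.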

Once I tried win-acme on a host with a publicly available web site, it worked very well. The machine I tested on was available in the DNS, so I'm wondering if the software queries a different DNS server.

I am planning to look into CertifyTheWeb. It looks very useful when managing several domains.

I've looked at the very slick web site, but I'm a bit uncertain about pushing certificates to other machines and producing local root and derived certificates. Yes, it is perfectly reasonable to have private root certificates for internal use.

Frankly, I am aghast at the lack of customer focus in certbot. At least on Windows. The last time I saw such profound lack of understanding was the FreeBSD camp attitude to updates.

Certbot leaves people with IIS high and dry instead of helping them to solve their certificate problem. Frankly, I see no point in providing certificates in bits instead of as .pfx files. And particularly not when you don't tell the customer how to assemble the bits and provide pointers to the software needed.

With PowerShell, it is very easy to add certificates to IIS sites. It is not exactly rocket science.

And I am not happy with the lack of standardization of file extensions in general in the certificate field.
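The three manual steps the earlier reply lists (convert the PEM files to a PFX with openssl, import it into the computer store, then create or update the https binding) are the "assembling the bits" this post is asking about, and they are indeed short in PowerShell. The script below is an added example and is not Certbot's, Certify The Web's or the thread's code. It assumes Certbot for Windows' default configuration directory C:\Certbot, openssl.exe on PATH, the domain from the post, and an IIS site name that is a placeholder.

```powershell
# Added example, not from the thread: turn Certbot's PEM output into a PFX,
# import it into the machine's Web Hosting store and attach it to the site's
# https binding. Assumptions: Certbot for Windows' default config directory,
# openssl.exe on PATH, and the IIS site name.
$domain      = 'www.stavangerbilder.no'          # from the thread
$live        = "C:\Certbot\live\$domain"          # Certbot's default live directory on Windows
$siteName    = 'Stavangerbilder'                  # assumption: name of the IIS site
$pfxPath     = Join-Path $env:TEMP "$domain.pfx"
$pfxPassword = Read-Host -Prompt 'One-time PFX password' -AsSecureString

function ConvertTo-Pfx {
    param([string]$LiveDir, [string]$OutFile, [securestring]$Password)
    # Hand the password to openssl through an environment variable rather than
    # the command line, so it does not show up in the process list.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $env:PFX_PASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & openssl pkcs12 -export `
            -inkey (Join-Path $LiveDir 'privkey.pem') `
            -in (Join-Path $LiveDir 'cert.pem') `
            -certfile (Join-Path $LiveDir 'chain.pem') `
            -out $OutFile -passout env:PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 exited with $LASTEXITCODE" }
    } finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Install-SiteCertificate {
    param([string]$PfxFile, [securestring]$Password, [string]$Site, [string]$HostName)
    # The Web Hosting store (IIS 8+) is meant for many site certificates; My also works.
    $cert = Import-PfxCertificate -FilePath $PfxFile -Password $Password `
        -CertStoreLocation 'Cert:\LocalMachine\WebHosting'

    Import-Module WebAdministration
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName
    if (-not $binding) {
        # SslFlags 1 = SNI, so several host names can share port 443
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
        $binding = Get-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName
    }
    # Attach the freshly imported certificate to the binding by thumbprint
    $binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')
    return $cert.Thumbprint
}

ConvertTo-Pfx -LiveDir $live -OutFile $pfxPath -Password $pfxPassword
$thumb = Install-SiteCertificate -PfxFile $pfxPath -Password $pfxPassword -Site $siteName -HostName $domain
Remove-Item -Path $pfxPath -Force   # the key now lives in the store; do not leave the PFX on disk
"Bound $domain to certificate $thumb"
```

Run it elevated, as the certificate store and IIS configuration both require it. For renewals the same script applies unchanged, because Certbot rewrites the files under the live directory and the binding is updated by thumbprint; `Get-ChildItem IIS:\SslBindings` shows which thumbprint each binding currently uses.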

Hi, most servers/services outside of windows use individual certificate components instead of using a PFX (which is technically a binary PKCS#12 container, sometimes with the extension .p12). Certbot started out on linux which is why it has a bias towards that type of output.

Regarding Certify The Web, it's biased towards making IIS certs simple but it also has Deployment Tasks which are custom steps that can run after you get your certificate to do all manner of automation and exports (scripting, exports to common formats, copying via ssh/sftp, deploying to CCS, key/vault stores etc).

1 Like

Yeah, while certbot has been "ported" to run on Windows it's still very Linux-centric in its architecture and "thinking". There are other clients with the IIS/Windows architecture built in mind that are probably much more suitable for your use case.

Running Certbot on Windows probably makes more sense if you're running, like Apache or some other Linux-mindset-type thing as well on your Windows system.

If you're used to a PowerShell world, you might also want to check out Posh-ACME specifically. (Not that I know of any problems with CertifyTheWeb, and I haven't used either myself as my current workplace and home projects happen to use Linux-based servers.) I'm just trying to point out that there are many clients out there, and it may take trying a few to find the one that meshes with how the rest of your architecture is organized.

Yeah, Windows will treat double-clicking a .cer file as a request to view the certificate, but a .crt as a request to add it to your system's root store. Whereas other systems don't care about an "extension" concept at all, so you'll find people (especially on Linux) using either interchangeably, or using some other extension, or none at all. It's really quite a mess compared to most other file types, where even if it's not "needed" on certain platforms there's at least a consistent standard for what people use.

1 Like
