Certificate generation failure

I am trying to generate a certificate using the Win ACME application

I get this error:

Answer should now be browsable at http://site.domain.com/.well-known/acme-challenge/QOidusiduasdqeyreqweq
[HTTP] Request completed with status NotFound
Preliminary validation failed, the server answered '(null)' instead of 'QOidusiduasdqeyreqweq
The ACME server might have a different perspective
[site.domain.com] Authorization result: invalid

And at the end I receive this error: Connection reset by peer","status":400,"instance":null}

What can I do?

Your thread is more suitable for the Help section instead of the Issuance Tech category. I'll move your thread accordingly.

If you had opened this thread in the Help section, you would have been provided with a questionnaire. Please fill out the questionnaire below to the best of your knowledge:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Hi Osiris

Thanks for your reply. Here you can see the information requested

My domain is: paradiseingredients.com

I ran this command: There is no command, I am using Win ACME for Windows

It produced this output: Plugin IIS generated source solar.paradiseingredients.com with 1 identifiers
Plugin Domain created 1 order
Cached order has status invalid, discarding
[solar.paradiseingredients.com] Authorizing...
[solar.paradiseingredients.com] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://solar.paradiseingredients.com/.well-known/acme-challenge/QOiyFzXb_ClHC02E9_ZUPjzEEvN61QJWHYOJIWNC_gQ
[HTTP] Request completed with status NotFound
Preliminary validation failed, the server answered '(null)' instead of 'QOiyFzXb_ClHC02E9_ZUPjzEEvN61QJWHYOJIWNC_gQ.jkW-osudD7-Kx817XiP4Y0wiuL2fjvzlFxti4GGPv1c'. The ACME server might have a different perspective
[solar.paradiseingredients.com] Authorization result: invalid
[solar.paradiseingredients.com] {"type":"urn:ietf:params:acme:error:connection","detail":"200.91.186.254: Fetching http://solar.paradiseingredients.com/.well-known/acme-challenge/QOiyFzXb_ClHC02E9_ZUPjzEEvN61QJWHYOJIWNC_gQ: Connection reset by peer","status":400,"instance":null}
[solar.paradiseingredients.com] Deactivating pending authorization

My web server is (include version): IIS 10.0.20348.1

The operating system my web server runs on is (include version): Windows Server 2022

My hosting provider, if applicable, is: My web server is on-premises

I can login to a root shell on my machine (yes or no, or I don't know): Not applicable

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Not applicable

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not using Certbot, I am Using Win ACME

Hi @daniel.segura,

You apparently have some kind of firewall that doesn't allow incoming connections to your site at all. Can you identify where that is and get rid of it before requesting your certificate?

2 Likes

Hi @schoen thanks for your reply

In fact, I have seen there is a known issue when a Palo Alto firewall is in between in this process, and in fact I do have that firewall. I have escalated the case with Palo Alto Support but I haven't had an answer. Have you seen in previous posts if someone has resolved this and how it was done?

Regards

1 Like

This doesn't look like the typical PA issue seen on this forum.
It seems like the web server is not responding with content OR the wrong web server was reached.

curl http://solar.paradiseingredients.com/
curl: (52) Empty reply from server

Do you have access to the firewall logs?
Do you have access to the web server logs?

2 Likes

I helped resolve more Palo Alto "ACME Challenge" problems than I can count 🙂

And, I agree with @rg305 this does not look like that problem.

Any HTTP (port 80) request to your domain fails even for your home page. So this is not unique to the ACME Challenge.

curl -i http://solar.paradiseingredients.com
curl: (56) Recv failure: Connection reset by peer

curl -i http://solar.paradiseingredients.com/.well-known/acme-challenge/Test404
curl: (56) Recv failure: Connection reset by peer

Interestingly, HTTPS (port 443) requests get a response from what looks like a VPN. In addition to what rg305 asked about can you explain how the VPN is involved?

openssl s_client -connect solar.paradiseingredients.com:443 | head

depth=1 C = CR, ST = Cartago, O = Paradise Ingredients, CN = RootPAN
verify error:num=19:self-signed certificate in certificate chain
---
Certificate chain
 0 s:C = CR, O = Paradise Ingredients, CN = vpn1.paradiseingredients.com
   i:C = CR, ST = Cartago, O = Paradise Ingredients, CN = RootPAN
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 21 13:50:15 2022 GMT; NotAfter: May 20 13:50:15 2027 GMT
2 Likes

Hi

Correct, the website is not accessible at the moment because it is for internal use only. What I do is open the ports on the firewall and publish it when I run the process with the ACME tool to generate the certificate, but yes, I can access the web site when it is published using port 443, though of course it shows an invalid certificate. I want to generate the certificate with Let's Encrypt because when the internal users access the website the downloads are blocked because of the unsafe connection due to the certificate.

Regards

The process that you're trying to use with Win-ACME requires an inbound connection from the Internet on port 80.

1 Like

I see. So it is difficult for us to reproduce your problem.

The error "Preliminary validation failed" comes from win-acme. It tests the HTTP request before sending the cert request to the Let's Encrypt server which will make the same HTTP request just from its perspective. The prelim check failed with a "null" response.

You might try disabling this "pre check" from win-acme and see if Let's Encrypt Server can successfully reach you. Probably not but sometimes that works. Perhaps you have some outbound firewall rule that blocks the HTTP request from win-acme while allowing it to make HTTPS outbound requests (to the LE ACME API for example).

You might be better off using a DNS Challenge. It sounds like you have a public domain name. Does your DNS provider support an API for updating TXT records by chance?

3 Likes

Hi.

I tried to see where I should disable this pre check, but I couldn't find it. I do have a public domain name, but I am not sure if my DNS provider can do what you mention, modify the TXT record. I am using an A record in the scenarios.

Reading the comment from @schoen, let me explain what I am doing. I have in the binding config a rule with https type, the host name is solar.paradiseingredients.com using port 443; using this configuration Win ACME can validate there is a record to do the process. Also in my firewall I am publishing the server IP address with port 443 as well and I can access it from outside; I am not publishing port 80. Am I configuring this incorrectly? If I just use port 80 in the binding section, Win ACME does not allow me to continue, it does not recognize a record to work with.

Regards

If Win ACME is using HTTP-01 authentication, then yes: you must also allow port 80 for the ACME client to work.

2 Likes

Your domain is on Cloudflare, so I'd suggest just using Cloudflare DNS validation instead of HTTP validation - it's usually surprisingly easy.

I don't know the process with win-acme but it will be somewhat similar setup to Certify The Web [which I develop], the instructions to get an API token for that are here: Cloudflare DNS | Certify The Web Docs - the process is:

  • New Certificate (or edit existing)
  • On the Authorization tab set challenge type to dns-01, set provider to cloudflare, add and save your API token credentials. Click the .. next to Zone ID to lookup the right zoneid for your domain.
  • Click Test to check that TXT records can be added/removed OK using the API
  • Click Request Certificate to order your certificate from Let's Encrypt.
2 Likes
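Two things in this thread are easy to conflate: what win-acme's preliminary check actually compares (the post a few replies up), and why a DNS-01 challenge sidesteps the port 80 problem entirely (the Cloudflare steps just above). The following added example, written for this thread and not code from win-acme, Certify The Web or Let's Encrypt, derives both challenge answers from the same ingredients. The token and the account-key thumbprint are copied from the win-acme log posted earlier; the `(status, body)` model of a web server's reply is a simplification of my own, used only to illustrate what a "(null)" answer and a correct answer look like side by side.

```python
import base64
import hashlib
import json
from typing import Optional

# Token and account-key thumbprint taken from the win-acme log earlier in this thread;
# the expected HTTP-01 answer there is exactly "<token>.<thumbprint>".
TOKEN = "QOiyFzXb_ClHC02E9_ZUPjzEEvN61QJWHYOJIWNC_gQ"
ACCOUNT_THUMBPRINT = "jkW-osudD7-Kx817XiP4Y0wiuL2fjvzlFxti4GGPv1c"
DOMAIN = "solar.paradiseingredients.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: SHA-256 over the required public
    members only, keys sorted lexically, no whitespace. Optional members such
    as 'kid' or 'alg' are deliberately left out of the hash input."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """The value the CA expects to find: token '.' account-key thumbprint."""
    return f"{token}.{thumbprint}"


def http01_url(domain: str, token: str) -> str:
    """Where the CA (and win-acme's pre-check) fetch the answer: plain HTTP, port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def check_http01_response(status: Optional[int], body: Optional[str],
                          token: str, thumbprint: str) -> str:
    """Compare what a web server returned with the key authorization, in the
    spirit of win-acme's preliminary check (constructed model, not its code).
    status=None and body=None model a connection reset: no HTTP response at all,
    which is what the log in this thread reports as '(null)'."""
    expected = key_authorization(token, thumbprint)
    if status is None or body is None:
        return "invalid: no HTTP response (reset or refused); server answered '(null)'"
    if status != 200:
        return f"invalid: HTTP {status} instead of 200"
    if body.strip() != expected:
        return f"invalid: body {body.strip()!r} does not match the key authorization"
    return "valid"


def dns01_record_name(domain: str) -> str:
    """DNS-01 publishes the answer under _acme-challenge.<domain>, so nothing on
    the web server or on port 80 needs to be reachable from the Internet."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """DNS-01 answer: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


if __name__ == "__main__":
    expected = key_authorization(TOKEN, ACCOUNT_THUMBPRINT)
    print("HTTP-01 URL   :", http01_url(DOMAIN, TOKEN))
    print("expected body :", expected)
    # Three constructed outcomes: the reset seen in the thread, a 404, and a correct answer.
    print("reset         :", check_http01_response(None, None, TOKEN, ACCOUNT_THUMBPRINT))
    print("not found     :", check_http01_response(404, "", TOKEN, ACCOUNT_THUMBPRINT))
    print("correct       :", check_http01_response(200, expected + "\n", TOKEN, ACCOUNT_THUMBPRINT))
    print("DNS-01 record :", dns01_record_name(DOMAIN), "TXT", dns01_txt_value(TOKEN, ACCOUNT_THUMBPRINT))
```

The point of running it is the contrast: the HTTP-01 answer is only valid if an outside client can fetch a 200 with that exact body from port 80, while the DNS-01 answer is a TXT record the CA looks up by name, which is why a DNS provider with an API (Cloudflare here) lets an internal-only server get a publicly trusted certificate without opening port 80 at all.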

Hello @webprofusion, your recommendation to use the API integration and DNS-01 instead of HTTP-01 has worked perfectly. I have finished the certificate generation and it has been installed correctly on my server. Thanks a lot for your guide.

Regards

2 Likes