Certificate Creation Authorization timed out


#1

Hi,
I am trying to get a password on a Windows Server. I am running the Win-Acme tool.

My domain is: app.home.tilsch.it

I ran this command: using the win-acme tool with remote file storage for authentication

It produced this output:
[INFO] Authorize identifier: app.home.tilsch.it
[INFO] Authorizing app.home.tilsch.it using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://app.home.tilsch.it/.well-known/acme-challenge/QE7Km8paWonguwybZYRtNMNjSoKXz_kLy-3p5pPF_l0
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[EROR] Authorization timed out
[EROR] Create certificate failed: Authorization failed

My web server is (include version):
IIS 8.5

The operating system my web server runs on is (include version):
Windows Server 2012 R2

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme v2.0.4.227

I am getting the same timeout when I choose the DNS method.
What is it checking more thoroughly?

Thanks in advance
Micha


#2

Welcome!

I’m not a Win-ACME expert, so I have some questions/concerns that may help clarify the problem (to me and also to other readers)…

To better understand the problem (and help facilitate reaching a proper solution), I think you may need to be more specific about the exact command line options included.

And/or maybe also try posting directly to the Win-ACME community:

Also, you acknowledge the use of a control panel, but fail to mention exactly which one (and any details - version, etc.):


#3

Hi, I did not post any additional details, since I think none of it is relevant. I used mmc to configure IIS. The file is accessible, so the IIS config is OK.
I don’t understand, why it says:
Preliminary validation looks good, but ACME will be more thorough…
and then times out with no information on what is checked additionally.


#4

And now we even have less than what you see to work with.
I doubt there is anyone on this forum that can say anything specific about the problem you describe (including the information provided).

To you…
To everyone else (who has no clue on exactly… everything about this problem), every little piece of information is relevant.


#5

Hi @snudel,

Unfortunately, it looks like the logs from win-acme aren’t detailed enough here. When an authorization fails, the certificate authority returns a message explaining why it failed. But here win-acme apparently received that message but failed to include it in the log. That makes it hard to be sure of the reason; it would be helpful to find a way to make win-acme create more verbose logs, if possible.

A likely explanation for your problem is that your DNS server doesn’t understand CAA records.

https://letsdebug.net/app.home.tilsch.it/28736

For more information about this problem, please see

This document thoroughly explains the situation about CAA. The most relevant section may be

Since Let’s Encrypt checks CAA records before every certificate we issue, sometimes we get errors even for domains that haven’t set any CAA records. When we get an error, there’s no way to tell whether we are allowed to issue for the affected domain, since there could be CAA records present that forbid issuance, but are not visible because of the error. If you receive CAA-related errors, try a few more times against our staging environment to see if they are temporary or permanent. If they are permanent, you will need to file a support issue with your DNS provider, or switch providers. If you’re not sure who your DNS provider is, ask your hosting provider. Some DNS providers that are unfamiliar with CAA initially reply to problem reports with “We do not support CAA records.” Your DNS provider does not need to specifically support CAA records; it only needs to reply with a NOERROR response for unknown query types (including CAA). Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.


#6

@rg305 Sorry, that my uneducated questions bother you. I still appreciate you investing your time. I am completely new to letsencrypt and hoped for a starting point or obvious mistake.

@schoen Thank you for the hint regarding more verbose output. I will check if there is such thing and thank you as well for the hint regarding CAA records.


#7

Indeed you can start the tool with --verbose. This is what came out of the log. Looks like I cannot get data from the api.

[VERB] Checking [Manual] app.home.tilsch.it
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/authz/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw
[INFO] Authorize identifier: app.home.tilsch.it
[INFO] Authorizing app.home.tilsch.it using http-01 validation (FileSystem)
[VERB] Writing file to R:\inetpub\wwwroot.well-known\acme-challenge\fnP1WKs12Px8VkFI4ASpkKSjlqusbhPOAq4_aQ3N_kI
[INFO] Answer should now be browsable at http://app.home.tilsch.it/.well-known/acme-challenge/fnP1WKs12Px8VkFI4ASpkKSjlqusbhPOAq4_aQ3N_kI
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw/13744897134
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw/13744897134
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw/13744897134
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw/13744897134
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw/13744897134
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/7bwvkkggHIrmmipiGkGy_NZE3FfN6-F68TJ5Noz15gw/13744897134
[EROR] Authorization timed out
[DBUG] Deleting answer
[VERB] Deleting file R:\inetpub\wwwroot.well-known\acme-challenge\fnP1WKs12Px8VkFI4ASpkKSjlqusbhPOAq4_aQ3N_kI
[DBUG] Additional files or folders exist in R:\inetpub\wwwroot.well-known\acme-challenge, not deleting.
[EROR] Create certificate failed: Authorization failed

When I manually call that link, the following is displayed:
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: SERVFAIL looking up CAA for home.tilsch.it",
"status": 400

So you rightfully pointed at CAA problems.
I will need to find out what is causing this problem. Thank you all so far


#8

Hi @snudel

it’s not only a problem fetching the CAA record.

Your nameservers are buggy:

There is a Server failure.

Host                      T  IP-Address        is auth.  ∑ Queries  ∑ Timeout
app.home.tilsch.it           Server failure    yes       4          1
                          C  snudel.ddns.net   yes       4          1
                          A  91.11.64.221      yes
www.app.home.tilsch.it       Server failure    yes       4          1
                          C  snudel.ddns.net   yes       4          1
                          A  91.11.64.221      yes

And some tests are bad:

it

X Fatal error: Nameserver doesn’t support TCP connection: ns03.ipffm.de: Timeout
X Nameserver Timeout checking Echo Capitalization: ns03.ipffm.de
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns01.ipffm.de
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns02.ipffm.de
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns04.ipffm.de
X Nameserver Timeout checking EDNS512: ns03.ipffm.de

No TCP support is critical.

Authoritative nameservers must support TCP connections.

PS: Source:

https://www.iana.org/help/nameserver-requirements

Name server reachability

The name servers must answer DNS queries over both the UDP and TCP protocols on port 53.
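The two findings above (post #5: a SERVFAIL on the CAA lookup for any name in the chain blocks issuance; post #8: authoritative servers must also answer on TCP) can be checked from one script. The following is an added diagnostic, not code from win-acme, Let's Encrypt or the check-your-website tool: it sends a raw CAA query (type 257) for the domain and each parent label, over UDP and over TCP, to a nameserver IP you supply, and reports the rcode, treating anything other than NOERROR/NXDOMAIN (or a timeout) as a condition that would make a CA refuse to issue. The nameserver address is a command-line argument; `fake_response` is a constructed reply used only for offline checking of the parser.

```python
"""Added diagnostic (not win-acme or Let's Encrypt code): query CAA for a name and
its parents over UDP and TCP and report the DNS rcode, since a SERVFAIL/NOTIMP on
any of them, or a nameserver that cannot answer over TCP, blocks issuance."""
import secrets
import socket
import struct

QTYPE_CAA = 257
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def caa_candidates(domain):
    # RFC 8659 climbs from the name itself up through every parent label.
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def build_query(name, qtype=QTYPE_CAA):
    # Minimal DNS wire-format query: 12-byte header (RD set), QNAME, QTYPE, QCLASS=IN.
    txid = secrets.randbits(16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.strip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)


def parse_rcode(response, expected_id):
    # Return (rcode name, answer count, TC flag) from the response header.
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), an, bool(flags & 0x0200)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query(server, name, transport="udp", timeout=3.0):
    txid, pkt = build_query(name)
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(4096)
    else:
        # DNS over TCP prefixes each message with a two-byte length (RFC 1035 4.2.2).
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(pkt)) + pkt)
            (length,) = struct.unpack(">H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    return parse_rcode(data, txid)


def caa_verdict(rcode):
    # A CA treats NOERROR (even with no records) and NXDOMAIN as "no CAA restriction";
    # any other rcode, or a timeout, means it cannot prove it is allowed to issue.
    return "ok" if rcode in ("NOERROR", "NXDOMAIN") else "blocks issuance"


def diagnose(server, domain):
    # Map (name, transport) -> rcode or "TIMEOUT"; every entry must be "ok" for issuance.
    results = {}
    for name in caa_candidates(domain):
        for transport in ("udp", "tcp"):
            try:
                rcode, _answers, _tc = query(server, name, transport)
            except (socket.timeout, OSError):
                rcode = "TIMEOUT"
            results[(name, transport)] = rcode
    return results


def fake_response(query_pkt, rcode):
    # Constructed reply for offline checks: echoes the question, sets QR/RD/RA and the rcode.
    (txid,) = struct.unpack(">H", query_pkt[:2])
    return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + query_pkt[12:]


if __name__ == "__main__":
    import sys
    server, domain = sys.argv[1], sys.argv[2]  # e.g. an authoritative nameserver IP and app.home.tilsch.it
    for (name, transport), rcode in diagnose(server, domain).items():
        print(f"{name:28} {transport:4} {rcode:10} {caa_verdict(rcode)}")
```

Run it once per authoritative server (the four ns0x.ipffm.de hosts named above, resolved to their IPs) rather than against a recursive resolver, since a recursor hides which authoritative server is failing and which transport it used. A "TIMEOUT" in the tcp column with "NOERROR" in the udp column is the "doesn't support TCP connection" case from the report above; a SERVFAIL on home.tilsch.it matches the ACME error shown in post #7.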


#9

@JuergenAuer Thanks a lot. I opened a ticket with my hoster. Let’s see if this helps solve the issue.


#10

I have no problem with the questions.
As stated, I only seem to “have a problem” with the lack of information provided to enable anyone to clearly understand the actual problem.

We are here to help, but you have to help us help you.


#11

@JuergenAuer Which tool did you use to analyse my DNS servers in such detail? Letsdebug just gives me a fatal error. I raised the issue with my DNS provider, but he did not give me a detailed reply or any feedback.

But suddenly I am getting another error message:
[VERB] Checking [Manual] app.home.tilsch.it
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/authz/WpWc4LxAUA0lNoFGMF75srj8fOe_0XHmS_TXZVPzijg
[INFO] Authorize identifier: app.home.tilsch.it
[INFO] Authorizing app.home.tilsch.it using http-01 validation (FileSystem)
[VERB] Writing file to R:\inetpub\wwwroot.well-known\acme-challenge\3RV2IKEWSbBrwpG2Q7D7wldDvUwNEex4NIVCGknG8SE
[DBUG] Writing web.config
[VERB] Writing file to R:\inetpub\wwwroot.well-known\acme-challenge\web.config
[INFO] Answer should now be browsable at http://app.home.tilsch.it/.well-known/acme-challenge/3RV2IKEWSbBrwpG2Q7D7wldDvUwNEex4NIVCGknG8SE
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/WpWc4LxAUA0lNoFGMF75srj8fOe_0XHmS_TXZVPzijg/14025753249
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/WpWc4LxAUA0lNoFGMF75srj8fOe_0XHmS_TXZVPzijg/14025753249
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/WpWc4LxAUA0lNoFGMF75srj8fOe_0XHmS_TXZVPzijg/14025753249
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "unknownHost :: No valid IP addresses found for app.home.tilsch.it",
"status": 400
}
[EROR] Authorization result: invalid
[DBUG] Deleting web.config
[VERB] Deleting file R:\inetpub\wwwroot.well-known\acme-challenge\web.config
[DBUG] Deleting answer
[VERB] Deleting file R:\inetpub\wwwroot.well-known\acme-challenge\3RV2IKEWSbBrwpG2Q7D7wldDvUwNEex4NIVCGknG8SE
[DBUG] Additional files or folders exist in R:\inetpub\wwwroot.well-known\acme-challenge, not deleting.
[EROR] Create certificate failed: Authorization failed

I did a name lookup from an external host. It gets a valid IP from the DNS response.


#12

It’s my own online tool - https://check-your-website.server-daten.de/?q=app.home.tilsch.it - created to make it easier to find configuration problems in this forum.

You can use it to check your domain, your provider too.

Recheck your domain to see if an IP address exists.