Certify Client - CAA Record Prevents Issuance

I am running into this same issue and I have no redirects set; however, Certify says it has to be able to connect without redirects. I checked using the tool below and it shows a 301 redirect. I had a redirect for http to https but I have removed that, and now I fear that letsencrypt has cached this 301 redirect and won’t let me get any certs.

http://www.redirect-checker.org/index.php

Hi @KalanVryce,

I moved your post to a new topic because I felt it wasn’t likely to be related to the previous topic. We should be able to help you, but we should start at the beginning with some more details about your hosting environment, what you’re trying to do, and what specific error messages you got.

I’ll also note that Let’s Encrypt does not “cache redirects” at all, so I don’t think that will turn out to be the problem. But if you fill out the new Help form below, we should be able to get a better sense of what’s going on.

Thanks!


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

After answering the questions above, you may want to look into excluding the .well-known requests from the 301 redirection.

Ok, well this is a test lab where I am messing with Server 2012/Exchange 2013 and 2016/Exchange 2016, as I ran into an issue with Certify in the past having certificates not compatible with Exchange. It worked on my 2016 machine; however, when I switched over to the 2012/Exchange 2013 test VM I am getting this redirect error. Thanks for any and all assistance in advance, it is much appreciated.

My domain is: www.newbierpg.com
I ran this command: Certify GUI Request Certificate
It produced this output: Certify says it has to be able to connect without redirects
My web server is (include version): IIS8
The operating system my web server runs on is (include version): Server 2012 (not R2)
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

Is this the software that you’re using?

https://certifytheweb.com/

I've seen many issues with IIS and certificates.
They usually end up getting fixed only when the certs are imported directly via IIS; any other method seems to fail when used - even though, by all means, the cert is valid and otherwise useable.

@schoen Yes, I am using the Certify application.

@rg305 the certificate itself would be fine if the application could create it. I’ve done the same process on other servers; however, for some reason only the acme-challenge folder seems to have a 301 Permanent Forward set that I can’t remove.

Thanks for the screenshot. I find this error from Certify too generic—there should have been a specific error returned from the certificate authority explaining more specifically what failed. This will be hard to debug, and you might want to try a different client application, or ask the Certify developers for help (especially whether there’s a way to get access to the actual error message from the CA).

IIS8 DOES support SNI.
Are you trying to host multiple sites?

IIS should be responsible for the redirection.

@schoen Yes, I agree the error is extremely vague; however, with the link in my first post I am seeing a permanent 301 Forward for that folder.

@rg305 No, I am not hosting multiple domains; however, this domain is typically pointing at my Linux server. I just changed the port forwarding on my router to this VM for testing. Yes, I am aware that IIS SHOULD be responsible for the redirection, which is why I am so confused. Screenshots follow, and the settings are blank on every level above acme-challenge as well.

IIS Redirect Settings:

URL Rewrite Module:

The good news is…
I don’t see the redirection:

I'm just not sure whether this is actually relevant without seeing the underlying CA error. I'm not aware of any CA error which, from my perspective, would forbid 301 redirects to be used (!). If you're using the HTTP-01 challenge, the CA follows redirects and the challenge file just has to be present at the other end of the redirect. If you're using the TLS-01 challenge, the challenge should be complete before the CA even sees the redirect at all. So, the error from Certify doesn't correspond directly to any failure mode that I'm familiar with.

In the TLS-01 challenge, there can be a problem if the server that the CA initially contacts is not the same as the machine that you're running the ACME client application on. That can happen if you have a domain registrar or CDN or any other kind of service provider that runs a server that's not the actual web server and that generates redirects of some kind to the actual web server. I imagine that this could be what the Certify developers are referring to (i.e., make sure that the DNS record is pointing directly to the real web server, and that you're running Certify directly on the real web server or with the ability to update the real web server), but I'm not positive of that.

Oddly enough the redirects are now gone when testing with these third-party tools… however, Certify is still throwing the redirect error, maybe I just have to wait for caches around the internet to clear out?

http://www.redirect-checker.org/index.php

http://redirectdetective.com/

Persistent redirection…
HSTS?

In addition to not forbidding the use of redirects on sites that request certificates, the Let's Encrypt CA doesn't cache any information about the sites, including the existence of a redirect. I really think the Certify message is leading you down a misleading path here. (There are ways that redirects can be used inappropriately that interfere with the issuance of a certificate, but I don't think we know that that's actually happening here.)

@rg305 No, it shouldn’t be, as the URL Certify is looking for is not https:

http://www.newbierpg.com/.well-known/acme-challenge/

Also, the Let’s Encrypt CA ignores HSTS when performing validations.

SOLVED!!

So I was avoiding using a different client as I was specifically testing Certify. I tried ZeroSSL and it failed as well; however, it did give me a more specific error. The issue was my CAA record; once I removed that, it was able to process the request!
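For anyone hitting the same wall: the check a CA performs before issuing is specified in RFC 8659, and it can be reproduced locally. The script below is an added example (not from this thread, Certify, or Let's Encrypt) that walks a constructed zone the way a CA walks DNS, so you can see why a CAA record at the apex that names a different CA blocks issuance for every name beneath it; the zone data and domain names are placeholders.

```python
# Added example: evaluate CAA records offline following RFC 8659 lookup rules,
# so a defender can see *why* a CA such as letsencrypt.org would refuse to issue.
from dataclasses import dataclass

CRITICAL = 128  # Issuer Critical flag bit in the CAA flags field


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data (placeholder names). example.test mirrors the thread:
# a CAA record at the apex that permits a different CA, so Let's Encrypt refuses.
ZONE = {
    "example.test.": [CAA(0, "issue", "other-ca.example"),
                      CAA(0, "iodef", "mailto:security@example.test")],
    "wild.test.": [CAA(0, "issue", "other-ca.example"),
                   CAA(0, "issuewild", "letsencrypt.org")],
    "locked.test.": [CAA(0, "issue", ";")],  # empty issuer: no CA may issue
}


def relevant_caa(name, zone):
    """RFC 8659 s3: walk from the name toward the root; the first owner that
    has a CAA RRset is the relevant one (none at all means unrestricted)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_of(record):
    """The issuer domain is the value up to the first ';' (parameters follow)."""
    return record.value.split(";", 1)[0].strip()


def issuance_permitted(name, ca_domain, zone, wildcard=False):
    """Return (allowed, reason) for ca_domain issuing a certificate for name."""
    owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA records in the tree; issuance unrestricted"
    if any(r.flags & CRITICAL and r.tag not in {"issue", "issuewild", "iodef"} for r in rrset):
        return False, f"critical CAA property at {owner} that the CA does not understand"
    # issuewild governs wildcard requests only when present; otherwise issue applies
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    issuers = [issuer_of(r) for r in rrset if r.tag == tag]
    if not issuers:
        return True, f"CAA at {owner} has no '{tag}' property; not restricted"
    if ca_domain in issuers:
        return True, f"{owner} '{tag}' permits {ca_domain}"
    return False, f"{owner} '{tag}' permits {[i for i in issuers if i] or 'no CA'}, not {ca_domain}"
```

Running `issuance_permitted("www.example.test.", "letsencrypt.org", ZONE)` returns a refusal that names the apex record, which is the diagnosis the Certify error message hid; against real DNS you would feed the same function the CAA RRsets returned by your resolver.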

I’m glad you solved it! :slight_smile:

If Certify had shown the actual error from the CA, we would have known the nature of the problem within seconds. :frowning:

Yes, I will be submitting this to Certify now that I know exactly what was going on.

Thank you both very much for all your assistance!