Cetificate fails to create 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.toplinemovies.co.za

I ran this command::!SSL-Free\SSL-Software-2.1.7.807-x86>wacs.exe

It produced this output:
A simple Windows ACMEv2 client (WACS)
Software version 2.1.7.807 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 10.0
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/win-acme/win-acme

N: Create renewal (default settings)
M: Create renewal (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options…
Q: Quit

Please choose from the menu: n

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

1: Default Web Site (2 bindings)

Site identifier(s) or to choose all:

1: toplinemovies.co.za (Site 1)
2: www.toplinemovies.co.za (Site 1)

You may either choose to include all listed bindings as host names in your
certificate, or apply an additional filter. Different types of filters are
available.

1: Pick specific bindings from the list
2: Pick bindings based on a search pattern
3: Pick all bindings

How do you want to pick the bindings?: 3

1: toplinemovies.co.za
2: www.toplinemovies.co.za

Please pick the main host, which will be presented as the subject of the certificate: 1

1: toplinemovies.co.za (Site 1)
2: www.toplinemovies.co.za (Site 1)

Continue with this selection? (y*/n) - yes

Target generated using plugin IIS: toplinemovies.co.za and 1 alternatives
Cached authorization result for www.toplinemovies.co.za: valid
Authorize identifier toplinemovies.co.za
Authorizing toplinemovies.co.za using http-01 validation (SelfHosting)
{
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from http://toplinemovies.co.za/.well-known/acme-challenge/z48doFk9lE0Wu5Mk3LC2PX2-DrPGX_Cp1fggO4IKgGw [129.232.219.82]: “\n\n404 Not Found\n\n

Not Found

\n<p””,
“status”: 403
}
Authorization result: invalid

Create certificate failed, retry? (y/n*)

Also able to access:
http://www.toplinemovies.co.za/.well-known/acme-challenge/test.txt
result: testing …displayed

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): IIS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ACMEv2 client (WACS) version 2.1.7.807

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows 10 pro 1909

My hosting provider, if applicable, is:N/A self hosting

1 Like

Hi @Rotsen49

I can't see it. And important: Rename the file, so the file name has no extension. Validation files are extensionless.

1 Like

Hi JuergenAuer,

Thank you for coming back to me. I deleted the file while I was testing again. But I still have the same problem. I put back the file with the extension and one without the extension. The one without the extension can not be accessed while the one with the extension can. Give it a try and you will see
.
http://www.toplinemovies.co.za/.well-known/acme-challenge/test.txt
http://www.toplinemovies.co.za/.well-known/acme-challenge/test

Kind regards
Nestor

1 Like

That's one problem. You must allow extensionless files.

Add a web.config in /.well-known/acme-challenge with

<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>

or add that to an existing config file. The extensionless file must work.

1 Like

Much appreciated I am going to give that a try. Not by my workstation so I will do that tomorrow and report back.

Hi JuergenAuer,

Your solution worked, but now I have another problem which I must address with my domain service provider :

when I ping www.toplinemovies.co.za (correct behavior):

C:\Users\nesto>ping www.toplinemovies.co.za

Pinging raps0002.homeunix.net [41.151.18.242] with 32 bytes of data:
Reply from 41.151.18.242: bytes=32 time=33ms TTL=52
Reply from 41.151.18.242: bytes=32 time=41ms TTL=52
Reply from 41.151.18.242: bytes=32 time=21ms TTL=52
Reply from 41.151.18.242: bytes=32 time=31ms TTL=52

Ping statistics for 41.151.18.242:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 41ms, Average = 31ms

When I ping toplinemovies.co.za (incorrect behavior/wrong):

C:\Users\nesto>ping toplinemovies.co.za

Pinging toplinemovies.co.za [129.232.219.82] with 32 bytes of data:
Reply from 129.232.219.82: bytes=32 time=6ms TTL=55
Reply from 129.232.219.82: bytes=32 time=8ms TTL=55
Reply from 129.232.219.82: bytes=32 time=11ms TTL=55
Reply from 129.232.219.82: bytes=32 time=5ms TTL=55

Ping statistics for 129.232.219.82:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 11ms, Average = 7ms

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.