Challenge file not created on Win2019 / IIS10

My domain is: navgate.com

I ran this command: wacs.exe --verbose --test

My web server is (include version): IIS10

The operating system my web server runs on is (include version): Win2019

My hosting provider, if applicable, is: Rackspace

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.2.8.1635

I am investigating the error "Timeout during connect (likely firewall problem)". The challenge file will not be created in this directory: C:\inetpub\wwwroot\navgate.com.well-known\acme-challenge

I have a web.config in that dir with this content, and it is writable to "everybody":

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/xml" />
        </staticContent>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="GET" modules="StaticFileModule" resourceType="Either" />
        </handlers>
    </system.webServer>
</configuration>

I added the "." file type to the MIME types in IIS.

It produced this output:

C:\Users\Administrator>nslookup
Default Server:  cachens2.dfw1.rackspace.com
Address:  72.3.128.241

> navgate.com
Server:  cachens2.dfw1.rackspace.com
Address:  72.3.128.241

Non-authoritative answer:
Name:    navgate.com
Address:  10.208.225.58
>
 Directory of C:\LetsEncrypt

04/09/2024  07:50 AM    <DIR>          .
04/09/2024  07:50 AM    <DIR>          ..
02/28/2024  12:12 AM           306,852 public_suffix_list.dat
04/09/2024  07:36 AM    <DIR>          Scripts
02/28/2024  12:12 AM             3,084 settings.json
02/28/2024  12:12 AM             3,084 settings_default.json
02/28/2024  12:17 AM                28 version.txt
02/28/2024  12:17 AM        42,691,920 wacs.exe
02/28/2024  12:12 AM               484 Web_Config.xml
               6 File(s)     43,005,452 bytes
               3 Dir(s)  129,286,111,232 bytes free
C:\LetsEncrypt>wacs.exe --test --verbose
 [DBUG] Logging at level Verbose
 [VERB] W3SVC detected and running
 [VERB] No FTPSVC detected
 [VERB] Looking for settings.json in C:\LetsEncrypt\
 [DBUG] Use existing configuration folder C:\ProgramData\win-acme
 [DBUG] Created configuration folder C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
 [DBUG] Created log folder C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Log
 [DBUG] Created cache folder C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
 [DBUG] secrets.json not found
 [DBUG] Renewal period: 55 days
 [VERB] Sending e-mails False
 [VERB] Arguments: --test --verbose
 [VERB] ExePath: C:\LetsEncrypt\wacs.exe
 [VERB] ResourcePath: C:\LetsEncrypt\
 [VERB] PluginPath: C:\LetsEncrypt\

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.2.8.1635 (release, pluggable, standalone, 64-bit)
 [INFO] Connecting to https://acme-staging-v02.api.letsencrypt.org/...
 [DBUG] [HTTP] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "Qt0Lk2vyuFU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
 [INFO] Connection OK!
 [DBUG] Running with administrator credentials
 [DBUG] IIS version 10.0
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: n

 [INFO] Running in mode: Interactive, Simple, Test
 [VERB] Autofac: creating PluginFrontend<TargetPluginOptions> scope with parent wacs
 [VERB] Autofac: creating PluginFrontend<TargetPluginOptions> scope with parent wacs
 [DBUG] [HTTP] Send GET to https://publicsuffix.org/list/public_suffix_list.dat
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response of type text/plain (308798 bytes)
 [VERB] Autofac: creating PluginFrontend<TargetPluginOptions> scope with parent wacs
 [DBUG] Scanning IIS sites
 [DBUG] Scanning IIS bindings for host names

 Please select which website(s) should be scanned for host names. You may
 input one or more site identifiers (comma-separated) to filter by those
 sites, or alternatively leave the input empty to scan *all* websites.

 2: careoptions.net (4 bindings)
 6: cool.net (3 bindings)
 4: email.cool.net (2 bindings)
 5: myccds.com (2 bindings)
 3: navgate.com (2 bindings)

 Site identifier(s) or <Enter> to choose all: 3

 [VERB] 13 named bindings found in IIS
 [DBUG] Filtering based on binding type
 [DBUG] Filtering by site(s) [3]
 [VERB] 2 bindings remaining after site filter
 [VERB] No host filter applied
 [VERB] 2 matching bindings found

 1: navgate.local (Site 3)
 2: navgate.com (Site 3)

 Listed above are the bindings found on the selected site(s). By default all
 of them will be included, but you may either pick specific ones by typing the
 host names or identifiers (comma-separated) or filter them using one of the
 options from the menu.

 P: Pick bindings based on a search pattern
 A: Pick *all* bindings

 Binding identifiers(s) or menu option: p

 You may use a `*` for a range of any characters and a `?` for any single
 character. For example: the pattern `example.*` will match `example.net` and
 `example.com` (but not `my.example.com`) and the pattern `?.example.com` will
 match `a.example.com` and `b.example.com` (but not `www.example.com`). Note
 that multiple patterns can be combined by comma seperating them.

 Pattern: navgate.com

 [VERB] 13 named bindings found in IIS
 [DBUG] Filtering based on binding type
 [DBUG] Filtering by site(s) [3]
 [VERB] 2 bindings remaining after site filter
 [DBUG] Filtering by host: ^(navgate\.com)$
 [VERB] 1 bindings remaining after host filter
 [VERB] 1 matching binding found
 [VERB] 13 named bindings found in IIS
 [DBUG] Filtering based on binding type
 [DBUG] Filtering by site(s) [3]
 [VERB] 2 bindings remaining after site filter
 [DBUG] Filtering by host: ^(navgate\.com)$
 [VERB] 1 bindings remaining after host filter
 [VERB] 1 matching binding found

 1: navgate.com (Site 3)

 Continue with this selection? (y*/n) - yes

 [VERB] Autofac: creating PluginBackend<ITargetPlugin> scope with parent wacs
 [DBUG] Scanning IIS bindings for host names
 [VERB] 13 named bindings found in IIS
 [DBUG] Filtering based on binding type
 [DBUG] Filtering by site(s) [3]
 [VERB] 2 bindings remaining after site filter
 [DBUG] Filtering by host: ^(navgate\.com)$
 [VERB] 1 bindings remaining after host filter
 [VERB] 1 matching binding found
 [DBUG] Scanning IIS sites
 [INFO] Source generated using plugin IIS: navgate.com
 [VERB] Autofac: creating Target scope with parent PluginBackend<ITargetPlugin>
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] W3SVC detected and running
 [VERB] No FTPSVC detected
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] Global validation option not found for navgate.com
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [DBUG] Adding local system default as DNS server
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] No value provided for --validationport
 [VERB] No value provided for --validationprotocol
 [VERB] Autofac: creating PluginFrontend<CsrPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<CsrPluginOptions> scope with parent target
 [VERB] Flag --ocsp-must-staple not present
 [VERB] Flag --reuse-privatekey not present
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] No value provided for --certificatestore
 [VERB] Flag --keepexisting not present
 [VERB] No value provided for --acl-fullcontrol
 [VERB] No value provided for --acl-read
 [VERB] No value provided for --certificatestore
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
 [VERB] No value provided for --sslport
 [VERB] No value provided for --sslipaddress
 [VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<InstallationPluginOptions> scope with parent target

 [VERB] Constructing ACME protocol client...
 [VERB] Getting service directory...
 [DBUG] [HTTP] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "ZC7XGvkyFo4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
 [DBUG] Signer not found at C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
 [DBUG] Details not found at C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
 [VERB] No account found, creating new one
 [DBUG] [HTTP] Send GET to https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response of type application/pdf (127291 bytes)
 [VERB] Terms of service downloaded
 [VERB] Writing terms of service to C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\LE-SA-v1.4-April-3-2024.pdf

Terms of service:    C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\LE-SA-v1.4-April-3-2024.pdf

 Open in default application? (y/n*) - yes

 Do you agree with the terms? (y*/n) - yes

 Enter email(s) for notifications about problems and abuse (comma-separated): bradley@navgate.com

 [DBUG] Creating new ES256 signer
 [DBUG] [HTTP] Send HEAD to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Empty response
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
 [VERB] [HTTP] Request content: {"protected":"eyJqd2siOnsiY3J2IjoiUC0yNTYiLCJrdHkiOiJFQyIsIngiOiJWY1lxS0hzY181eFNHMk9CVVVBZkVTQkVPWVpjVWRBTEs5cGpieEVhOEhVIiwieSI6ImVkYVVVUFl5Y2VsSldFVDgxZ0k4aE83SHdLS3dnTFhSZnB1RDNURlUxbFEifSwiYWxnIjoiRVMyNTYiLCJ1cmwiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0Iiwibm9uY2UiOiIxak52WGgwN3NXN29Jd0RWcWkxeU5Kb3p0ODY2TzY4UkZSZVZVaUc1bGVTb0hSU0FMS3cifQ","payload":"eyJjb250YWN0IjpbIm1haWx0bzpicmFkbGV5QG5hdmdhdGUuY29tIl0sInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjp0cnVlfQ","signature":"KhTNOMeAudeIuszol6yfa8lkz5tf9L-WS5mQdoR8D45ZsmqloR4tpj0ev0UlD81h4KQg2YxZw6hyO4nKbMRPoQ"}
 [VERB] [HTTP] Request completed with status Created
 [VERB] [HTTP] Response content: {
  "key": {
    "kty": "EC",
    "crv": "P-256",
    "x": "VcYqKHsc_5xSG2OBUUAfESBEOYZcUdALK9pjbxEa8HU",
    "y": "edaUUPYycelJWET81gI8hO7HwKKwgLXRfpuD3TFU1lQ"
  },
  "contact": [
    "mailto:bradley@navgate.com"
  ],
  "initialIp": "72.32.48.52",
  "createdAt": "2024-04-09T15:51:10.815445104Z",
  "status": "valid"
}
 [DBUG] Saving account to C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
 [DBUG] Saving signer to C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
 [DBUG] Using default account...
 [VERB] Autofac: creating Execution scope with parent wacs
 [VERB] Autofac: creating PluginBackend<ITargetPlugin> scope with parent Execution
 [VERB] W3SVC detected and running
 [VERB] No FTPSVC detected
 [DBUG] Scanning IIS bindings for host names
 [VERB] 13 named bindings found in IIS
 [DBUG] Filtering based on binding type
 [DBUG] Filtering by site(s) [3]
 [VERB] 2 bindings remaining after site filter
 [DBUG] Filtering by host: ^(navgate\.com)$
 [VERB] 1 bindings remaining after host filter
 [VERB] 1 matching binding found
 [DBUG] Scanning IIS sites
 [INFO] Plugin IIS generated source navgate.com with 1 identifiers
 [VERB] Autofac: creating Split scope with parent PluginBackend<ITargetPlugin>
 [VERB] Autofac: creating PluginBackend<IOrderPlugin> scope with parent Split
 [INFO] Plugin Single created 1 order
 [VERB] Checking [IIS] navgate.com | navgate.com
 [VERB] Autofac: creating Order scope with parent PluginBackend<ITargetPlugin>
 [VERB] Autofac: creating PluginBackend<ICsrPlugin> scope with parent order-main
 [DBUG] Reading certificate cache
 [DBUG] No cache files found for renewal
 [VERB] Order Main should run (new/changed source)
 [VERB] Obtain order details for Main
 [VERB] No existing order found
 [VERB] Creating order for identifiers: ["navgate.com"] (notAfter: null)
 [DBUG] [HTTP] Send HEAD to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Empty response
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwibm9uY2UiOiIxak52WGgwN2EzZ3R5Q1VhUFI5ZENyNXFJX1RrN2E4ZE5kdnd3ODRCaGc4VUIwYmU3ejgiLCJraWQiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ0MDcyNzQ0In0","payload":"eyJpZGVudGlmaWVycyI6W3sidHlwZSI6ImRucyIsInZhbHVlIjoibmF2Z2F0ZS5jb20ifV19","signature":"kFiKGtB8LsU-RmXBJf0Lm4sRRvTbNz1clfzUDasatl7orl6MyraoNxMt5g2Sn-zcYFBiOPXbtoCDH7A4BM1buQ"}
 [VERB] [HTTP] Request completed with status Created
 [VERB] [HTTP] Response content: {
  "status": "pending",
  "expires": "2024-04-16T15:51:11Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "navgate.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11944717714"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/144072744/15815562584"
}
 [VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/144072744/15815562584 created
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11944717714
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTE5NDQ3MTc3MTQiLCJub25jZSI6InpSNXppMTBKWlVYM0t1ejUxcjNfMzdWalBORldkRXNINEw4bVFjNmRzbHNmZUhNOXRmcyIsImtpZCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDQwNzI3NDQifQ","payload":"","signature":"NeHqkXb5tsaAbGFaQHHBHUFH-ugLdUROnU_21JtrbnQ7hGwKxIS909HOOCwuKGO-7Fw1oZBumuDj7s6f9Vmwew"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "identifier": {
    "type": "dns",
    "value": "navgate.com"
  },
  "status": "pending",
  "expires": "2024-04-16T15:51:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ",
      "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/KIxg_A",
      "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/0Ximaw",
      "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"
    }
  ]
}
 [VERB] Autofac: creating Target scope with parent PluginBackend<ICsrPlugin>
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] W3SVC detected and running
 [VERB] No FTPSVC detected
 [VERB] Autofac: creating PluginBackend<IValidationPlugin> scope with parent PluginBackend<ICsrPlugin>
 [VERB] Handle authorization 1/1
 [VERB] Autofac: creating PluginBackend<IValidationPlugin> scope with parent PluginBackend<ICsrPlugin>
 [INFO] [navgate.com] Authorizing...
 [VERB] [navgate.com] Initial authorization status: pending
 [VERB] [navgate.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] [navgate.com] Initial challenge status: pending
 [INFO] [navgate.com] Authorizing using http-01 validation (SelfHosting)
 [VERB] Starting commit stage
 [VERB] Commit was succesful
 [DBUG] [navgate.com] Submitting challenge answer
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTE5NDQ3MTc3MTQveTREVWlRIiwibm9uY2UiOiJ6UjV6aTEwSjJyNEJFTWNhdmJobV9fdXpFRm1nUXFXeGVqRU5QU0RIcDlRSm9Tb1hodW8iLCJraWQiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ0MDcyNzQ0In0","payload":"e30","signature":"_iWKzXj9SSivxn2Ycw8JOoNUo_wg6pPa7DGK5EHcQoKx3-kSwEXOh-oFHdYKzHQPk--ATeXfmzkEk5fWm1fApw"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ",
  "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"
}
 [DBUG] Refreshing authorization (1/15)
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTE5NDQ3MTc3MTQveTREVWlRIiwibm9uY2UiOiIxak52WGgwNy1lUVk0U0M4bEVPNjhwT1NSc0NXNUJWNTBxWWFHTGM4M2MtckhLZzZHZjQiLCJraWQiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ0MDcyNzQ0In0","payload":"","signature":"8-Nz4LLMthEbJVcMso_Azly2Y_9Sive8BaHFl2FyinlklRBbZY1RWbqb3CpyJ9g1lYb8A8GbBEkt282hmG7EbA"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ",
  "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"
}
 [DBUG] Refreshing authorization (2/15)
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTE5NDQ3MTc3MTQveTREVWlRIiwibm9uY2UiOiJ6UjV6aTEwSjNPaEM0YmNkQ0RfMmktVENrU2pCd3kzUXA4M2dLOFhXaVAyWVNnRUc0cEkiLCJraWQiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ0MDcyNzQ0In0","payload":"","signature":"FtKviDId4crUW9hcO-JkD16mZVVTn6Vgko7VOHXxHrg88odKdm-bsWytzAhBoaS8MZWOiqHKKri9YGRBOfD0jg"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ",
  "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"
}
 [DBUG] Refreshing authorization (3/15)
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTE5NDQ3MTc3MTQveTREVWlRIiwibm9uY2UiOiIxak52WGgwN3JEWE96eUdnYUFabWpMMDRLdnBVaFZjczgzOHhPUjRRa1pOeEVtcDNoeTgiLCJraWQiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ0MDcyNzQ0In0","payload":"","signature":"yd979m0guEA8unRH3psHz39PJMKRryYf8F4BzqpJcRk7hWrTCERjsFFFGnzDKBk8jlyE_J7_4BAUPgHhWr_g6g"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "72.32.48.52: Fetching http://navgate.com/.well-known/acme-challenge/OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY: Timeout during connect (likely firewall problem)",
    "status": 400
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ",
  "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY",
  "validationRecord": [
    {
      "url": "http://navgate.com/.well-known/acme-challenge/OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY",
      "hostname": "navgate.com",
      "port": "80",
      "addressesResolved": [
        "72.32.48.52"
      ],
      "addressUsed": "72.32.48.52",
      "resolverAddrs": [
        "A:10.0.32.86:26947",
        "AAAA:10.0.32.87:30752"
      ]
    }
  ],
  "validated": "2024-04-09T15:51:11Z"
}
 [EROR] [navgate.com] Authorization result: invalid
 [EROR] [navgate.com] {"type":"urn:ietf:params:acme:error:connection","detail":"72.32.48.52: Fetching http://navgate.com/.well-known/acme-challenge/OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY: Timeout during connect (likely firewall problem)","status":400,"instance":null}
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [INFO] [navgate.com] Deactivating pending authorization
 [DBUG] [HTTP] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11944717714
 [VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTE5NDQ3MTc3MTQiLCJub25jZSI6IjFqTnZYaDA3LUtJR0Z4dHRuZWVyVENReGFyUjdEcWpBQUo4d0hpeU5VaXkxRzNwNkJKRSIsImtpZCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDQwNzI3NDQifQ","payload":"eyJzdGF0dXMiOiJkZWFjdGl2YXRlZCJ9","signature":"gVLqerv6U1rMlBs593PbMxi-P-WUbOdp2V9QevrEbSR5kq3Oi3ckj347558azDBzYJOxqY_idybOTQBu4a3wRg"}
 [VERB] [HTTP] Request completed with status OK
 [VERB] [HTTP] Response content: {
  "identifier": {
    "type": "dns",
    "value": "navgate.com"
  },
  "status": "deactivated",
  "expires": "2024-04-16T15:51:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "72.32.48.52: Fetching http://navgate.com/.well-known/acme-challenge/OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11944717714/y4DUiQ",
      "token": "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY",
      "validationRecord": [
        {
          "url": "http://navgate.com/.well-known/acme-challenge/OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY",
          "hostname": "navgate.com",
          "port": "80",
          "addressesResolved": [
            "72.32.48.52"
          ],
          "addressUsed": "72.32.48.52",
          "resolverAddrs": [
            "A:10.0.32.86:26947",
            "AAAA:10.0.32.87:30752"
          ]
        }
      ],
      "validated": "2024-04-09T15:51:11Z"
    }
  ]
}
 [VERB] Order 1/1 (Main): error Validation failed
 [VERB] Processing order 1/1: Main
1 Like

This literally means that your firewall is preventing Let's Encrypt from checking your domain using HTTP (TCP port 80). Open your firewall for TCP port 80 (HTTP) at both the Windows Firewall level and in any cloud VM networking control panel you have. If the HTTP check cannot connect, then HTTP validation cannot be completed.

You can normally ignore issues related to web.config etc., as IIS etc. are bypassed by the app self-hosting an HTTP challenge listener (see "[INFO] [navgate.com] Authorizing using http-01 validation (SelfHosting)" in the log file).

2 Likes
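The reply above makes two points: the failure is a network block on TCP/80, and the challenge file and web.config do not matter because win-acme answers the challenge from its own listener. As an added example (not win-acme's code, and not something the posters ran), the Python below takes the account public key and the challenge token exactly as they appear in the verbose log in this thread, computes the key authorization the CA expects to read from /.well-known/acme-challenge/<token>, and turns the failed challenge object from the log into a one-line cause. The cause wording and the fetch_challenge helper are my own assumptions about how an admin would check this from outside.

```python
"""Added example (not win-acme code): derive the http-01 expectation from
the account JWK and token a win-acme log prints, and classify a failed
challenge. Key, token and error are copied from the log in this thread."""
import base64
import hashlib
import json
import socket
import sys
import urllib.error
import urllib.request

# Account key (public part) and token as printed in the log above.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "VcYqKHsc_5xSG2OBUUAfESBEOYZcUdALK9pjbxEa8HU",
    "y": "edaUUPYycelJWET81gI8hO7HwKKwgLXRfpuD3TFU1lQ",
}
TOKEN = "OWQ0V9ZbAdz9NT5YjAV2VqOF2jWyqViGM4J6UVfJ-iY"

# The failed challenge object from the log, trimmed to the fields used here.
FAILED_CHALLENGE = {
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "72.32.48.52: Fetching http://navgate.com/.well-known/"
                  "acme-challenge/" + TOKEN + ": Timeout during connect "
                  "(likely firewall problem)",
        "status": 400,
    },
    "token": TOKEN,
    "validationRecord": [{
        "url": "http://navgate.com/.well-known/acme-challenge/" + TOKEN,
        "hostname": "navgate.com",
        "port": "80",
        "addressUsed": "72.32.48.52",
    }],
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the client must serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def diagnose(challenge: dict) -> dict:
    """Map an ACME challenge object to a cause a server admin can act on."""
    record = (challenge.get("validationRecord") or [{}])[0]
    err = challenge.get("error") or {}
    etype, detail = err.get("type", ""), err.get("detail", "")
    if challenge.get("status") == "valid":
        cause = "ok"
    elif etype.endswith(":connection") and "Timeout during connect" in detail:
        cause = ("tcp/80 to the address used is dropped before it reaches the "
                 "listener (perimeter firewall, NAT or host firewall); the "
                 "challenge file content is irrelevant until this connects")
    elif etype.endswith(":connection"):
        cause = ("tcp/80 reached the host but the connection was refused or "
                 "reset; check that something is listening on port 80")
    elif etype.endswith(":unauthorized"):
        cause = "something answered on tcp/80 but served the wrong key authorization"
    elif etype.endswith(":dns"):
        cause = "the name did not resolve for the CA's resolvers"
    else:
        cause = f"unclassified: {etype or 'no error'}"
    return {"status": challenge.get("status"), "url": record.get("url"),
            "address_used": record.get("addressUsed"), "cause": cause}


def fetch_challenge(url: str, timeout: float = 10.0):
    """Probe the challenge URL as an outside client would (assumed helper).
    Returns (http_status, body) or (None, reason). Only meaningful when run
    from outside the network, which is what the thread's telnet test shows."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return None, f"connect failed: {e}"


if __name__ == "__main__":
    print("expected body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print(json.dumps(diagnose(FAILED_CHALLENGE), indent=2))
    if len(sys.argv) > 1:  # optional: pass the challenge URL to probe it
        print(fetch_challenge(sys.argv[1]))
```

Run it with no arguments to see the expected file body and the diagnosis for the log's error; pass the challenge URL from a machine outside the hosting network to reproduce what the CA sees. A timeout from outside while the firewall's own TCP ping succeeds from inside, as in this thread, points at the perimeter or NAT path rather than at the server.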

I thought it was a firewall issue as well. I had my host check if port 80 was open as we are running a web server. The site is accessible on port 80 and host support confirmed it was open. This is what they found:

I can see that all traffic on port 80 is allowed on the firewall-

FW-34122-1089941# packet-tracer input ouTSIDE tcp 8.8.8.8 1234 72.32.48.52 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network OBJ-10.208.225.58
nat (rackconnect328,OUTSIDE) static 72.32.48.52 dns
Additional Information:
NAT divert to egress interface rackconnect328
Untranslate 72.32.48.52/80 to 10.208.225.58/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 72.32.50.1 using egress ifc OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface OUTSIDE
access-list 101 extended permit tcp any any eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface OUTSIDE
access-list 101 extended permit tcp any any eq www
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network OBJ-10.208.225.58
nat (rackconnect328,OUTSIDE) static 72.32.48.52 dns
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 126439641, packet dispatched to next module

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.208.225.58 using egress ifc rackconnect328

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address bc76.4e04.3dee hits 11964 reference 6

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: rackconnect328
output-status: up
output-line-status: up
Action: allow

FW-34122-1089941#

Also, I can confirm from firewall end that the server is responding to port 80-

FW-34122-1089941# ping tcp 10.208.225.58 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.208.225.58 port 80
from 10.208.255.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FW-34122-1089941#

However, when I try to telnet to the server from my machine, it is not responding-

vish5122@DESKTOP-RIEVCRJ:~$ telnet 72.32.48.52 80
Trying 72.32.48.52...
telnet: Unable to connect to remote host: Connection timed out

I can hit the website in question, navgate.com, which is listening on port 80, but port check websites keep saying the port is closed. I feel something wonky is happening with our firewall and will continue having our host investigate.

[Screenshot 2024-04-11 073515]

Yes, it looks like it. This site is helpful for debugging comms setups for Let's Encrypt.

2 Likes

What does the route table look like in the device with IP 10.208.225.58 ?
What do the firewall rules look like in the device with IP 10.208.225.58 ?

2 Likes

The firewall rule, or RackConnect as my host calls it, is set to allow all internet traffic on port 80 to all cloud servers. My host is investigating more.

I see two sets of repeated default routes:
[screenshot of the route table]
Mind you, although there is only one currently active, it would be cleaner to remove any unnecessary routes from that list.

Does the Windows server have GUI?

1 Like

Thanks for replying rg, this is getting above my pay grade. I will wait for Rackspace to respond and note your findings.

3 Likes

Keep in mind Windows Firewall or other software security products installed on your server (malware protection or some brands of Anti Virus). You probably have a rule that's only allowing HTTP from certain IP ranges or from certain geographic regions. The rackspace comment about firewall config is just about their own firewall, not the firewall software that runs on windows by default.

If you can access a site via HTTP and others can't then you are blocking HTTP (TCP port 80) somewhere, fix that and HTTP validation will start working.

2 Likes

It was an error on my part with the ASA firewall rules; port 80 is now open and Let's Debug is coming out OK. The debugging tools you developed came in handy for this armchair IT admin.

1 Like
Nmap scan report for 72.32.48.52
Host is up (0.085s latency).

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  open     http
443/tcp filtered https

2 Likes

And from around the world
http - Permanent link to this check report results of "OK".
https - Permanent link to this check report results of "Connection timed out".

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.