Could not issue an SSL/TLS certificate BECAUSE looking on HTTP and not HTTPS

My domain is:
eastshockey.org.au

I ran this command:
Renew Certificates which is set to auto but fails

It produced this output:

Could not issue an SSL/TLS certificate for eastshockey.org.au
Details

Could not issue a Let's Encrypt SSL/TLS certificate for eastshockey.org.au .

The authorization token is not available at http://eastshockey.org.au/.well-known/acme-challenge/ath0TxWiyUwNpWIUZoddrkPuTjrjzSDfp8NtlTune3Y.

To resolve the issue, make sure that the token file can be downloaded via the above URL.

My web server is (include version):
IIS

The operating system my web server runs on is (include version):
Windows Server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk

QUESTION
I can see what is happening - the token is being created, but in a folder that requires HTTPS.
I did turn on HTTP to HTTPS redirect, but it seems this is just for the folder content and NOT files.
What Config change do I need to make so that the file is available on HTTP or get the redirect to HTTPS work?
Running Windows Server IIS with Plesk desktop

Cheers
Philip

If I understand the problem correctly, your Plesk site only has an HTTPS binding, and not an HTTP one.

As a result, https://eastshockey.org.au/.well-known/acme-challenge/xyzxyz and http://eastshockey.org.au/.well-known/acme-challenge/xyzxyz refer to entirely different document roots.

I'm not super familiar with Plesk, but it might be the case that files under .well-known/acme-challenge/ are excluded from the site-wide 301 redirect. I know this is the case with Let's Encrypt integrations on other control panels.

If I were you, I'd try making sure that both HTTP and HTTPS bindings exist for the site. Then apply a 301 redirect using one of the two Alternative solutions for Windows Server listed here.

Otherwise, I guess you could try those solutions anyway and see whether it forces the contents of the acme-challenge directory to be redirected.

2 Likes

Hi Guys,

The problem seems to be WHERE the letsencrypt generates the request files.
It seems to put them in these two locations for me (one for website, one for email)
C:\Inetpub\vhosts\eastshockey.org.au\httpdocs\.well-known\acme-challenge

C:\Program Files (x86)\Plesk\Webmail\horde\horde\.well-known\acme-challenge

Yet these can ONLY be accessed with HTTPS.

BUT it seems that HTTP is looking here:
C:\Inetpub\vhosts\default\htdocs

So when LetsEncrypt creates the files here, I QUICKLY copy them into here, and it WORKS!
C:\Inetpub\vhosts\default\htdocs

I did also need to have a WEB.CONFIG to allow these files to be read.
C:\Inetpub\vhosts\default\htdocs\web.config needs to be this:

<?xml version="1.0" encoding="UTF-8"?>

It may be worth posting this "FIX" as I am sure there are others out there that experience this issue too.

Cheers
Philip
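
An added example, not code from the thread or from Plesk: a PowerShell check for the situation described in the posts above, where HTTP and HTTPS requests for the same host name are served from different document roots. It lists the IIS bindings that can match the host, picks the site that answers port 80, and fetches an extensionless probe file from that site's challenge folder; the probe file name and the default host name are assumptions, and IP-specific bindings are not told apart.

```powershell
# Added example: which IIS site answers plain HTTP for a host, and can an
# extensionless file in its challenge folder be fetched on port 80?
param([string]$HostName = 'eastshockey.org.au')   # domain from the thread

Import-Module WebAdministration

# Flatten every http/https binding ("IP:port:host") together with its site root.
$bindings = foreach ($site in Get-Website) {
    foreach ($b in $site.Bindings.Collection) {
        if ($b.bindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<host>.*)$') {
            [pscustomobject]@{
                Site       = $site.Name
                Protocol   = $b.protocol
                Port       = [int]$Matches.port
                HostHeader = $Matches.host
                Root       = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
            }
        }
    }
}

# Bindings that can match this host: an exact host header or a blank (catch-all) one.
$candidates = $bindings | Where-Object { $_.HostHeader -in @($HostName, '') }
$candidates | Sort-Object Port, Site | Format-Table -AutoSize | Out-String | Write-Host

# Site expected to serve http://$HostName/: exact host header first, then catch-all.
# Simplification: IP-specific bindings are not told apart.
$http   = $candidates | Where-Object { $_.Protocol -eq 'http' -and $_.Port -eq 80 }
$target = @($http | Where-Object { $_.HostHeader -eq $HostName }) +
          @($http | Where-Object { $_.HostHeader -eq '' }) | Select-Object -First 1
if (-not $target) { Write-Warning "No port 80 binding matches $HostName"; return }

# Drop a probe file (made-up name, no extension, like a real token) and fetch it.
$dir   = Join-Path $target.Root '.well-known\acme-challenge'
$probe = 'probe-' + [guid]::NewGuid().ToString('N')
$file  = Join-Path $dir $probe
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value $probe
try {
    $r    = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/$probe" -UseBasicParsing
    $body = if ($r.Content -is [byte[]]) { [Text.Encoding]::ASCII.GetString($r.Content) } else { $r.Content }
    "Port 80 is served by '$($target.Site)' from $($target.Root)"
    "HTTP $($r.StatusCode), body matches probe: $($body.Trim() -eq $probe)"
} catch {
    "Fetch failed for site '$($target.Site)' ($($target.Root)): $($_.Exception.Message)"
} finally {
    Remove-Item $file -ErrorAction SilentlyContinue
}
```

Run it in an elevated PowerShell session on the web server; if the root it reports is not the folder where the certificate tool writes its token files, the HTTP request is reaching a different site than the HTTPS one.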
