Create certificate failed IIS7.5

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: staging.icarpetiles.com

Commands And Outputs:

C:\WACS>wacs

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.2.641 (RELEASE, PLUGGABLE)
[INFO] IIS version 7.5
[INFO] Running with administrator credentials
[WARN] Scheduled task not configured yet
[INFO] Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
O: More options…
Q: Quit

Please choose from the menu: n

[INFO] Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

2: iCarpetiles3 (1 binding)

Site identifier(s) or to choose all:

1: staging.icarpetiles.com (Site 2)

You may either choose to include all listed bindings as host names in your
certificate, or apply an additional filter. Different types of filters are
available.

1: Pick specific bindings from the list
2: Pick bindings based on a search pattern
3: Pick all bindings

How do you want to pick the bindings?:

1: staging.icarpetiles.com (Site 2)

Continue with this selection? (y*/n) -

[INFO] Target generated using plugin IIS: staging.icarpetiles.com
[INFO] Authorize identifier: staging.icarpetiles.com
[INFO] Authorizing staging.icarpetiles.com using http-01 validation (SelfHosting)
[EROR] Authorization result: pending
[EROR] Create certificate failed: Authorization failed

My web server is (include version): IIS version 7.5

The operating system my web server runs on is (include version): Win 2008R2

My hosting provider, if applicable, is: None (dedicated server)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not sure what this means.

My other details: I’m behind a NAT, ports 80 & 443 are going to this site (External IP address is mapped to internal IP address). There’s only 1 website running on IIS (dotnetcore 2.2). I’ve done this before back in October (but via a completely different method - visit the site and you’ll see the expired certificate from letsencrypt), but cannot recall how I did it - though it was not with WACS. So the server is configured correctly, but the authorization is not working.
The current website (staging - pre-launch for testing purposes) was working fine before, but I’m not sure how I validated it. (I think I just generated a CSR, but don’t see how to use letsencrypt via the web to post the CSR and get a cert back).

Not sure how to proceed.


Hi @bd9999

checking your domain there are only timeouts - https://check-your-website.server-daten.de/?q=staging.icarpetiles.com

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://staging.icarpetiles.com/ (74.142.3.194): Timeout - The operation has timed out | -14 | | 10.016 | T |
| https://staging.icarpetiles.com/ (74.142.3.194): Timeout - The operation has timed out | -14 | | 10.030 | T |
| http://staging.icarpetiles.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (74.142.3.194): Timeout - The operation has timed out | -14 | | 10.027 | T |

So your selected http validation can’t work.

A working webserver (port 80) is required if you want to use http validation.

Please start with some basics:

Then read something about Challenge types:

Then check your firewall and your internal setup, why your server isn’t visible.


Working fine from here: no timeouts, however, the certificate expired message is showing (as it should).

Could it be that, because http requests are immediately redirected to https, this won’t work?
I can just put a basic HTML template site up (same address, just a folder not running DotNetCore app) and try again. That way there’s no redirection (the store software redirects automatically and is compiled that way), though, this would have to be done manually every time (though, I may be able to write console code that will change the folder of the IIS website just before the other schedule, then change back after a few minutes).

Please read the shared documents.

I read that. http auth is not possible w/this site (nopcommerce changes to make it work would have to be manually undone every 3 months). Sitelutions has an API for DNS control, so I’ll experiment to see if I can make it work (I need to take a course on PowerShell first :) )

Found out that their ISP (Charter) suddenly started blocking port 80 (but not 443 - go figure), and said to use a different port, so there is no way to do this via http authorization nor dns authorization if you have Charter (business or residential). So doing a staging website at a business with Charter is pretty much impossible. So I’ve been driving myself nuts for no other reason than Charter is blocking port 80 traffic ($300/mo business account and they treat companies like little children!!!). They also prevent accounts from running DNS servers (blocking traffic!), so the third option is out as well. What a mess.
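
Added example (not part of the original thread and not win-acme code): a probe to run from a host outside the server's network, because a request made from inside the NAT can succeed while inbound port 80 is filtered upstream. It walks the redirect chain under the rules Let's Encrypt documents for http-01 (at most 10 redirects, only to http/https on ports 80 or 443, certificate errors ignored after a redirect to HTTPS); the token path and the function names `next_hop` and `probe` are assumptions made for this example.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10         # Let's Encrypt follows at most 10 redirects for http-01
ALLOWED_PORTS = {80, 443}  # and only to http:/https: URLs on these ports
PROBE_PATH = "/.well-known/acme-challenge/reachability-probe"  # constructed token

def next_hop(url, status, location):
    """Classify one response: ("reachable", None), ("follow", url) or ("bad-redirect", url)."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return ("reachable", None)  # any answer, even 404, came from a web server
    target = urljoin(url, location)
    parts = urlsplit(target)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme not in ("http", "https") or port not in ALLOWED_PORTS:
        return ("bad-redirect", target)
    return ("follow", target)

def probe(host, timeout=10.0):
    # Validation ignores certificate errors after an HTTPS redirect, so the probe does too.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "http://" + host + PROBE_PATH
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
            resp = conn.getresponse()
            verdict, target = next_hop(url, resp.status, resp.getheader("Location"))
        except socket.timeout:
            return "timeout at %s: port filtered by a firewall, NAT rule or ISP" % url
        except (OSError, http.client.HTTPException) as exc:
            return "connection error at %s: %s" % (url, exc)
        finally:
            conn.close()
        if verdict == "reachable":
            return "reachable: %s answered HTTP %d" % (url, resp.status)
        if verdict == "bad-redirect":
            return "redirect to %s would not be followed by the CA" % target
        url = target
    return "more than %d redirects" % MAX_REDIRECTS

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

A timeout on the first hop matches what the check-your-website report above shows; a redirect from port 80 to HTTPS on port 443 is reported as followable rather than as a failure.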
