Create Certificate Failed On Server 2019 Self Hosting

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pacs.holycrosskottiyam.org:5938

I ran this command: A simple Windows ACMEv2 client (WACS)
Software version 2.2.9.1701 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: n

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

1: Default Web Site (1 binding)

Site identifier(s) or to choose all: 1

1: pacs.holycrosskottiyam.org:5938 (Site 1, http)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick all bindings

Binding identifiers(s) or menu option: a

1: pacs.holycrosskottiyam.org:5938 (Site 1, http)

Continue with this selection? (y*/n) - yes

It produced this output: Source generated using plugin IIS: pacs.holycrosskottiyam.org

Plugin IIS generated source pacs.holycrosskottiyam.org with 1 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[pacs.holycrosskottiyam.org] Authorizing...
[pacs.holycrosskottiyam.org] Authorizing using http-01 validation (SelfHosting)
[pacs.holycrosskottiyam.org] Authorization result: invalid
[pacs.holycrosskottiyam.org] {"type":"urn:ietf:params:acme:error:connection","detail":"111.92.41.11: Fetching http://pacs.holycrosskottiyam.org/.well-known/acme-challenge/OK_M5-usD_Tc7R4Ucm4D6WtXrYOsdPUjKhHQyh40j0s: Timeout during connect (likely firewall problem)","status":400,"instance":null}
[pacs.holycrosskottiyam.org] Deactivating pending authorization

My web server is (include version): Windows IIS 2019, IIS version 10.0

The operating system my web server runs on is (include version): Windows Server 2019

Please help me to install an SSL certificate.

You're nearly there, but you need to allow incoming TCP port 80 connections for HTTP domain validation to work. Normally that means opening HTTP (or incoming TCP port 80) in Windows Firewall and also in any cloud hosting networking configuration.

Currently, according to your log, you are hosting an HTTP site, but on port 5938. That's OK, but HTTP domain validation will only work on TCP port 80. win-acme will help with that so you don't have to change your IIS site, but your firewall still needs to allow it.

Alternatively, if you can't use HTTP domain validation, you could switch to DNS domain validation, and it looks like your domain is using AWS, so there are usually plenty of plugins to help with that.

4 Likes

Another problem is that you have two IP addresses in your DNS.

;; ANSWER SECTION:
pacs.holycrosskottiyam.org.	0	IN	A	111.92.41.11
pacs.holycrosskottiyam.org.	0	IN	A	61.1.182.60

These look like they point to very different places. Normally there should be just one, for the public IP address of your server.

5 Likes
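The two replies above make two separate points: the validator must reach TCP port 80 at the address it resolved, and a name with several A records must answer the challenge on every one of them. The following script, an added example that is neither win-acme's nor Let's Encrypt's code, turns those two checks into something you can run against your own log before retrying. It parses the `urn:ietf:params:acme:error:connection` object win-acme printed and the `dig` ANSWER section quoted above (both embedded here as constructed sample input, copied from the thread), then cross-checks the address the CA tried against the DNS answer. The finding codes and their wording are my own, not anything the ACME protocol defines.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample inputs: the ACME error object and the dig ANSWER
# section quoted in the thread. Any other token or hostname parses the same way.
ACME_ERROR_JSON = (
    '{"type":"urn:ietf:params:acme:error:connection",'
    '"detail":"111.92.41.11: Fetching http://pacs.holycrosskottiyam.org'
    '/.well-known/acme-challenge/OK_M5-usD_Tc7R4Ucm4D6WtXrYOsdPUjKhHQyh40j0s:'
    ' Timeout during connect (likely firewall problem)",'
    '"status":400,"instance":null}'
)
DIG_ANSWER = """;; ANSWER SECTION:
pacs.holycrosskottiyam.org.\t0\tIN\tA\t111.92.41.11
pacs.holycrosskottiyam.org.\t0\tIN\tA\t61.1.182.60
"""

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Boulder's detail string: "<ip>: Fetching <url>: <reason>"
_DETAIL_RE = re.compile(r"^(?P<ip>.+?): Fetching (?P<url>\S+): (?P<reason>.+)$")


@dataclass
class ValidationFailure:
    ip: str       # address the CA's validator connected to
    url: str      # challenge URL it tried to fetch
    reason: str   # free-text cause reported by the CA


def parse_acme_error(raw: str):
    """Return a ValidationFailure for an ACME 'connection' error, else None."""
    obj = json.loads(raw)
    if obj.get("type") != "urn:ietf:params:acme:error:connection":
        return None
    match = _DETAIL_RE.match(obj.get("detail", ""))
    if match is None:
        return None
    return ValidationFailure(match["ip"], match["url"], match["reason"])


def parse_a_records(dig_output: str, name: str):
    """Collect A record targets for `name` from dig's ANSWER SECTION lines."""
    wanted = name.rstrip(".").lower()
    addrs = []
    for line in dig_output.splitlines():
        fields = line.split()   # owner, ttl, class, type, rdata
        if (len(fields) == 5 and fields[2] == "IN" and fields[3] == "A"
                and fields[0].rstrip(".").lower() == wanted):
            addrs.append(fields[4])
    return addrs


def diagnose(failure: ValidationFailure, a_records):
    """Map one failure plus the DNS answer to a list of (code, explanation)."""
    findings = []
    parts = urlsplit(failure.url)
    port = parts.port or (443 if parts.scheme == "https" else 80)

    if not parts.path.startswith(CHALLENGE_PREFIX):
        findings.append(("BAD_CHALLENGE_PATH",
                         f"unexpected path {parts.path}; the token must be served "
                         f"under {CHALLENGE_PREFIX}"))
    if parts.scheme != "http" or port != 80:
        findings.append(("NON_STANDARD_PORT",
                         "http-01 is fetched over plain HTTP on TCP 80; a site bound "
                         "to another port (5938 in the thread) is never consulted"))
    if "Timeout during connect" in failure.reason:
        findings.append(("CONNECT_TIMEOUT",
                         f"TCP {port} to {failure.ip} never completed a handshake: "
                         "inbound port blocked (host firewall, cloud security group, "
                         "geo-blocking) or nothing is listening there"))
    if failure.ip not in a_records:
        findings.append(("IP_NOT_IN_DNS",
                         f"validator used {failure.ip}, which is not among the A "
                         f"records {a_records}; check for stale DNS or a CNAME/proxy"))
    if len(a_records) > 1:
        findings.append(("MULTIPLE_A",
                         f"{len(a_records)} A records ({', '.join(a_records)}); the "
                         "validator may pick any of them, so every address must serve "
                         "the challenge, or trim DNS to the one public address"))
    return findings


def run_example():
    """Diagnose the thread's first failure against the thread's dig answer."""
    failure = parse_acme_error(ACME_ERROR_JSON)
    records = parse_a_records(DIG_ANSWER, urlsplit(failure.url).hostname)
    return diagnose(failure, records)


if __name__ == "__main__":
    for code, text in run_example():
        print(f"{code}: {text}")
```

On the thread's own data this reports CONNECT_TIMEOUT and MULTIPLE_A, which is exactly the pair of problems the two replies raise. Note that a connect timeout seen from the CA says nothing about what you see from your own LAN: the later posts in this thread show a site that loaded fine locally while a geo-blocking rule dropped every outside connection.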

Yes, we have 2 static IPs.

Please help me to validate based on below plugins
7: [dns] Create verification records with acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.)
8: [dns] Create verification records with your own script

We removed port no. 5938, pointed it to 80 and set it to a single static IP: 61.1.182.60.
Please help me to solve my issue.

What is the latest error message?

3 Likes

Same error which I shared before.

I can't connect to the name, nor IP, via HTTP.
Is there a web server listening?
If so, is there a firewall blocking?

2 Likes

pacs.holycrosskottiyam.org
check this

I did.

curl -Ii http://pacs.holycrosskottiyam.org/
curl -Ii 111.92.41.11

Both fail to connect.

1 Like

A simple Windows ACMEv2 client (WACS)
Software version 2.2.9.1701 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: N

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

1: Default Web Site (1 binding)

Site identifier(s) or to choose all: 1

1: pacs.holycrosskottiyam.org (Site 1)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick all bindings

Binding identifiers(s) or menu option: A

1: pacs.holycrosskottiyam.org (Site 1)

Continue with this selection? (y*/n) - yes

Source generated using plugin IIS: pacs.holycrosskottiyam.org

Plugin IIS generated source pacs.holycrosskottiyam.org with 1 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[pacs.holycrosskottiyam.org] Authorizing...
[pacs.holycrosskottiyam.org] Authorizing using http-01 validation (SelfHosting)
[pacs.holycrosskottiyam.org] Authorization result: invalid
[pacs.holycrosskottiyam.org] {"type":"urn:ietf:params:acme:error:connection","detail":"61.1.182.60: Fetching http://pacs.holycrosskottiyam.org/.well-known/acme-challenge/AF-IZkEPAltLj8MsiKtepErx2Gv_TLGPoEAn96GYE3Y: Timeout during connect (likely firewall problem)","status":400,"instance":null}
[pacs.holycrosskottiyam.org] Deactivating pending authorization

This is the error msg.

We can enter by http://pacs.holycrosskottiyam.org

I see the same problem.

You need to have a working HTTP site before HTTP authentication can be used to validate it.

2 Likes

Good for you.
But from my IP, not so good :(

Is there any Geo-Blocking in place?
Can you check the firewall logs?

3 Likes

What if you try that from the public internet? Like using a mobile phone with Wi-fi disabled

3 Likes

Is Pacs.holycrosskottiyam.org down? Live status and problems past 24 hours
Shows:

4 Likes

Please check now. Our firewall had one rule, India Access Only, and that one we removed.

2 Likes

Much better!:

curl -Ii http://pacs.holycrosskottiyam.org/.well-known/acme-challeng/Test_File-1234
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: MEDPACS
X-Powered-By: MEDPACS
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
content-security-policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'
strict-transport-security: max-age=31536000; includeSubDomains; preload
Date: Thu, 24 Oct 2024 13:26:49 GMT

4 Likes

SSL was created, but it shows not secure.