Create certificate for 2008R2 and the DefaultWebSite

I just want to create a certificate for my SBS2010 (which is a 2008R2) to access the Outlook-Web-Access.
My login is https://remote.mydomain.com/owa

What I did:

  • downloaded and extracted win-acme.v2.0.5.246.zip
  • ran cmd.exe as admin in the extracted folder
  • created C:\inetpub\wwwroot\.well-known\acme-challenge
  • put in the configcheck file
  • created a web.config with

Then I run wacs.exe:

  • M: create with adv. options
  • 4: Manually input host names
  • put in cname: remote.mydom.com
  • 5: [http-01] Save file on local or network path
  • entered: c:\inetpub\wwwroot
  • copy default web.config: no :)
  • 2: Standard RSA key pair
  • 2: Windows Certificate Store
  • 1: Create or update https bindings in IIS
  • 1: Default Web Site

and always end up with something like:

[WARN] First chance error calling into ACME server, retrying with new nonce…
[INFO] Authorize identifier: remote.mydom.com
[INFO] Authorizing remote.hobel.at using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://remote.mydom.com/.well-known/acme-challenge/1jGe-TbI4o3KVQNPqSbKUYsQEhtKbJgFWqZVGOusUg0
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://remote.mydom.com/.well-known/acme-challenge/1jGe-TbI4o3KVQNPqSbKUYsQEhtKbJgFWqZVGOusUg0: Connection refused",
"status": 400
}
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

I see the generated file for a second in the explorer.
If I manually put a file with this name into the folder, I can fetch it (so I do not get an HTTP 400 error).
I also tried to fetch this URL from outside, which also worked.

And now I just get:

[WARN] First chance error calling into ACME server, retrying with new nonce…
[EROR] AcmeProtocolException: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Also tried with method “4: http-01” -> same result
Also tried "N: Create new certificate" -> this won't offer me the Default Web Site

Any ideas how to fix this?

Hi @SchRobert

what's your domain name?

Is this an internal CNAME? The effective IP of remote.mydom.com must be the IP address of the server you run that tool on. If this is a CNAME that points to another server, you can't create a certificate (with http-01 validation).

So without your domain name it's impossible to check that.

"Connection refused" sounds like "There is a blocking firewall" or "no http configured".

You can create a certificate via dns-01 validation. But you have to create a DNS TXT record. If your DNS provider doesn't support an API, you have to redo that every 60 - 85 days.

I mean cname for "common name". In DNS there are just single A records for this name: one at the DNS server of the SBS itself, pointing to the private IP address, and another one at the public DNS server for the public IP address.

The certificate should only contain the name of the site (remote.mydom.com) and nothing about an IP address!?

Please answer the following questions. It’s the standard template of #help


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Ok, once more using the standard template:

My domain is: hobel.at
The Site-Name I need the certificate is: remote.hobel.at

I ran these commands:

  • downloaded and extracted win-acme.v2.0.5.246.zip

  • ran cmd.exe as admin in the extracted folder

  • created C:\inetpub\wwwroot\.well-known\acme-challenge

  • put in the configcheck file

  • created in this folder a web.config with:
    <configuration>
      <system.webServer>
        <validation validateIntegratedModeConfiguration="false" />
        <staticContent>
          <!-- <mimeMap fileExtension="." mimeType="text/json" /> -->
          <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
      </system.webServer>
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </configuration>

  • enabled port 80 on the firewall.

The server is running on a private ipv4 net and a single ip is forwarded to the server.

Now I can fetch http://remote.hobel.at/.well-known/acme-challenge/configcheck and get the content of the configcheck-file

Then I run wacs.exe:

  • M: create with adv. options
  • 4: Manually input host names
  • put in cname: remote.hobel.at
  • 5: [http-01] Save file on local or network path
  • entered: c:\inetpub\wwwroot
  • copy default web.config: no :)
  • 2: Standard RSA key pair
  • 2: Windows Certificate Store
  • 1: Create or update https bindings in IIS
  • 1: Default Web Site

It produced this output:
[WARN] First chance error calling into ACME server, retrying with new nonce…
[INFO] Authorize identifier: remote.mydom.com
[INFO] Authorizing remote.hobel.at using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://remote.hobel.at/.well-known/acme-challenge/1jGe-TbI4o3KVQNPqSbKUYsQEhtKbJgFWqZVGOusUg0
[INFO] Preliminary validation looks good, but ACME will be more thorough…
[EROR] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://remote.hobel.at/.well-known/acme-challenge/1jGe-TbI4o3KVQNPqSbKUYsQEhtKbJgFWqZVGOusUg0: Connection refused",
"status": 400
}
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

My web server is (include version): IIS 7.5

The operating system my web server runs on is (include version): SBS2011 (which is a 2008R2) - all updates installed

My hosting provider, if applicable, is: netplanet for the DNS, the SBS runs on-premise at the customer in a private network.

I can login to a root shell on my machine (yes or no, or I don't know): Of course, I run all the statements from a local cmd.exe

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Previously tried CertifyTheWeb, which threw a similar error.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not knowing anything about a certbot or another bot - I am human.
I'm just using win-acme.v2.0.5.246.zip

The DNS-Records are:

  • On the server itself (NS 127.0.0.1): a single A record to the private IP (v4)
  • From outside (NS dns1.netplanet.at): A single A-Record to the public IP (v4)

Maybe there is something in the web.config missing? The sample web.configs with '<mimeMap fileExtension=".*" mimeType="text/plain" />' did not work. Using 'text/plain' or 'text/json' did not change the returned error.

I could ask the provider if there is an API to use the dns-methods but I think there isn’t any API available.
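As an added example (my own code, not anything from this thread or from win-acme), here is a probe that fetches the challenge URL the way the CA's validator does: it connects to an explicit IPv4 address, sends the Host header of the name being validated, and tells "connection refused" (nothing reachable on port 80 at that address) apart from a 404 (port reachable, file missing) and from a 200 with the wrong body. The hostname remote.example.com, the token and the key-authorization string in the demo are constructed placeholders; for a real challenge the expected body is the content the ACME client writes into the token file.

```python
"""http-01 readiness probe: fetch the challenge URL like a CA validator would.

Added example, not code from the thread or from win-acme. Sample hostnames,
tokens and key authorizations below are constructed placeholders.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def local_a_records(name):
    """A records as this machine's resolver returns them. Run on the SBS itself,
    a split-horizon zone yields the private address, not the public one a CA sees."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(host, ip, token, expected_body=None, port=80, timeout=5.0):
    """GET http://<ip>:<port>/.well-known/acme-challenge/<token> with 'Host: <host>'.

    Returns (verdict, detail); verdict is one of: ok, wrong-content, redirect,
    http-<status>, refused, timeout, error."""
    path = CHALLENGE_PREFIX + token
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "http01-probe/0.1"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    except ConnectionRefusedError:
        return "refused", "%s:%d refused the TCP connection (no listener, or a firewall/NAT reject)" % (ip, port)
    except socket.timeout:
        return "timeout", "no answer from %s:%d within %.0fs (packets dropped?)" % (ip, port, timeout)
    except OSError as exc:
        return "error", str(exc)
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        return "redirect", "HTTP %d -> %s" % (resp.status, resp.getheader("Location"))
    if resp.status != 200:
        return "http-%d" % resp.status, "HTTP %d for %s" % (resp.status, path)
    if expected_body is not None and body.strip() != expected_body.strip():
        return "wrong-content", "got %r, expected %r" % (body[:80], expected_body[:80])
    return "ok", "HTTP 200 with the expected key authorization"


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the IIS webroot: answers only the configured URLs."""
    responses = {}

    def do_GET(self):
        body = self.responses.get(self.path)
        if body is None:
            self.send_error(404, "Not Found")
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def serve_challenge(token, key_authorization):
    """Start a throwaway HTTP server on 127.0.0.1 serving one challenge file.
    Returns (server, port); call server.shutdown() when finished."""
    _ChallengeHandler.responses = {CHALLENGE_PREFIX + token: key_authorization}
    server = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """A TCP port on 127.0.0.1 with nothing listening, to show the 'refused' verdict."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample values; a real run uses the token printed by the ACME
    # client and the server's public address, from a host outside the LAN.
    token = "sample-token-not-a-real-challenge"
    key_auth = token + ".sample-account-thumbprint"
    server, port = serve_challenge(token, key_auth)
    try:
        cases = [
            ("remote.example.com", "127.0.0.1", port, token, key_auth),           # ok
            ("remote.example.com", "127.0.0.1", port, "other-token", None),       # http-404
            ("remote.example.com", "127.0.0.1", port, token, "stale-content"),    # wrong-content
            ("remote.example.com", "127.0.0.1", closed_port(), token, key_auth),  # refused
        ]
        for host, ip, p, tok, expect in cases:
            print(tok, "->", probe(host, ip, tok, expect, port=p))
    finally:
        server.shutdown()
```

Run it from a host outside the customer's network, or at least pass the public address explicitly: local_a_records() on the SBS returns the private address from the internal zone, so a fetch that works on the LAN says nothing about the port-80 forward. probe("remote.hobel.at", "<public IP>", "<token from the wacs log>") reproduces the check in the log; a "refused" verdict points at the port forward or firewall, "http-404" at the webroot path or the file disappearing before validation, and "wrong-content" at a stale file.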

Sorry, I wanted to fill in the template but I cannot save
=> "content is too similar"

I also cannot alter the initial post
I also cannot delete the initial post

So I can only answer with multiple posts:


That's interesting.

You have created a correct configuration file to allow files without extensions.

And your test file works.

Extensionless File Config Test - OK

Checking your

http://remote.hobel.at/.well-known/acme-challenge/1jGe-TbI4o3KVQNPqSbKUYsQEhtKbJgFWqZVGOusUg0

there is the correct http status 404 - not found. But no connection refused - error.

Checking your domain there is no problem visible ( https://check-your-website.server-daten.de/?q=remote.hobel.at ):

Domainname                                                 IP            Http-Status  redirect                                                  Sec.   G
http://remote.hobel.at/                                    80.64.140.82  302          HTTPS://remote.hobel.at/remote                            0.676  A
https://remote.hobel.at/                                   80.64.140.82  302          HTTPS://remote.hobel.at/remote                            0.380  N
    Certificate error: RemoteCertificateChainErrors
HTTPS://remote.hobel.at/remote                                           302          https://remote.hobel.at/Remote/logon?ReturnUrl=%2Fremote  2.486  N
    Certificate error: RemoteCertificateChainErrors
https://remote.hobel.at/Remote/logon?ReturnUrl=%2Fremote                 200                                                                    1.400  N
    Certificate error: RemoteCertificateChainErrors
http://remote.hobel.at/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                                           80.64.140.82  404                                                                    0.083  A
    Not Found
    Visible Content: Server error 404 - File or directory not found. The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

No redirect http -> https in /.well-known/, the expected http status 404 - not found. And there are no older certificates, so it's your first certificate with that server.

Is there something like a bot detection that blocks?

hobel.at has a different IP address - 195.95.163.21.

Which IP address does your client use?

The web server has still the old self-signed certificate - which I want to replace now.

So any https/certificate checks are useless.

Other *.hobel.at names have different IP addresses (I'm using different internet connections for mail, and www.hobel.at is located at the ISP).

(I just republished a bunch of posts that were incorrectly marked as spam - sorry for the duplicates)

But now it’s a problem of your client (and I don’t use that client).

The test file works.

But if the client creates a file, Letsencrypt doesn’t see that file.

Are there additional debug options? Or a better log?

What do you mean with “my client”?

The "wacs.exe" tool? Or my IIS? Or is there someone else running something like a "client"???

That's your Letsencrypt client.

So you mean Let's Encrypt itself is doing something wrong… fine.
What does this mean: win-acme.v2.0.5.246 is not compatible with IIS 7.5 and Server 2008R2?

Does anyone know a tool which is working with Server 2008R2, or maybe an older version of wacs?