Error 403 - Creating a new certificate

Good afternoon,
We need to create a new certificate on a server, we use ACME, and we get error 403.

I don't know if it could be a problem with port 443 (?)

I can read responses in English (yes or no): Yes
My domain is: promo-soft.eu
I ran this command: WACS (ACMEc2 client)
It produced this output: "acme:error:unauthorized","detail":"During secondary validation".
My web server is (include version):

The operating system my web server runs on is (include version): Windows Server 2019 (version 1809) - IIS (Version 10.0.17763.1)
I can login to a root shell on my machine (yes, no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no (I think...)
The version of my client is: Acme 2.2.9.1701

Thank you very much! :slight_smile:

1 Like

Can you please post the rest of the error message? That looks like it's just the first part.

Just looking at the domain name, DNSViz doesn't like something about how DNSSEC is set up for the domain, but I don't actually know how to interpret what it's saying or if it's actually the problem you're running into:

https://dnsviz.net/d/promo-soft.eu/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

3 Likes

It produced this output: "acme:error:unauthorized","detail":"During secondary validation".

Please see

It could be something else, but "During secondary validation" is this most of the time.

3 Likes

Hi @petercooperjr,
The full message is:

"Source generated using plugin IIS: backupvcc.promo-soft.eu
Plugin IIS generated source backupvcc.promo-soft.eu with 1 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[backupvcc.promo-soft.eu] Authorizing...
[backupvcc.promo-soft.eu] Authorizing using http-01 validation (SelfHosting)
[backupvcc.promo-soft.eu] Authorization result: invalid
[backupvcc.promo-soft.eu] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"During secondary validation: XXX.XXX.XXX.XXX: Invalid response from http://backupvcc.promo-soft.eu/.well-known/acme-challenge/gkD6d_HpPN4kXjsK2zUY6F_g9bkK6WRPq-F_rn-C0sY: 403","status":403,"instance":null}
[backupvcc.promo-soft.eu] Deactivating pending authorization"

Thanks.

Jordi.

1 Like

Hi @schoen,
Honestly, I have reviewed what you have indicated, but I don't know where to start.
Any ideas? :sweat_smile:
Thank you!
Jordi.

1 Like

So that server backupvcc.promo-soft.eu seems to be returning a 403 forbidden error from many places around the world. There is probably some sort of firewall blocking those connections. So Let's Encrypt can't confirm that you control that name.

4 Likes

Hi @petercooperjr,
Is it possible that I need to add port 443 as Binding in my IIS?
When I try to add it, it tells me that there is another application that uses it and it won't let me add it.
Any ideas ?
Thank you so much!!!

1 Like

It's been a couple of decades since I last worked on configuring IIS, so I don't think I personally can give you advice in that regard, though there are some Windows server experts on this forum so someone else might be able to help.

But I tend to doubt that it's an IIS setting, since it looks like it's working from some locations. It's probably some sort of firewall or "network protection" which is blocking Let's Encrypt amongst other things that it's blocking.

3 Likes

Hi @petercooperjr,
I have reviewed the server and network FW, and I see that the rules are well created towards port 80.
Thank you very much for your help.
Any ideas, anyone? :slight_smile:
Jordi.

1 Like

What's happening is:

  • your firewall is blocking some countries from accessing your server over HTTP (TCP port 80); this is causing "secondary" validation to fail
  • when you just try to access the challenge URL while win-acme is not running, IIS responds; if win-acme were running, it would respond instead.

3 Likes
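To make the two points above (and the earlier observation that the host returns 403 from many places around the world) concrete, here is an added example that is not part of the thread or of win-acme: a minimal http-01 challenge responder of the kind win-acme's SelfHosting plugin runs on port 80, a simulated perimeter firewall that answers 403 to geo-blocked sources, and a simplified validator that checks the challenge URL from a primary and several secondary vantage points and fails the whole authorization if any one of them cannot fetch the key authorization. The account JWK, the vantage-point IPs and countries, the `X-Simulated-Country` header (standing in for the real firewall's source-IP lookup) and the `ZZ` block-list entry are all constructed for the demo; the token is the one from the log posted above, and the key-authorization construction follows RFC 8555 section 8.1 with the RFC 7638 JWK thumbprint.

```python
import base64
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed placeholder JWK for the ACME account key (not a real key); it only
# exists so the thumbprint arithmetic can be shown offline.
ACCOUNT_JWK = {"kty": "RSA", "n": "sample-modulus-base64url", "e": "AQAB"}
TOKEN = "gkD6d_HpPN4kXjsK2zUY6F_g9bkK6WRPq-F_rn-C0sY"  # token from the posted log
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed stand-in for the firewall's "threat prevention" geo-block list.
BLOCKED_COUNTRIES = {"ZZ"}

# Constructed vantage points: (label, country, ip). The real CA uses its own set;
# the rule that matters is "any failing vantage point fails the authorization".
VANTAGE_POINTS = [
    ("primary", "AA", "192.0.2.10"),
    ("secondary-1", "BB", "198.51.100.20"),
    ("secondary-2", "ZZ", "203.0.113.30"),
]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, keys sorted, no whitespace, SHA-256.
    members = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: the exact body the CA expects at the challenge URL.
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Plays the role of win-acme's SelfHosting listener on port 80."""

    def do_GET(self):
        # Simulated perimeter firewall: geo-blocked sources get 403 before the
        # request ever reaches the challenge responder.
        if self.headers.get("X-Simulated-Country") in BLOCKED_COUNTRIES:
            self.send_error(403)
            return
        if self.path != CHALLENGE_PREFIX + TOKEN:
            self.send_error(404)
            return
        body = key_authorization(TOKEN, ACCOUNT_JWK).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(url: str, country: str):
    req = Request(url, headers={"X-Simulated-Country": country})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.getcode(), resp.read().decode(errors="replace")
    except HTTPError as e:
        return e.code, ""


def validate_http01(base_url: str, vantage_points=VANTAGE_POINTS) -> dict:
    """Simplified CA-side check: every vantage point must see the key authorization."""
    url = f"{base_url}{CHALLENGE_PREFIX}{TOKEN}"
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    for label, country, ip in vantage_points:
        status, body = fetch(url, country)
        if status != 200 or body.strip() != expected:
            phase = "" if label == "primary" else "During secondary validation: "
            return {"status": "invalid",
                    "type": "urn:ietf:params:acme:error:unauthorized",
                    "detail": f"{phase}{ip}: Invalid response from {url}: {status}"}
    return {"status": "valid"}


def run_demo():
    """Returns (result with the geo-block in place, result after removing it)."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        BLOCKED_COUNTRIES.add("ZZ")          # firewall rule in place
        before = validate_http01(base)
        BLOCKED_COUNTRIES.clear()            # the fix: stop blocking the CA's sources
        after = validate_http01(base)
        return before, after
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for result in run_demo():
        print(json.dumps(result))
```

Run it and the first result reproduces the shape of the error in the log (`During secondary validation: <ip>: Invalid response from ...: 403`) even though the primary vantage point succeeded; the second, with the block list emptied, is `valid`. The practical check this suggests is the same one the thread converges on: fetching the challenge URL from your own network proves nothing, because your own source address is never on the block list.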

@Promosoft here is the error your server or firewall returns when a blocked country tries to access your site:

4 Likes

@webprofusion The issue is solved... the problem was the Threat Prevention of the firewall.

I have already been able to generate/renew the certificate.
Thank you very much for your help!
Jordi.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.