Error creating certificate with win-acme

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.pegnosicuro.it [46.37.26.119]

I ran this command:
```
C:\win-acme.v2.1.11.917.x64.pluggable>wacs --target manual --host www.pegnosicuro.it --validation filesystem --webroot "x:\pegnosicuro.it" --store pemfiles --pemfilespath "C:\xampp\apache\certs" --script "c:\EarScript\ApacheRestart.bat" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --emailaddress web@earinformatica.it --verbose
```

It produced this output:

```
[VERB] Verbose mode logging enabled
[VERB] Looking for settings.json in C:\win-acme.v2.1.11.917.x64.pluggable
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[VERB] Arguments: --target manual --host www.pegnosicuro.it --validation filesystem --webroot x:\pegnosicuro.it --store pemfiles --pemfilespath C:\xampp\apache\certs --script c:\EarScript\ApacheRestart.bat --scriptparameters '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}' --emailaddress web@earinformatica.it --verbose
[WARN] Found 2 files older than 120 days in cache path 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates'
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.11.917 (RELEASE, PLUGGABLE, 64-bit)
[INFO] ACME server https://acme-v02.api.letsencrypt.org/
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[INFO] IIS not detected
[INFO] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Test for international support: ?? ???? ???
[INFO] Running in mode: Unattended
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[INFO] Target generated using plugin Manual: www.pegnosicuro.it

[VERB] Targeted convert into 1 order(s)
[VERB] Checking [Manual] www.pegnosicuro.it
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["www.pegnosicuro.it"]
[VERB] Loading ACME account signer...
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[VERB] Loading ACME account
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] ACME client initialized
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/99081561/211199514706 created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/268423979456
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [www.pegnosicuro.it] Authorizing...
[VERB] [www.pegnosicuro.it] Initial authorization status: pending
[VERB] [www.pegnosicuro.it] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [www.pegnosicuro.it] Initial challenge status: pending
[INFO] [www.pegnosicuro.it] Authorizing using http-01 validation (FileSystem)
[VERB] Writing file to x:\pegnosicuro.it.well-known\acme-challenge\8rmMeRV_c7GnJe04eGC51M3BoBh-FDHtW9b2yx22hz4
[INFO] Answer should now be browsable at http://www.pegnosicuro.it/.well-known/acme-challenge/8rmMeRV_c7GnJe04eGC51M3BoBh-FDHtW9b2yx22hz4
[DBUG] Send GET request to http://www.pegnosicuro.it/.well-known/acme-challenge/8rmMeRV_c7GnJe04eGC51M3BoBh-FDHtW9b2yx22hz4
[VERB] Request completed with status Forbidden
[WARN] Preliminary validation failed, the server answered '(null)' instead of '8rmMeRV_c7GnJe04eGC51M3BoBh-FDHtW9b2yx22hz4.7NFwJwnihjG2lKBX7RPhpgNtyjxt8ziZGMnBuQpfON4'. The ACME server might have a different perspective
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [www.pegnosicuro.it] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/268423979456/61caJg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/268423979456/61caJg
[VERB] Request completed with status OK
[EROR] [www.pegnosicuro.it] Authorization result: invalid
[EROR] [www.pegnosicuro.it] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "46.37.26.119: Invalid response from http://www.pegnosicuro.it/.well-known/acme-challenge/8rmMeRV_c7GnJe04eGC51M3BoBh-FDHtW9b2yx22hz4: 403",
"status": 403
}
[VERB] Starting post-validation cleanup
[DBUG] Deleting files
[VERB] Deleting file x:\pegnosicuro.it.well-known\acme-challenge\8rmMeRV_c7GnJe04eGC51M3BoBh-FDHtW9b2yx22hz4
[DBUG] Deleting empty folders
[VERB] Deleting folder x:\pegnosicuro.it.well-known\acme-challenge
[VERB] Deleting folder x:\pegnosicuro.it.well-known
[VERB] Post-validation cleanup was succesful
[EROR] Create certificate failed: [www.pegnosicuro.it] Validation failed
[VERB] Exiting with status code -1
```

My web server is (include version):
Apache2.4

The operating system my web server runs on is (include version):
Win Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @DavideAmelio, and welcome to the LE community forum :slight_smile:

Ensure the ACME challenge path and file are reachable without authentication.

2 Likes

Thanks for the reply.

It must be, because in the same folder (for another domain alias) I already generated a certificate, and it works.

1 Like

But the error message says "unauthorized 403" = "requires authentication".

3 Likes

Here is the vhost conf.
The folder seems to have permissions.

```
<VirtualHost *:80>
ServerName www.pegnosicuro.it
# ServerAlias www.pegnosicuro.it
ServerAlias www.pegnosicuro.it
ServerAdmin web@earinformatica.it
DocumentRoot "X:/ilpegnosicuro.it/"
ErrorLog "logs/pegnosicuro.it-error.log"
CustomLog "logs/pegnosicuro.it-access.log" common

# RewriteEngine on
# RewriteCond %{SERVER_NAME} =pegnosicuro.it
# #RewriteCond %{SERVER_NAME} =pegnosicuro.it [OR]
# #RewriteCond %{SERVER_NAME} =www.pegnosicuro.it
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

# RewriteCond %{HTTPS} off
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# SSLEngine on
# SSLCertificateFile "${CERTROOT}/www.pegnosicuro.it-crt.pem"
# SSLCertificateKeyFile "${CERTROOT}/www.pegnosicuro.it-key.pem"
# SSLCertificateChainFile "${CERTROOT}/www.pegnosicuro.it-chain.pem"

<Directory "X:/ilpegnosicuro.it/">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order Deny,Allow
Allow from all
Require all granted
</Directory>
</VirtualHost>
```

Since we are dealing with Apache, please show the output of:
```
httpd.exe -t -D DUMP_VHOSTS
```

2 Likes

That is redundant.

2 Likes

Why so much replication?

```
port 80 namevhost www.ilpegnosicuro.it (C:/xampp/apache/conf/extra/httpd-vhosts.conf:195)
            alias www.ilpegnosicuro.it
port 80 namevhost www.pegnosicuro.it (C:/xampp/apache/conf/extra/httpd-vhosts.conf:231)
            alias www.pegnosicuro.it
            alias pegnosicuro.it
port 80 namevhost www.ilpegnosicuro.com (C:/xampp/apache/conf/extra/httpd-vhosts.conf:301)
            alias www.ilpegnosicuro.com
port 443 namevhost www.ilpegnosicuro.it (C:/xampp/apache/conf/extra/httpd-vhosts.conf:195)
             alias www.ilpegnosicuro.it
port 443 namevhost www.ilpegnosicuro.com (C:/xampp/apache/conf/extra/httpd-vhosts.conf:301)
             alias www.ilpegnosicuro.com
```

Please show this file:

Note: almost all the aliases are redundant

3 Likes

As I already sent:

Note the second one (pegnosicuro.it) is an alias of the first one (ilpegnosicuro.it); at the moment it is only on port 80 in order to generate the certificate. The first one worked in the past.

```
<VirtualHost *:80 *:443>
ServerName www.ilpegnosicuro.it
ServerAlias www.ilpegnosicuro.it
ServerAdmin web@earinformatica.it
DocumentRoot "X:/ilpegnosicuro.it/"
ErrorLog "logs/ilpegnosicuro.it-error.log"
CustomLog "logs/ilpegnosicuro.it-access.log" common

RewriteEngine on
RewriteCond %{SERVER_NAME} =ilpegnosicuro.it
#RewriteCond %{SERVER_NAME} =ilpegnosicuro.it [OR]
#RewriteCond %{SERVER_NAME} =www.ilpegnosicuro.it
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

#RewriteCond %{HTTP_HOST} !^www\.
#RewriteRule ^\/?(.*)$ https://www.ilpegnosicuro.it/$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

SSLEngine on
SSLCertificateFile "${CERTROOT}/www.ilpegnosicuro.it-crt.pem"
SSLCertificateKeyFile "${CERTROOT}/www.ilpegnosicuro.it-key.pem"
SSLCertificateChainFile "${CERTROOT}/www.ilpegnosicuro.it-chain.pem"

<Directory "X:/ilpegnosicuro.it/">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order Deny,Allow
Allow from all
Require all granted
</Directory>
</VirtualHost>

#<VirtualHost *:80 *:443>
<VirtualHost *:80>
ServerName www.pegnosicuro.it
ServerAlias www.pegnosicuro.it pegnosicuro.it
# ServerAlias www.pegnosicuro.it
ServerAdmin web@earinformatica.it
DocumentRoot "X:/ilpegnosicuro.it/"
ErrorLog "logs/pegnosicuro.it-error.log"
CustomLog "logs/pegnosicuro.it-access.log" common

# RewriteEngine on
# RewriteCond %{SERVER_NAME} =pegnosicuro.it
# #RewriteCond %{SERVER_NAME} =pegnosicuro.it [OR]
# #RewriteCond %{SERVER_NAME} =www.pegnosicuro.it
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

# RewriteCond %{HTTPS} off
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# SSLEngine on
# SSLCertificateFile "${CERTROOT}/www.pegnosicuro.it-crt.pem"
# SSLCertificateKeyFile "${CERTROOT}/www.pegnosicuro.it-key.pem"
# SSLCertificateChainFile "${CERTROOT}/www.pegnosicuro.it-chain.pem"

<Directory "X:/ilpegnosicuro.it/">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order Deny,Allow
Allow from all
Require all granted
</Directory>
</VirtualHost>
```

This is a nightmare:

Change that one to:

```
<VirtualHost *:443>
```

4 Likes

Aliasing a name with the same name adds nothing.

Normally, that is:

```
ServerName      example.com
ServerAlias www.example.com
```

OR

```
ServerName  www.example.com
ServerAlias     example.com
```

3 Likes

Now it is only `<VirtualHost *:80>`, to let Let's Encrypt open the page and check the certificate.

```
ServerName www.ilpegnosicuro.it
ServerAlias ilpegnosicuro.it
```

Corrected.

I read this in the log:

```
[WARN] Found 2 files older than 120 days in cache path 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates'
[DBUG] Renewal period: 55 days
```

Could this be the problem?

SOLVED!!
My fault (of course): the path for the folder was wrongly mounted (Y: instead of X:).

Many, many thanks for your support and patience, Rudy!

2 Likes
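The thread ended with a webroot that did not point at the folder Apache was serving. As an added example (not part of the original thread, and not win-acme's or Apache's own code), this Python sketch parses a vhost file, finds the port-80 vhost that answers for a host name, and compares its `DocumentRoot` with the `--webroot` given to the ACME client. The function names are hypothetical and the embedded config is trimmed from the one posted above; the comparison is string-level only and does not resolve mapped drives or junctions.

```python
import ntpath
import re

# Constructed sample, trimmed from the vhost file posted in this thread.
SAMPLE_VHOSTS = '''
<VirtualHost *:80 *:443>
ServerName www.ilpegnosicuro.it
DocumentRoot "X:/ilpegnosicuro.it/"
</VirtualHost>
#<VirtualHost *:80 *:443>
<VirtualHost *:80>
ServerName www.pegnosicuro.it
ServerAlias www.pegnosicuro.it pegnosicuro.it
DocumentRoot "X:/ilpegnosicuro.it/"
</VirtualHost>
'''

def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost>: addresses, names, docroot."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache comments take a whole line
        opening = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opening:
            current = {"addresses": opening.group(1).split(), "names": [], "docroot": None}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and len(line.split(None, 1)) == 2:
            directive, value = line.split(None, 1)
            if directive.lower() in ("servername", "serveralias"):
                current["names"] += value.lower().split()
            elif directive.lower() == "documentroot":
                current["docroot"] = value.strip().strip('"')
    return vhosts

def norm(path):
    """Normalise a Windows path: case, slash direction, trailing separator."""
    return ntpath.normcase(ntpath.normpath(path))

def check_webroot(conf_text, host, webroot, port="80"):
    """Return (matches, docroot) for the vhost answering host on port."""
    for vh in parse_vhosts(conf_text):
        on_port = any(a.rsplit(":", 1)[-1] in (port, "*") for a in vh["addresses"])
        if on_port and host.lower() in vh["names"]:
            docroot = vh["docroot"]
            return docroot is not None and norm(docroot) == norm(webroot), docroot
    return False, None  # no name match; Apache would use its default vhost
```

A `False` result means the challenge file would be written somewhere other than the folder Apache serves for that host, so the path and the drive mapping are the first things to check.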
