Failed authorization on windows using letsencrypt-win-simple

I’m trying to generate and install a certificate on Windows Server 2012 R2. However, I keep getting fails.

Note:

  1. The server is in China and doesn’t have IPV6 enabled (the host doesn’t support it)
  2. I’ve opened a thread on the letsencrypt-win-simple github - https://github.com/Lone-Coder/letsencrypt-win-simple/issues/541 but would like further insight into this issue from LE directly too.
  3. I tried and failed so many times that I got the temp ban for the domain.
  4. I’ve used this service successfully on a few other non-chinese servers, so I at least know what a good result should be!
  5. When the script is attempting authorization, I can immediately view the file from a browser anywhere else on the planet.
  6. I can ping outbound1.letsencrypt.org from the Chinese server
  7. Port 80 is open to the world.

Here are the results of the latest run:

C:\Users\Fred>C:\_scripts\letsencrypt-win-simple.V1.9.3\letsencrypt.exe --test
The global logger has been configured
Let’s Encrypt (Simple Windows ACME Client)
Renewal Period: 3650
Certificate Store: WebHosting
ACME Server: https://acme-staging.api.letsencrypt.org/
Config Folder: C:\Users\Fred\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org
Certificate Folder: C:\Users\Fred\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org
Loading Signer from C:\Users\Fred\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\Signer
Getting AcmeServerDirectory
Loading Registration from C:\Users\Fred\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\Registration
Scanning IIS Site Bindings for Hosts
1: IIS demoDOTwebportglobalDOTcn (C:\_websites\demoDOTwebportglobalDOTcn)
2: IIS mergeDOTwebportglobalDOTcn (C:\_websites\emptysite)
3: IIS wwwDOTwebportglobalDOTcn (C:\_websites\wwwDOTwebportglobalDOTcn)

W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
A: Get certificates for all hosts
Q: Quit
Choose from one of the menu options above: 2
Authorizing Identifier mergeDOTwebportglobalDOTcn Using Challenge Type http-01
Writing challenge answer to C:\_websites\emptysite\.well-known/acme-challenge/2EPm_Uv9OdignbAVIIv9qm-SNq0bFTGpOYGtTvWQElc
Writing web.config to add extensionless mime type to C:\_websites\emptysite\.well-known\acme-challenge\web.config
Answer should now be browsable at http://mergeDOTwebportglobalDOTcn/.well-known/acme-challenge/2EPm_Uv9OdignbAVIIv9qm-SNq0bFTGpOYGtTvWQElc
Submitting answer
Refreshing authorization
Refreshing authorization
Refreshing authorization
Refreshing authorization
Refreshing authorization
Refreshing authorization
Refreshing authorization
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid

The ACME server was probably unable to reach http://mergeDOTwebportglobalDOTcn/.well-known/acme-challenge/2EPm_Uv9OdignbAVIIv9qm-SNq0bFTGpOYGtTvWQElc

Check in a browser to see if the answer file is being served correctly.
Authorize failed: This could be caused by IIS not being setup to handle extensionless static files. Here’s how to fix that:
1. In IIS manager goto Site/ Server->Handler Mappings->View Ordered List
2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings. (like this http://i.stack.imgur.com/nkvrL.png)
3. If you need to make changes to your web.config file, update the one at C:\_scripts\letsencrypt-win-simple.V1.9.3\web_config.xml

Press enter to continue.

So I’m trying to figure out a way to either get this to work by verifying over IPv4 (they say the service should automatically fail over to IPv4 if IPv6 isn’t available) OR get the DNS challenge to work. Certbot uses the '--preferred-challenges=dns' parameter, but I cannot find an equivalent command for letsencrypt-win-simple.

needs IPV4: Failed authorization on windows
service should failover gracefully: https://community.letsencrypt.org/t/certbot-ipv6-not-configured-and-challenges-fail-ipv6-preferred/34645/4
Manual DNS challenge: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

Hi @lanceosaurus,

Seems the problem is Let’s Encrypt trying to resolve CAA records for your domain.

$ dig @a.dnspod.com merge.webportglobal.cn caa

; <<>> DiG 9.11.1 <<>> @a.dnspod.com merge.webportglobal.cn caa
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Let’s Encrypt MUST receive a response from your DNS servers when it requests a CAA record. You don’t need a CAA record defined, but your DNS servers MUST provide a valid answer.

In a few days (8th September) this CAA check will be mandatory for all Certificate Authorities.

I don’t know if the problem is dnspod itself or the Great Firewall, but if you search for dnspod in this forum you will see too many issues with dnspod DNS servers.

I don’t know if you can change the DNS provider but if you can you could try for example cloudflare, it is free and reliable.

Good luck,
sahsanu
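The check sahsanu ran with dig, as an added example that is not part of the original thread: a small Python script that sends a raw CAA (type 257) query to a given nameserver and then interprets the outcome the way a CA's CAA check would. The only network call is one UDP query on port 53 with a timeout (no TCP fallback and no climbing to the parent label; both are assumptions and simplifications, noted in the code). The domain and server name in the `__main__` block are the ones quoted in the thread; `build_caa_response` only exists to construct replies offline so the classifier can be exercised without network access.

```python
import socket
import struct

TYPE_CAA = 257          # RR type for CAA (RFC 6844)
CLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_caa_query(name, txid=0x1234):
    """Standard query with RD set, one question of type CAA / class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_CAA, CLASS_IN)


def _read_name(data, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(data):
    """Return rcode name and the CAA records found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                             # skip the question
        _, off = _read_name(data, off)
        off += 4
    caa = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_CAA:                       # rdata = flags, taglen, tag, value
            taglen = rdata[1]
            caa.append((rdata[0], rdata[2:2 + taglen].decode("ascii"),
                        rdata[2 + taglen:].decode("ascii")))
    return {"txid": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "caa": caa}


def classify(resp, ca_domain="letsencrypt.org"):
    """Interpret one lookup as a CA would. Simplification: the critical flag on
    unknown tags and the walk up to the parent label are not implemented."""
    if resp is None:
        return "FAIL: no answer (timeout); CA cannot complete the CAA check"
    if resp["rcode"] in ("SERVFAIL", "REFUSED", "FORMERR"):
        return "FAIL: %s; CA cannot complete the CAA check" % resp["rcode"]
    if not resp["caa"]:
        return "OK: %s with no CAA records here; CA climbs to the parent label" % resp["rcode"]
    issuers = [v.split(";")[0].strip() for _f, t, v in resp["caa"] if t in ("issue", "issuewild")]
    if ca_domain in issuers:
        return "OK: CAA permits %s" % ca_domain
    return "FAIL: CAA present but does not list %s" % ca_domain


def probe_caa(name, server, timeout=5.0):
    """Send one UDP CAA query to `server`; return parsed reply or None on timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_caa_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_response(data)


def build_caa_response(query, rcode, records):
    """Constructed reply for offline use; records = [(flags, tag, value), ...]."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 1 + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    body = b""
    for flags, tag, value in records:
        rdata = bytes([flags, len(tag)]) + tag.encode() + value.encode()
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CAA, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + body


if __name__ == "__main__":
    # Live check against the nameserver named in the thread (needs network access).
    print("a.dnspod.com:", classify(probe_caa("merge.webportglobal.cn", "a.dnspod.com")))
```

A timeout or SERVFAIL from every authoritative server is the failure mode in this thread; an empty NOERROR answer is fine, because the CA then simply has no CAA policy to enforce at that label.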

Thanks @sahsanu! I’ve just sent a support request to DnsPod; hopefully they’ll give me a way to enter a CAA record or at least respond properly to an inquiry.

If they don’t respond/can’t/won’t, then I’ll take up your advice for Cloudflare!

Cheers!


I waited all weekend for a reply from DNSPod about their CAA support. No reply. So I took @sahsanu's advice and opened up a free Cloudflare DNS account. It worked perfectly after propagation, which only took about 5 min.
