Generate certificate troubleshooting .NET

Hello, I'm trying to get my own certificate using the .NET Certes library.
I have created an ASP.NET project with console support and deployed it on AWS.
1. I executed the CreatingACME function and got a PEM key.
2. Logged into the account using my PEM.
3. Generated a token and dnsTxt for my subdomain (peer.littlemozzarella.com).
4. Then I added a DNS record to my domain: TYPE = TXT, NAME = _acme-challenge.peer, DATA = dnstxt value.
5. Got the key authorization and saved it to a file.
6. Added the token to http://your.domain.name/.well-known/acme-challenge/ and checked that everything is working.
7. Executed challenge.Validate(); and got:
Valid
Validated :04/01/2024 15:01:44 +00:00

8. Then I executed order.Generate and here I struggled: I got "One or more errors occurred. (Can not finalize order with status 'Valid'.)"
I have already checked that I have only one auth context.

Hello @littlemozzarella, welcome to the Let's Encrypt community. :slightly_smiling_face:

That would be for the DNS-01 challenge of the Challenge Types - Let's Encrypt.

That would be for the HTTP-01 challenge of the Challenge Types - Let's Encrypt.

What Challenge Type are you using?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

With steps 5 and 6 you're, as Bruce is also noticing, mixing up two separate challenges. You don't need to do any of the _acme-challenge TXT DNS stuff to get your key authorization to use with the http-01 challenge.

Also, when trying to get help with a programming issue, it's usually helpful (or even required on some fora) to have some standalone proof of concept of the code you're working with. I.e.: it should do everything for the task at hand, but nothing more than that.

3 Likes

Ports 80 & 443 are filtered, thus you have a firewall or router blocking the Internet from seeing your site; if it is what you want then your only choice is to use the DNS-01 Challenge.

$ nmap -Pn -p80,443 peer.littlemozzarella.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-01 15:56 PDT
Nmap scan report for peer.littlemozzarella.com (13.51.46.167)
Host is up.
rDNS record for 13.51.46.167: ec2-13-51-46-167.eu-north-1.compute.amazonaws.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds

Edit: this is also shown by the online tool Let's Debug yielding these results https://letsdebug.net/peer.littlemozzarella.com/1854075

ANotWorking
ERROR
peer.littlemozzarella.com has an A (IPv4) record (13.51.46.167) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with peer.littlemozzarella.com/13.51.46.167: Get "http://peer.littlemozzarella.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://peer.littlemozzarella.com/.well-known/acme-challenge/letsdebug-test (using initial IP 13.51.46.167)
@0ms: Dialing 13.51.46.167
@10001ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
ERROR
A test authorization for peer.littlemozzarella.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
13.51.46.167: Fetching http://peer.littlemozzarella.com/.well-known/acme-challenge/efEOBXdBF9OKZ8mkLEdcmg7JYVF1gXDr_JudwtNftKk: Timeout during connect (likely firewall problem)

Best Practice - Keep Port 80 Open

2 Likes

Okay, now it's clearer. So I have to use the DNS-01 challenge. The HTTP challenge I must turn off.

Correct; choose only 1. :slight_smile:

Yes! :slight_smile:

1 Like

Or, if you can open port 80, the other way around.

Also, the error you were (are?) getting ("Can not finalize order with status 'Valid'.") is not related to the challenge, but the step afterwards.

2 Likes
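The steps from the first post as a single http-01-only flow in Certes, added here as an example; it is not code from the original post or from the SignEdgeService repository, and the class name, method name and file paths are assumptions. It serves the key authorization (not the bare token) under /.well-known/acme-challenge/, never touches a _acme-challenge TXT record, and finalizes only while the order is 'ready', downloading instead when it is already 'valid', which is the status the "Can not finalize order" error reports.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Certes;
using Certes.Acme;
using Certes.Acme.Resource;

// Hypothetical helper; the class and method names are assumptions for this example.
public static class AcmeHttp01Flow
{
    public static async Task IssueHttp01Async(string accountPemPath, string domain, string webRoot, string outPemPath)
    {
        // Reuse the account key saved from the earlier account-creation step.
        var accountKey = KeyFactory.FromPem(File.ReadAllText(accountPemPath));
        var acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2, accountKey);

        var order = await acme.NewOrder(new[] { domain });
        var authz = (await order.Authorizations()).Single();

        // http-01 only: the file body must be the key authorization, not just the token.
        var http = await authz.Http();
        var challengePath = Path.Combine(webRoot, ".well-known", "acme-challenge", http.Token);
        Directory.CreateDirectory(Path.GetDirectoryName(challengePath)!);
        File.WriteAllText(challengePath, http.KeyAuthz);

        await http.Validate();
        Authorization authzRes;
        do
        {
            await Task.Delay(2000);           // poll until the CA has tried the challenge
            authzRes = await authz.Resource();
        } while (authzRes.Status == AuthorizationStatus.Pending);
        if (authzRes.Status != AuthorizationStatus.Valid)
            throw new InvalidOperationException($"authorization ended as {authzRes.Status}");

        // Generate() finalizes the order, which the CA only allows in status 'ready'.
        // An order already in 'valid' was finalized earlier: just download the chain.
        var certKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
        var orderRes = await order.Resource();
        CertificateChain chain = orderRes.Status switch
        {
            OrderStatus.Ready => await order.Generate(new CsrInfo { CommonName = domain }, certKey),
            OrderStatus.Valid => await order.Download(),
            _ => throw new InvalidOperationException($"order is {orderRes.Status}, not ready/valid")
        };
        // ToPem() is where the issuer lookup from the thread's 'Can not find issuer' trace runs.
        File.WriteAllText(outPemPath, chain.ToPem(certKey));
    }
}
```

When the 'valid' branch is taken, the private key that finalized the order earlier must be supplied to ToPem() instead of a fresh one, otherwise the PEM holds a key that does not match the certificate.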

So, it's a little bit confusing because I use Docker with Ubuntu on AWS. I run Docker with the parameter -port PrivateIPs:80:80, so I'm able to connect to peer.littlemozzarella.com (now it's off). It looks like I have to configure the firewall on Ubuntu.

I will try tomorrow with the DNS challenge; I'll let you know if it works.

I still have a problem with the certificate, but it's another kind of problem...
Certes.AcmeException: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.
at Certes.Pkcs.CertificateStore.GetIssuers(Byte[] der)
at Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey)
at SignEdgeService.ACMEService.DownloadCertificate() in /src/SignEdgeService/ACMEService.cs:line 515
Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.

I have already checked that validation succeeded, but I can't find the new record on Let's Debug.
Another thing I can't understand is why my web server is unreachable for HTTP validation. I have to use the HTTP protocol, right? Not HTTPS or FTP? http://peer.littlemozzarella.com/.well-known/acme-challenge/some_cool_token_here_1 is reachable, and I can download the .txt file.
Here is my ACME code: SignEdgeService/SignEdgeService/ACMEService.cs at main · HappyHakunaMatata/SignEdgeService · GitHub

You may need to switch from staging to production.

2 Likes

See also the same discussion: Can't get TLS certificate for my domain NET 8.0 C#

2 Likes