GetCert2 failing with Server returned problem (Status: 403)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: adfs.banovallumschool.co.uk

I ran this command: Get certificate process started using GetCert2.exe

It produced this output:
2020-08-28 01:45:09:569 PM
2020-08-28 01:45:09:632 PM Get certificate process started …
2020-08-28 01:45:10:210 PM
2020-08-28 01:45:10:257 PM ( staging mode is in effect (-DoStagingTests=True) )
2020-08-28 01:45:10:335 PM
2020-08-28 01:45:10:476 PM
2020-08-28 01:45:10:601 PM Retrieving new certificate for “adfs.banovallumschool.co.uk” from the certificate provider network …
2020-08-28 01:45:10:694 PM
2020-08-28 01:45:10:772 PM
2020-08-28 01:45:10:897 PM Stage 1 - init ACME workspace …
2020-08-28 01:45:11:007 PM
2020-08-28 01:45:13:948 PM Id Name ComputerName ComputerType State ConfigurationName Availability
2020-08-28 01:45:13:963 PM -- ---- ------------ ------------ ----- ----------------- ------------
2020-08-28 01:45:13:979 PM 1 GetCert localhost RemoteMachine Opened Microsoft.PowerShell Available
2020-08-28 01:45:14:088 PM
2020-08-28 01:45:14:198 PM Using Module “C:\GetCert2\ACME-PS”

$global:state = New-ACMEState -Path "C:\GetCert2\AcmeState"
Get-ACMEServiceDirectory $global:state -ServiceName "LetsEncrypt-Staging" -PassThru
2020-08-28 01:45:20:794 PM PSComputerName : localhost
2020-08-28 01:45:20:794 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:20:809 PM ResourceUrl : https://acme-staging-v02.api.letsencrypt.org/directory
2020-08-28 01:45:20:809 PM NewAccount : https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
2020-08-28 01:45:20:809 PM NewAuthz :
2020-08-28 01:45:20:809 PM NewNonce : https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
2020-08-28 01:45:20:809 PM NewOrder : https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2020-08-28 01:45:20:825 PM KeyChange : https://acme-staging-v02.api.letsencrypt.org/acme/key-change
2020-08-28 01:45:20:825 PM RevokeCert : https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert
2020-08-28 01:45:20:825 PM Meta : AcmeDirectoryMeta
2020-08-28 01:45:20:825 PM local computer.
2020-08-28 01:45:21:169 PM Success.
2020-08-28 01:45:21:325 PM
2020-08-28 01:45:21:419 PM
2020-08-28 01:45:21:544 PM Stage 2 - register domain contact, submit order & authorization request …
2020-08-28 01:45:21:763 PM
2020-08-28 01:45:21:919 PM Using Module “C:\GetCert2\ACME-PS”

New-ACMENonce $global:state
New-ACMEAccountKey $global:state -PassThru
New-ACMEAccount $global:state -EmailAddresses "ataylor@banovallumschool.co.uk" -AcceptTOS

$SanList = ("adfs.banovallumschool.co.uk")
[AcmeIdentifier] $identifiers = $null
foreach ($SAN in $SanList) { $identifiers += New-ACMEIdentifier $SAN }

$global:order = New-ACMEOrder $global:state -Identifiers $identifiers
$global:authZ = Get-ACMEAuthorization -State $global:state -Order $global:order

[int] $global:SanMap = $null
foreach ($SAN in $SanList) { for ($i=0; $i -lt $global:authZ.Length; $i++) { if ( $global:authZ[$i].Identifier.value -eq $SAN ) { $global:SanMap += $i }}}
2020-08-28 01:45:24:550 PM PSComputerName : localhost
2020-08-28 01:45:24:565 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:24:565 PM RSA : System.Security.Cryptography.RSACng
2020-08-28 01:45:24:565 PM HashSize : 256
2020-08-28 01:45:24:565 PM HashName : SHA256
2020-08-28 01:45:27:170 PM local computer.
2020-08-28 01:45:27:263 PM Success.
2020-08-28 01:45:27:357 PM
2020-08-28 01:45:27:498 PM
2020-08-28 01:45:27:591 PM Stage 3 - Define DNS name to be challenged (“adfs.banovallumschool.co.uk”), setup domain challenge in IIS and submit it to certificate provider …
2020-08-28 01:45:27:716 PM
2020-08-28 01:45:28:170 PM
2020-08-28 01:45:28:263 PM Adjusting “C:\inetpub\wwwroot\.well-known\acme-challenge\web.config” …
2020-08-28 01:45:28:420 PM
2020-08-28 01:45:28:498 PM Using Module “C:\GetCert2\ACME-PS”

$challenge = Get-ACMEChallenge $global:state $global:authZ[$global:SanMap[0]] "http-01"

$challengePath = "C:\inetpub\wwwroot\.well-known\acme-challenge"
$fileName = $challengePath + "/" + $challenge.Data.Filename
if(-not (Test-Path $challengePath)) { New-Item -Path $challengePath -ItemType Directory }
Set-Content -Path $fileName -Value $challenge.Data.Content -NoNewLine

$challenge.Data.AbsoluteUrl
$challenge | Complete-ACMEChallenge $global:state
2020-08-28 01:45:29:598 PM adfs.banovallumschool.co.uk/.well-known/acme-challenge/z4TgJcXLQ1IJAFl0uxWpWNIZBQPf14AflTVSdbNbmG4
2020-08-28 01:45:29:864 PM PSComputerName : localhost
2020-08-28 01:45:29:879 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:29:879 PM Type :
2020-08-28 01:45:29:895 PM Url :
2020-08-28 01:45:29:895 PM Token :
2020-08-28 01:45:29:910 PM Identifier : dns:adfs.banovallumschool.co.uk
2020-08-28 01:45:29:910 PM Data :
2020-08-28 01:45:29:926 PM local computer.
2020-08-28 01:45:30:270 PM Success.
2020-08-28 01:45:35:385 PM
2020-08-28 01:45:35:432 PM
2020-08-28 01:45:35:510 PM Stage 4 - update challenge from certificate provider …
2020-08-28 01:45:35:635 PM
2020-08-28 01:45:35:744 PM Using Module “C:\GetCert2\ACME-PS”

$global:order | Update-ACMEOrder $global:state -PassThru
2020-08-28 01:45:37:793 PM PSComputerName : localhost
2020-08-28 01:45:37:793 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:37:808 PM ResourceUrl : https://acme-staging-v02.api.letsencrypt.org/acme/order/15368644/138591949
2020-08-28 01:45:37:808 PM Status : invalid
2020-08-28 01:45:37:808 PM Expires : 2020-09-04T12:45:25Z
2020-08-28 01:45:37:808 PM NotBefore :
2020-08-28 01:45:37:824 PM NotAfter :
2020-08-28 01:45:37:824 PM Identifiers : {dns:adfs.banovallumschool.co.uk}
2020-08-28 01:45:37:824 PM AuthorizationUrls : {https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/101275667}
2020-08-28 01:45:37:839 PM FinalizeUrl : https://acme-staging-v02.api.letsencrypt.org/acme/finalize/15368644/138591949
2020-08-28 01:45:37:839 PM CertificateUrl :
2020-08-28 01:45:37:839 PM CSROptions : AcmeCsrOptions
2020-08-28 01:45:37:839 PM local computer.
2020-08-28 01:45:37:918 PM Success.
2020-08-28 01:45:38:058 PM
2020-08-28 01:45:38:230 PM
2020-08-28 01:45:38:339 PM Stage 5 - generate certificate request and submit …
2020-08-28 01:45:38:480 PM
2020-08-28 01:45:38:636 PM Using Module “C:\GetCert2\ACME-PS”

$global:certKey = New-ACMECertificateKey -Path "C:\GetCert2\AcmeState\cert.key.xml"
Complete-ACMEOrder $global:state -Order $global:order
2020-08-28 01:45:41:655 PM Server returned problem (Status: 403).
2020-08-28 01:45:41:655 PM @{type=urn:ietf:params:acme:error:orderNotReady; detail=Order’s status (“invalid”) is not acceptable for finalization;
2020-08-28 01:45:41:671 PM status=403}
2020-08-28 01:45:41:671 PM At C:\GetCert2\InGetCertSession.ps1:14 char:5
2020-08-28 01:45:41:671 PM + Invoke-Command -Session $GetCertSession -ScriptBlock { & $args[0] …
2020-08-28 01:45:41:671 PM + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-08-28 01:45:41:686 PM + CategoryInfo : OperationStopped: (Server returned…on; status=403}:String) , RuntimeException
2020-08-28 01:45:41:686 PM + FullyQualifiedErrorId : Server returned problem (Status: 403).
2020-08-28 01:45:41:686 PM @{type=urn:ietf:params:acme:error:orderNotReady; detail=Order’s status (“invalid”) is not acceptable for finalizat
2020-08-28 01:45:41:686 PM ion; status=403}
2020-08-28 01:45:41:702 PM
2020-08-28 01:45:41:842 PM GetCertServiceFault: The sub-process experienced a critical failure.
2020-08-28 01:45:41:952 PM
2020-08-28 01:45:43:624 PM
2020-08-28 01:45:43:749 PM At least one stage failed (or the process was stopped). Check log for errors.

My web server is (include version): IIS v10.0.14393.0

The operating system my web server runs on is (include version): Win Serv 2016 v1607

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): GetCert2 v2.211

I’m not sure what has changed, because we renewed the certificate 2 months ago fine, but we were using letsencrypt.exe and I was told that is now deprecated, so I tried with GetCert2.exe with the failure above.

Any Help gratefully received.
Thanks
Doug

Hi @DBS

that client is buggy.

There is an invalid-result, but the client ignores that, creates a certificate request and sees the expected result:

An invalid order can't be finalized. But the error, why the order is invalid, isn't shown, that's a wrong written client.

So you can try it again and again - or use another client.
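The check the reply describes, written out as an added example (not the GetCert2 or ACME-PS code): after the authorizations come back, stop on any that is not "valid" and print the server's challenge error instead of going on to finalize and getting an orderNotReady 403. The authorization JSON is constructed to mirror the thread's failure and the domain, token and detail text are invented.

```python
import json

# Constructed authorization object shaped like RFC 8555 section 7.1.4; the
# domain, token and error detail are invented, not from the thread.
AUTHZ_JSON = json.dumps({
    "identifier": {"type": "dns", "value": "adfs.example.test"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid", "token": "CONSTRUCTED_TOKEN",
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": "Invalid response from http://adfs.example.test/"
                      ".well-known/acme-challenge/CONSTRUCTED_TOKEN: 500",
        },
    }],
})


def sample_authorizations():
    """The constructed authorization list a client fetches from the order."""
    return [json.loads(AUTHZ_JSON)]


def check_authorizations(authz_objects):
    """Return (all_valid, problems); each problem line carries the identifier,
    the challenge and the server's error type/detail the client hid."""
    problems = []
    for authz in authz_objects:
        status = authz.get("status")
        if status == "valid":
            continue
        name = authz.get("identifier", {}).get("value", "?")
        failed = [c for c in authz.get("challenges", []) if c.get("error")]
        if not failed:
            problems.append(f"{name}: authorization is {status}, "
                            "no challenge error recorded")
        for c in failed:
            err = c["error"]
            problems.append(f"{name} {c['type']} {c['status']}: "
                            f"{err.get('type')} - {err.get('detail')}")
    return (not problems, problems)


def finalize_if_ready(order_status, authz_objects):
    """Gate the finalize step: only a 'ready' order with every authorization
    valid is finalized; otherwise stop and return the reasons."""
    ok, problems = check_authorizations(authz_objects)
    if order_status != "ready" or not ok:
        return ("stop", problems)
    return ("finalize", [])
```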

Thanks JuergenAuer, OK I’ll look for another client. Do you have any suggestions of a suitable Windows IIS client for letsencrypt?

If I try the old letsencrypt.exe client I get this:
C:\letsencrypt>letsencrypt.exe /?
Let’s Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration

Scanning IIS Site Bindings for Hosts
1: IIS adfs.banovallumschool.co.uk (%SystemDrive%\inetpub\wwwroot)

W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
A: Get certificates for all hosts
Q: Quit
Which host do you want to get a certificate for: M
Enter a host name: adfs.banovallumschool.co.uk
Enter a site path (the web root of the host for http authentication): %SystemDrive%\inetpub\wwwroot

Authorizing Identifier adfs.banovallumschool.co.uk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Answer should now be browsable at http://adfs.banovallumschool.co.uk/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Submitting answer
Refreshing authorization
Authorization Result: invalid


The ACME server was probably unable to reach http://adfs.banovallumschool.co.uk/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

Check in a browser to see if the answer file is being served correctly.


Press enter to continue.

Please read your output: There is your job.

Your configuration doesn't work. You have to fix that.

And ACME-v1 is deprecated, you have to switch to v2.

I get this when I look at the well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

in ie

http://localhost/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

IIS 10.0 Detailed Error - 500.19 - Internal Server Error

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

Detailed Error Information:

Module CustomErrorModule
Notification SendResponse
Handler StaticFile
Error Code 0x800700b7
Config Error Cannot add duplicate collection entry of type ‘mimeMap’ with unique key attribute ‘fileExtension’ set to ‘.*’
Config File \\?\C:\inetpub\wwwroot\.well-known\web.config
Requested URL http://localhost:80/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Physical Path C:\inetpub\wwwroot\.well-known\acme-challenge\3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Logon Method Anonymous
Logon User Anonymous

Config Source:

    4:         <staticContent>
    5:             <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
    6:             <mimeMap fileExtension="." mimeType="application/octed-stream" />

Thanks
Doug
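The 500.19 above is IIS refusing a keyed collection entry that already exists. As an added example (not the poster's configuration and not IIS code), this models how IIS merges the staticContent/mimeMap collection down a web.config hierarchy and reports the duplicate, with a corrected child config beside the broken one. The split into a parent (wwwroot) and child (.well-known) config is an assumption; the snippets are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed parent web.config (think wwwroot) that already maps ".*" ...
PARENT_CONFIG = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>"""

# ... and a constructed child (.well-known) config that adds ".*" again.
BROKEN_CHILD = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
  <mimeMap fileExtension="." mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>"""

# Corrected child: drop the inherited key before adding it again.
FIXED_CHILD = """<configuration><system.webServer><staticContent>
  <remove fileExtension=".*" />
  <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>"""


def merge_mime_maps(config_texts):
    """Apply web.config files from root to leaf the way IIS merges a keyed
    collection: <clear/> empties it, <remove> drops one key, <mimeMap> adds
    one, and adding a key already present is the 500.19 error.
    Returns (merged_maps, errors)."""
    mime_maps, errors = {}, []
    for text in config_texts:
        for section in ET.fromstring(text).iter("staticContent"):
            for el in section:
                key = el.get("fileExtension")
                if el.tag == "clear":
                    mime_maps.clear()
                elif el.tag == "remove":
                    mime_maps.pop(key, None)
                elif el.tag == "mimeMap" and key in mime_maps:
                    errors.append("Cannot add duplicate collection entry of "
                                  "type 'mimeMap' with unique key attribute "
                                  f"'fileExtension' set to '{key}'")
                elif el.tag == "mimeMap":
                    mime_maps[key] = el.get("mimeType")
    return mime_maps, errors
```

Running the parent plus the broken child reproduces the duplicate-key message; the parent plus the fixed child merges cleanly.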

Hi JuergenAuer,

I was just using the old deprecated client to see if it had better error reporting…

Yes, I will have to look at the config or get some help with that to see what has changed over two months; I thought nothing.

Thanks
Doug

So you know what you have to do.

Fix the error you have created.

HI Juergen,
Yes, unfortunately it was created by the person setting this up before I got here, so I’m trying to work my way through it…
It may be a permissions error.
Thanks
Doug

Please read the output you have shared.

That's not a permission error.

Fundamental .NET error, no, 1+1 isn't 3.


Hah Juergen,
You as always are so right, 1+1 did not = 3, I had wool over my eyes…
Why I didn’t see the duplicate mime types error when, as you pointed out, there it was in front of me…
Well I did see through the wool and all is well.
Thanks for your timely help :slight_smile:
Doug

2020-08-28 02:42:12:270 PM Success.
2020-08-28 02:42:12:317 PM
2020-08-28 02:42:12:395 PM A new certificate was successfully installed and bound in IIS.
2020-08-28 02:42:12:442 PM
2020-08-28 02:42:13:348 PM
2020-08-28 02:42:13:380 PM The get certificate process completed successfully.
