GetCert2 failing with Server returned problem (Status: 403)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:adfs.banovallumschool.co.uk

I ran this command:Get certificate process started using GetCert2.exe

It produced this output:
2020-08-28 01:45:09:569 PM
2020-08-28 01:45:09:632 PM Get certificate process started …
2020-08-28 01:45:10:210 PM
2020-08-28 01:45:10:257 PM ( staging mode is in effect (-DoStagingTests=True) )
2020-08-28 01:45:10:335 PM
2020-08-28 01:45:10:476 PM
2020-08-28 01:45:10:601 PM Retrieving new certificate for “adfs.banovallumschool.co.uk” from the certificate provider network …
2020-08-28 01:45:10:694 PM
2020-08-28 01:45:10:772 PM
2020-08-28 01:45:10:897 PM Stage 1 - init ACME workspace …
2020-08-28 01:45:11:007 PM
2020-08-28 01:45:13:948 PM Id Name ComputerName ComputerType State ConfigurationName Availability
2020-08-28 01:45:13:963 PM – ---- ------------ ------------ ----- ----------------- ------------
2020-08-28 01:45:13:979 PM 1 GetCert localhost RemoteMachine Opened Microsoft.PowerShell Available
2020-08-28 01:45:14:088 PM
2020-08-28 01:45:14:198 PM Using Module “C:\GetCert2\ACME-PS”

$global:state = New-ACMEState -Path “C:\GetCert2\AcmeState”
Get-ACMEServiceDirectory $global:state -ServiceName “LetsEncrypt-Staging” -PassThru
2020-08-28 01:45:20:794 PM PSComputerName : localhost
2020-08-28 01:45:20:794 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:20:809 PM ResourceUrl : https://acme-staging-v02.api.letsencrypt.org/directory
2020-08-28 01:45:20:809 PM NewAccount : https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
2020-08-28 01:45:20:809 PM NewAuthz :
2020-08-28 01:45:20:809 PM NewNonce : https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
2020-08-28 01:45:20:809 PM NewOrder : https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2020-08-28 01:45:20:825 PM KeyChange : https://acme-staging-v02.api.letsencrypt.org/acme/key-change
2020-08-28 01:45:20:825 PM RevokeCert : https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert
2020-08-28 01:45:20:825 PM Meta : AcmeDirectoryMeta
2020-08-28 01:45:20:825 PM local computer.
2020-08-28 01:45:21:169 PM Success.
2020-08-28 01:45:21:325 PM
2020-08-28 01:45:21:419 PM
2020-08-28 01:45:21:544 PM Stage 2 - register domain contact, submit order & authorization request …
2020-08-28 01:45:21:763 PM
2020-08-28 01:45:21:919 PM Using Module “C:\GetCert2\ACME-PS”

New-ACMENonce $global:state
New-ACMEAccountKey $global:state -PassThru
New-ACMEAccount $global:state -EmailAddresses “ataylor@banovallumschool.co.uk” -AcceptTOS

$SanList = (“adfs.banovallumschool.co.uk”)
[AcmeIdentifier] $identifiers = $null
foreach ($SAN in $SanList) { $identifiers += New-ACMEIdentifier $SAN }

$global:order = New-ACMEOrder $global:state -Identifiers $identifiers
$global:authZ = Get-ACMEAuthorization -State $global:state -Order $global:order

[int] $global:SanMap = $null
foreach ($SAN in $SanList) { for ($i=0; $i -lt $global:authZ.Length; $i++) { if ( $global:authZ[$i].Identifier.value -eq $SAN ) { $global:SanMap += $i }}}
2020-08-28 01:45:24:550 PM PSComputerName : localhost
2020-08-28 01:45:24:565 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:24:565 PM RSA : System.Security.Cryptography.RSACng
2020-08-28 01:45:24:565 PM HashSize : 256
2020-08-28 01:45:24:565 PM HashName : SHA256
2020-08-28 01:45:27:170 PM local computer.
2020-08-28 01:45:27:263 PM Success.
2020-08-28 01:45:27:357 PM
2020-08-28 01:45:27:498 PM
2020-08-28 01:45:27:591 PM Stage 3 - Define DNS name to be challenged (“adfs.banovallumschool.co.uk”), setup domain challenge in IIS and submit it to certificate provider …
2020-08-28 01:45:27:716 PM
2020-08-28 01:45:28:170 PM
2020-08-28 01:45:28:263 PM Adjusting “C:\inetpub\wwwroot.well-known\acme-challenge\web.config” …
2020-08-28 01:45:28:420 PM
2020-08-28 01:45:28:498 PM Using Module “C:\GetCert2\ACME-PS”

$challenge = Get-ACMEChallenge $global:state $global:authZ[$global:SanMap[0]] “http-01”

$challengePath = “C:\inetpub\wwwroot.well-known\acme-challenge”
$fileName = $challengePath + “/” + $challenge.Data.Filename
if(-not (Test-Path $challengePath)) { New-Item -Path $challengePath -ItemType Directory }
Set-Content -Path $fileName -Value $challenge.Data.Content -NoNewLine

$challenge.Data.AbsoluteUrl
$challenge | Complete-ACMEChallenge $global:state
2020-08-28 01:45:29:598 PM adfs.banovallumschool.co.uk/.well-known/acme-challenge/z4TgJcXLQ1IJAFl0uxWpWNIZBQPf14AflTVSdbNbmG4
2020-08-28 01:45:29:864 PM PSComputerName : localhost
2020-08-28 01:45:29:879 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:29:879 PM Type :
2020-08-28 01:45:29:895 PM Url :
2020-08-28 01:45:29:895 PM Token :
2020-08-28 01:45:29:910 PM Identifier : dns:adfs.banovallumschool.co.uk
2020-08-28 01:45:29:910 PM Data :
2020-08-28 01:45:29:926 PM local computer.
2020-08-28 01:45:30:270 PM Success.
2020-08-28 01:45:35:385 PM
2020-08-28 01:45:35:432 PM
2020-08-28 01:45:35:510 PM Stage 4 - update challenge from certificate provider …
2020-08-28 01:45:35:635 PM
2020-08-28 01:45:35:744 PM Using Module “C:\GetCert2\ACME-PS”

$global:order | Update-ACMEOrder $global:state -PassThru
2020-08-28 01:45:37:793 PM PSComputerName : localhost
2020-08-28 01:45:37:793 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:37:808 PM ResourceUrl : https://acme-staging-v02.api.letsencrypt.org/acme/order/15368644/138591949
2020-08-28 01:45:37:808 PM Status : invalid
2020-08-28 01:45:37:808 PM Expires : 2020-09-04T12:45:25Z
2020-08-28 01:45:37:808 PM NotBefore :
2020-08-28 01:45:37:824 PM NotAfter :
2020-08-28 01:45:37:824 PM Identifiers : {dns:adfs.banovallumschool.co.uk}
2020-08-28 01:45:37:824 PM AuthorizationUrls : {https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/101275667}
2020-08-28 01:45:37:839 PM FinalizeUrl : https://acme-staging-v02.api.letsencrypt.org/acme/finalize/15368644/138591949
2020-08-28 01:45:37:839 PM CertificateUrl :
2020-08-28 01:45:37:839 PM CSROptions : AcmeCsrOptions
2020-08-28 01:45:37:839 PM local computer.
2020-08-28 01:45:37:918 PM Success.
2020-08-28 01:45:38:058 PM
2020-08-28 01:45:38:230 PM
2020-08-28 01:45:38:339 PM Stage 5 - generate certificate request and submit …
2020-08-28 01:45:38:480 PM
2020-08-28 01:45:38:636 PM Using Module “C:\GetCert2\ACME-PS”

$global:certKey = New-ACMECertificateKey -Path “C:\GetCert2\AcmeState\cert.key.xml”
Complete-ACMEOrder $global:state -Order $global:order
2020-08-28 01:45:41:655 PM Server returned problem (Status: 403).
2020-08-28 01:45:41:655 PM @{type=urn:ietf:params:acme:error:orderNotReady; detail=Order’s status (“invalid”) is not acceptable for finalization;
2020-08-28 01:45:41:671 PM status=403}
2020-08-28 01:45:41:671 PM At C:\GetCert2\InGetCertSession.ps1:14 char:5
2020-08-28 01:45:41:671 PM + Invoke-Command -Session $GetCertSession -ScriptBlock { & $args[0] …
2020-08-28 01:45:41:671 PM + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-08-28 01:45:41:686 PM + CategoryInfo : OperationStopped: (Server returned…on; status=403}:String) , RuntimeException
2020-08-28 01:45:41:686 PM + FullyQualifiedErrorId : Server returned problem (Status: 403).
2020-08-28 01:45:41:686 PM @{type=urn:ietf:params:acme:error:orderNotReady; detail=Order’s status (“invalid”) is not acceptable for finalizat
2020-08-28 01:45:41:686 PM ion; status=403}
2020-08-28 01:45:41:702 PM
2020-08-28 01:45:41:842 PM GetCertServiceFault: The sub-process experienced a critical failure.
2020-08-28 01:45:41:952 PM
2020-08-28 01:45:43:624 PM
2020-08-28 01:45:43:749 PM At least one stage failed (or the process was stopped). Check log for errors.

My web server is (include version):IIS IIS v10.0.14393.0

The operating system my web server runs on is (include version):Win Serv 2016 v1607

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): GetCert2 v2.211

I’m not sure what has changed because we renewed the certificate 2 months ago fine but we were using letsencrypt.exe but was told that is now deprecated, so I tried with GetCert2.exe with the failure above.

Any Help gratefully received.
Thanks
Doug

Hi @DBS

that client is buggy.

There

is an invalid-result, but the client ignores that, creates a

certificate request and sees the expected result:

An invalid order can't be finalized. But the error, why the order is invalid, isn't shown, that's a wrong written client.

So you can try it again and again - or use another client.

Thanks JeurgenAuer, Ok I’ll look for another client do you have any suggestions of a suitable Windows IIS client for letsencrypt.

If I try the old letsencrypt.exe client I get this:-
C:\letsencrypt>letsencrypt.exe /?
Let’s Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration

Scanning IIS Site Bindings for Hosts
1: IIS adfs.banovallumschool.co.uk (%SystemDrive%\inetpub\wwwroot)

W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
A: Get certificates for all hosts
Q: Quit
Which host do you want to get a certificate for: M
Enter a host name: adfs.banovallumschool.co.uk
Enter a site path (the web root of the host for http authentication): %SystemDrive%\inetpub\wwwroot

Authorizing Identifier adfs.banovallumschool.co.uk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Answer should now be browsable at http://adfs.banovallumschool.co.uk/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Submitting answer
Refreshing authorization
Authorization Result: invalid


The ACME server was probably unable to reach http://adfs.banovallumschool.co.uk/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

Check in a browser to see if the answer file is being served correctly.


Press enter to continue.

Please read your output: There is your job.

Your configuration doesn't work. You have to fix that.

And ACME-v1 is deprecated, you have to switch to v2.

I get this when I look at the well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

in ie

http://localhost/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

IIS 10.0 Detailed Error - 500.19 - Internal Server Error

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

Detailed Error Information:

Module CustomErrorModule
Notification SendResponse
Handler StaticFile
Error Code 0x800700b7
Config Error Cannot add duplicate collection entry of type ‘mimeMap’ with unique key attribute ‘fileExtension’ set to ‘.*’
Config File \?\C:\inetpub\wwwroot.well-known\web.config
Requested URL http://localhost:80/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Physical Path C:\inetpub\wwwroot.well-known\acme-challenge\3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Logon Method Anonymous
Logon User Anonymous

Config Source:

    4:         <staticContent>
    5:             <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
    6:             <mimeMap fileExtension="." mimeType="application/octed-stream" />

Thanks
Doug

Hi JuergenAuer,

I was just using the old deprecated to see if it had better error reporting…

Yes I will have to look at the config or get some help with that to see what has changed over two months, I thought nothing.

Thanks
Doug

So you know what you have to do.

Fix the error you have created.

HI Juergen,
Yes unfortunately it was created by the person setting this up before I got here so I’m trying to work my way through it…
It may be a permissions error.
Thanks
Doug

Please read the output you have shared.

That's not a permission error.

Fundamental .NET error, no, 1+1 isn't 3.

1 Like

Hah Juergen,
You as always are so right 1+1 did not = 3, I had wool over my eyes…
Why I didn’t see the duplicate mime types error when as you pointed out there it was in front of me…
Well I did see through the wool and all is well.
Thanks for your timely help :slight_smile:
Doug

2020-08-28 02:42:12:270 PM Success.
2020-08-28 02:42:12:317 PM
2020-08-28 02:42:12:395 PM A new certificate was successfully installed and bound in IIS.
2020-08-28 02:42:12:442 PM
2020-08-28 02:42:13:348 PM
2020-08-28 02:42:13:380 PM The get certificate process completed successfully.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.