GetCert2 failing with Server returned problem (Status: 403)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: adfs.banovallumschool.co.uk

I ran this command: Get certificate process started using GetCert2.exe

It produced this output:
2020-08-28 01:45:09:569 PM
2020-08-28 01:45:09:632 PM Get certificate process started …
2020-08-28 01:45:10:210 PM
2020-08-28 01:45:10:257 PM ( staging mode is in effect (-DoStagingTests=True) )
2020-08-28 01:45:10:335 PM
2020-08-28 01:45:10:476 PM
2020-08-28 01:45:10:601 PM Retrieving new certificate for "adfs.banovallumschool.co.uk" from the certificate provider network …
2020-08-28 01:45:10:694 PM
2020-08-28 01:45:10:772 PM
2020-08-28 01:45:10:897 PM Stage 1 - init ACME workspace …
2020-08-28 01:45:11:007 PM
2020-08-28 01:45:13:948 PM Id Name ComputerName ComputerType State ConfigurationName Availability
2020-08-28 01:45:13:963 PM -- ---- ------------ ------------ ----- ----------------- ------------
2020-08-28 01:45:13:979 PM 1 GetCert localhost RemoteMachine Opened Microsoft.PowerShell Available
2020-08-28 01:45:14:088 PM
2020-08-28 01:45:14:198 PM Using Module "C:\GetCert2\ACME-PS"

$global:state = New-ACMEState -Path "C:\GetCert2\AcmeState"
Get-ACMEServiceDirectory $global:state -ServiceName "LetsEncrypt-Staging" -PassThru
2020-08-28 01:45:20:794 PM PSComputerName : localhost
2020-08-28 01:45:20:794 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:20:809 PM ResourceUrl : https://acme-staging-v02.api.letsencrypt.org/directory
2020-08-28 01:45:20:809 PM NewAccount : https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
2020-08-28 01:45:20:809 PM NewAuthz :
2020-08-28 01:45:20:809 PM NewNonce : https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
2020-08-28 01:45:20:809 PM NewOrder : https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2020-08-28 01:45:20:825 PM KeyChange : https://acme-staging-v02.api.letsencrypt.org/acme/key-change
2020-08-28 01:45:20:825 PM RevokeCert : https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert
2020-08-28 01:45:20:825 PM Meta : AcmeDirectoryMeta
2020-08-28 01:45:20:825 PM local computer.
2020-08-28 01:45:21:169 PM Success.
2020-08-28 01:45:21:325 PM
2020-08-28 01:45:21:419 PM
2020-08-28 01:45:21:544 PM Stage 2 - register domain contact, submit order & authorization request …
2020-08-28 01:45:21:763 PM
2020-08-28 01:45:21:919 PM Using Module "C:\GetCert2\ACME-PS"

New-ACMENonce $global:state
New-ACMEAccountKey $global:state -PassThru
New-ACMEAccount $global:state -EmailAddresses "ataylor@banovallumschool.co.uk" -AcceptTOS

$SanList = ("adfs.banovallumschool.co.uk")
[AcmeIdentifier] $identifiers = $null
foreach ($SAN in $SanList) { $identifiers += New-ACMEIdentifier $SAN }

$global:order = New-ACMEOrder $global:state -Identifiers $identifiers
$global:authZ = Get-ACMEAuthorization -State $global:state -Order $global:order

[int] $global:SanMap = $null
foreach ($SAN in $SanList) { for ($i=0; $i -lt $global:authZ.Length; $i++) { if ( $global:authZ[$i].Identifier.value -eq $SAN ) { $global:SanMap += $i }}}
2020-08-28 01:45:24:550 PM PSComputerName : localhost
2020-08-28 01:45:24:565 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:24:565 PM RSA : System.Security.Cryptography.RSACng
2020-08-28 01:45:24:565 PM HashSize : 256
2020-08-28 01:45:24:565 PM HashName : SHA256
2020-08-28 01:45:27:170 PM local computer.
2020-08-28 01:45:27:263 PM Success.
2020-08-28 01:45:27:357 PM
2020-08-28 01:45:27:498 PM
2020-08-28 01:45:27:591 PM Stage 3 - Define DNS name to be challenged ("adfs.banovallumschool.co.uk"), setup domain challenge in IIS and submit it to certificate provider …
2020-08-28 01:45:27:716 PM
2020-08-28 01:45:28:170 PM
2020-08-28 01:45:28:263 PM Adjusting "C:\inetpub\wwwroot\.well-known\acme-challenge\web.config" …
2020-08-28 01:45:28:420 PM
2020-08-28 01:45:28:498 PM Using Module "C:\GetCert2\ACME-PS"

$challenge = Get-ACMEChallenge $global:state $global:authZ[$global:SanMap[0]] "http-01"

$challengePath = "C:\inetpub\wwwroot\.well-known\acme-challenge"
$fileName = $challengePath + "/" + $challenge.Data.Filename
if(-not (Test-Path $challengePath)) { New-Item -Path $challengePath -ItemType Directory }
Set-Content -Path $fileName -Value $challenge.Data.Content -NoNewLine

$challenge.Data.AbsoluteUrl
$challenge | Complete-ACMEChallenge $global:state
2020-08-28 01:45:29:598 PM adfs.banovallumschool.co.uk/.well-known/acme-challenge/z4TgJcXLQ1IJAFl0uxWpWNIZBQPf14AflTVSdbNbmG4
2020-08-28 01:45:29:864 PM PSComputerName : localhost
2020-08-28 01:45:29:879 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:29:879 PM Type :
2020-08-28 01:45:29:895 PM Url :
2020-08-28 01:45:29:895 PM Token :
2020-08-28 01:45:29:910 PM Identifier : dns:adfs.banovallumschool.co.uk
2020-08-28 01:45:29:910 PM Data :
2020-08-28 01:45:29:926 PM local computer.
2020-08-28 01:45:30:270 PM Success.
2020-08-28 01:45:35:385 PM
2020-08-28 01:45:35:432 PM
2020-08-28 01:45:35:510 PM Stage 4 - update challenge from certificate provider …
2020-08-28 01:45:35:635 PM
2020-08-28 01:45:35:744 PM Using Module “C:\GetCert2\ACME-PS”

$global:order | Update-ACMEOrder $global:state -PassThru
2020-08-28 01:45:37:793 PM PSComputerName : localhost
2020-08-28 01:45:37:793 PM RunspaceId : 3d9c27d8-a479-4c38-b4e3-eeff7cff7431
2020-08-28 01:45:37:808 PM ResourceUrl : https://acme-staging-v02.api.letsencrypt.org/acme/order/15368644/138591949
2020-08-28 01:45:37:808 PM Status : invalid
2020-08-28 01:45:37:808 PM Expires : 2020-09-04T12:45:25Z
2020-08-28 01:45:37:808 PM NotBefore :
2020-08-28 01:45:37:824 PM NotAfter :
2020-08-28 01:45:37:824 PM Identifiers : {dns:adfs.banovallumschool.co.uk}
2020-08-28 01:45:37:824 PM AuthorizationUrls : {https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/101275667}
2020-08-28 01:45:37:839 PM FinalizeUrl : https://acme-staging-v02.api.letsencrypt.org/acme/finalize/15368644/138591949
2020-08-28 01:45:37:839 PM CertificateUrl :
2020-08-28 01:45:37:839 PM CSROptions : AcmeCsrOptions
2020-08-28 01:45:37:839 PM local computer.
2020-08-28 01:45:37:918 PM Success.
2020-08-28 01:45:38:058 PM
2020-08-28 01:45:38:230 PM
2020-08-28 01:45:38:339 PM Stage 5 - generate certificate request and submit …
2020-08-28 01:45:38:480 PM
2020-08-28 01:45:38:636 PM Using Module "C:\GetCert2\ACME-PS"

$global:certKey = New-ACMECertificateKey -Path "C:\GetCert2\AcmeState\cert.key.xml"
Complete-ACMEOrder $global:state -Order $global:order
2020-08-28 01:45:41:655 PM Server returned problem (Status: 403).
2020-08-28 01:45:41:655 PM @{type=urn:ietf:params:acme:error:orderNotReady; detail=Order's status ("invalid") is not acceptable for finalization;
2020-08-28 01:45:41:671 PM status=403}
2020-08-28 01:45:41:671 PM At C:\GetCert2\InGetCertSession.ps1:14 char:5
2020-08-28 01:45:41:671 PM + Invoke-Command -Session $GetCertSession -ScriptBlock { & $args[0] …
2020-08-28 01:45:41:671 PM + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-08-28 01:45:41:686 PM + CategoryInfo : OperationStopped: (Server returned…on; status=403}:String) , RuntimeException
2020-08-28 01:45:41:686 PM + FullyQualifiedErrorId : Server returned problem (Status: 403).
2020-08-28 01:45:41:686 PM @{type=urn:ietf:params:acme:error:orderNotReady; detail=Order's status ("invalid") is not acceptable for finalizat
2020-08-28 01:45:41:686 PM ion; status=403}
2020-08-28 01:45:41:702 PM
2020-08-28 01:45:41:842 PM GetCertServiceFault: The sub-process experienced a critical failure.
2020-08-28 01:45:41:952 PM
2020-08-28 01:45:43:624 PM
2020-08-28 01:45:43:749 PM At least one stage failed (or the process was stopped). Check log for errors.

My web server is (include version): IIS v10.0.14393.0

The operating system my web server runs on is (include version): Windows Server 2016 v1607

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): GetCert2 v2.211

I'm not sure what has changed, because we renewed the certificate 2 months ago fine. We were using letsencrypt.exe, but I was told that it is now deprecated, so I tried GetCert2.exe, with the failure above.

Any Help gratefully received.
Thanks
Doug


Hi @DBS

That client is buggy.

There is an invalid result, but the client ignores that, creates a certificate request and gets the expected result:

An invalid order can't be finalized. But the error, the reason why the order is invalid, isn't shown; that's a badly written client.

So you can try it again and again, or use another client.

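The behaviour JuergenAuer describes (finalizing an order that is already `invalid`) is what a client should refuse to do. The following is an added example for this thread, not GetCert2's embedded script or ACME-PS project code: it polls the order with the same `Update-ACMEOrder` call the log's stage 4 uses, stops with the name of the failed identifier on `invalid`, and only calls `Complete-ACMEOrder` on `ready`. It assumes ACME-PS is loaded and `$global:state` / `$global:order` exist as after stages 1-3, that the authorization objects returned by `Get-ACMEAuthorization` expose a `Status` property, and that `Complete-ACMEOrder` accepts `-CertificateKey`; `Wait-AcmeOrderReady` is a name chosen here.

```powershell
# Added example for this thread, not GetCert2's script or ACME-PS code.
# Stage 4/5 done defensively: poll the order until the CA reaches a terminal
# state and refuse to finalize anything that is not "ready".
# Assumptions: ACME-PS is loaded and $global:state / $global:order exist as
# after the log's stages 1-3; authorization objects expose Status;
# Wait-AcmeOrderReady is a name chosen for this example.

function Wait-AcmeOrderReady {
    param(
        [Parameter(Mandatory)] $State,
        [Parameter(Mandatory)] $Order,
        [int] $TimeoutSeconds = 120,
        [int] $PollSeconds = 5
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        # Same call as the log's stage 4; -PassThru returns the refreshed
        # order whose Status the log printed as "invalid".
        $current = $Order | Update-ACMEOrder $State -PassThru
        switch ($current.Status) {
            'ready'   { return $current }   # all authorizations valid, safe to finalize
            'valid'   { return $current }   # finalized on an earlier run
            'invalid' {
                # Stop here instead of walking Complete-ACMEOrder into a 403
                # orderNotReady; name the identifier(s) that did not validate.
                $authz  = Get-ACMEAuthorization -State $State -Order $current
                $failed = $authz | Where-Object { $_.Status -ne 'valid' } |
                          ForEach-Object { "$($_.Identifier.Value) ($($_.Status))" }
                throw ("Order is invalid; authorization failed for: " + ($failed -join ', ') +
                       ". Fix the http-01 path and submit a new order.")
            }
            default {
                # 'pending' or 'processing': the CA has not finished validating yet.
                if ((Get-Date) -gt $deadline) {
                    throw "Order still '$($current.Status)' after $TimeoutSeconds seconds"
                }
                Start-Sleep -Seconds $PollSeconds
            }
        }
    }
}

$readyOrder = Wait-AcmeOrderReady -State $global:state -Order $global:order
$certKey    = New-ACMECertificateKey -Path "C:\GetCert2\AcmeState\cert.key.xml"
Complete-ACMEOrder $global:state -Order $readyOrder -CertificateKey $certKey
```

Note that an ACME order cannot be repaired once it is `invalid`: after fixing the web server you must create a new order (stage 2 onwards), which is why the function throws rather than retrying.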

Thanks JuergenAuer. OK, I'll look for another client; do you have any suggestions for a suitable Windows IIS client for Let's Encrypt?

If I try the old letsencrypt.exe client I get this:
C:\letsencrypt>letsencrypt.exe /?
Let’s Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\control\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration

Scanning IIS Site Bindings for Hosts
1: IIS adfs.banovallumschool.co.uk (%SystemDrive%\inetpub\wwwroot)

W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
A: Get certificates for all hosts
Q: Quit
Which host do you want to get a certificate for: M
Enter a host name: adfs.banovallumschool.co.uk
Enter a site path (the web root of the host for http authentication): %SystemDrive%\inetpub\wwwroot

Authorizing Identifier adfs.banovallumschool.co.uk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Answer should now be browsable at http://adfs.banovallumschool.co.uk/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Submitting answer
Refreshing authorization
Authorization Result: invalid


The ACME server was probably unable to reach http://adfs.banovallumschool.co.uk/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

Check in a browser to see if the answer file is being served correctly.


Press enter to continue.

Please read your output: there is your job.

Your configuration doesn't work. You have to fix that.

And ACME v1 is deprecated; you have to switch to v2.


I get this when I look at /.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU in IE:

http://localhost/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU

IIS 10.0 Detailed Error - 500.19 - Internal Server Error

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

Detailed Error Information:

Module CustomErrorModule
Notification SendResponse
Handler StaticFile
Error Code 0x800700b7
Config Error Cannot add duplicate collection entry of type 'mimeMap' with unique key attribute 'fileExtension' set to '.*'
Config File \\?\C:\inetpub\wwwroot\.well-known\web.config
Requested URL http://localhost:80/.well-known/acme-challenge/3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Physical Path C:\inetpub\wwwroot\.well-known\acme-challenge\3tFT7YzEFBx4J_Zc88_nbX6NyYEj22W5Bp3NPaHA_jU
Logon Method Anonymous
Logon User Anonymous

Config Source:

    4:         <staticContent>
    5:             <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
    6:             <mimeMap fileExtension="." mimeType="application/octed-stream" />

Thanks
Doug
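The 500.19 above is an IIS configuration merge problem, not a permissions one: `<staticContent>` collections are inherited from applicationHost.config down through every `web.config` on the path, and a child that `<mimeMap>`s a `fileExtension` an ancestor already added, without a `<remove>` or `<clear />` first, raises 0x800700b7 for every request under that directory. The script below is an added example for this thread, not GetCert2 or letsencrypt-win-simple code. It walks the config chain for the challenge path and reports re-added keys, writes a known-good `web.config` into `.well-known\acme-challenge`, then serves a constructed probe token and fetches it over plain HTTP the way the CA would. It assumes the site root `C:\inetpub\wwwroot` and the host name from the thread; the probe token and body are constructed here, not issued by Let's Encrypt; `Find-DuplicateMimeMap` and `Test-Http01Path` are names chosen for this example.

```powershell
# Added example for this thread, not GetCert2 or letsencrypt-win-simple code.
# Pre-flight check of the IIS http-01 path before an ACME order is submitted:
#   1. find mimeMap keys re-added in nested web.config files (the 500.19 /
#      0x800700b7 in the thread),
#   2. write a known-good web.config into .well-known\acme-challenge,
#   3. serve a constructed probe token and fetch it over HTTP like the CA does.
# Assumptions: site root C:\inetpub\wwwroot and the host name from the thread;
# the probe token and body are constructed here, not issued by Let's Encrypt;
# Find-DuplicateMimeMap and Test-Http01Path are names chosen for this example.

function Find-DuplicateMimeMap {
    param([string] $SiteRoot = "C:\inetpub\wwwroot")
    # IIS merges <staticContent> top-down: applicationHost.config, site root,
    # .well-known, acme-challenge. A child that adds a fileExtension an ancestor
    # already added, without <remove> or <clear/> first, is error 0x800700b7.
    $configs = @("$env:windir\System32\inetsrv\config\applicationHost.config",
                 (Join-Path $SiteRoot "web.config"),
                 (Join-Path $SiteRoot ".well-known\web.config"),
                 (Join-Path $SiteRoot ".well-known\acme-challenge\web.config"))
    $seen = @{}        # fileExtension -> config file that added it
    $problems = @()
    foreach ($cfg in $configs) {
        if (-not (Test-Path $cfg)) { continue }
        $xml = [xml](Get-Content -Path $cfg -Raw)
        $sc  = $xml.SelectSingleNode("/configuration/system.webServer/staticContent")
        if ($null -eq $sc) { continue }
        foreach ($node in $sc.ChildNodes) {
            if ($node.NodeType -ne 'Element') { continue }   # skip comments
            $ext = $node.GetAttribute("fileExtension")
            switch ($node.Name) {
                'clear'   { $seen.Clear() }
                'remove'  { $seen.Remove($ext) }
                'mimeMap' {
                    if ($seen.ContainsKey($ext)) {
                        $problems += "$cfg re-adds mimeMap '$ext' already added by $($seen[$ext])"
                    }
                    $seen[$ext] = $cfg
                }
            }
        }
    }
    return $problems
}

function Test-Http01Path {
    param([string] $Hostname = "adfs.banovallumschool.co.uk",
          [string] $SiteRoot = "C:\inetpub\wwwroot")
    $challengeDir = Join-Path $SiteRoot ".well-known\acme-challenge"
    if (-not (Test-Path $challengeDir)) {
        New-Item -Path $challengeDir -ItemType Directory | Out-Null
    }
    # Known-good config for the challenge directory: remove-then-add so the
    # extensionless mapping never collides with an ancestor's entry (a <remove>
    # of a key nobody added is a no-op), and only the static-file handler
    # touches the token files.
    $webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
'@
    Set-Content -Path (Join-Path $challengeDir "web.config") -Value $webConfig -Encoding UTF8

    # Constructed probe: 43 base64url chars like a real token, body in the same
    # "token.thumbprint" shape. Not a value issued by the CA.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $token = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    $body  = "$token.probe-thumbprint-constructed"
    $file  = Join-Path $challengeDir $token
    Set-Content -Path $file -Value $body -NoNewline -Encoding Ascii
    $url = "http://$Hostname/.well-known/acme-challenge/$token"
    try {
        # Plain HTTP on port 80. The CA follows redirects, so allow them but
        # judge whatever finally answered: must be 200 with the exact body.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 10
        $ok   = ($resp.StatusCode -eq 200) -and ($resp.Content -eq $body)
        if ($ok) { Write-Host "OK: $url returned the token body" }
        else     { Write-Warning "Got $($resp.StatusCode) but body did not match: $($resp.Content)" }
        return $ok
    } catch {
        # IIS 500.19 (bad web.config), 404 (wrong web root / request filtering)
        # and connection failures all land here.
        Write-Warning "Fetch of $url failed: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
}

Find-DuplicateMimeMap | ForEach-Object { Write-Warning $_ }
Test-Http01Path
```

Run it from an elevated PowerShell on the web server (applicationHost.config is only readable as administrator). If `Find-DuplicateMimeMap` reports the `.*` entry, as in this thread, delete the stale `.well-known\web.config` left behind by the old client or put `<remove fileExtension=".*" />` above it. Repeat the fetch from a machine outside the school network as well: resolving the host name on the server itself may short-circuit NAT or a proxy that the CA's validation requests have to pass through.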

Hi JuergenAuer,

I was just using the old deprecated client to see if it had better error reporting…

Yes, I will have to look at the config, or get some help with that, to see what has changed over two months; I thought nothing had.

Thanks
Doug

So you know what you have to do.

Fix the error you have created.


HI Juergen,
Yes, unfortunately it was created by the person setting this up before I got here, so I'm trying to work my way through it…
It may be a permissions error.
Thanks
Doug

Please read the output you have shared.

That’s not a permission error.

Fundamental .NET error, no, 1+1 isn’t 3.


Hah Juergen,
You, as always, are so right: 1+1 did not = 3, I had wool over my eyes…
Why didn't I see the duplicate MIME type error when, as you pointed out, there it was in front of me…
Well, I did see through the wool and all is well.
Thanks for your timely help :)
Doug

2020-08-28 02:42:12:270 PM Success.
2020-08-28 02:42:12:317 PM
2020-08-28 02:42:12:395 PM A new certificate was successfully installed and bound in IIS.
2020-08-28 02:42:12:442 PM
2020-08-28 02:42:13:348 PM
2020-08-28 02:42:13:380 PM The get certificate process completed successfully.
