Getting 403 error when renewing or creating a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: degree.unco.edu

I ran this command: letsencrypt.exe

It produced this output:

[INFO] A Simple ACME Client for Windows (WACS)
[INFO] Software version 1910.0.6645.39719 (RELEASE)
[INFO] IIS version 8.5
[INFO] ACME server https://acme-v01.api.letsencrypt.org/
[INFO] Please report issues at https://github.com/PKISharp/win-acme

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel all scheduled renewals
Q: Quit

Please choose from the menu: N

[INFO] Running in Simple mode

1: Single binding of an IIS site
2: SAN certificate for all bindings of an IIS site
3: SAN certificate for all bindings of multiple IIS sites
4: Manually input host names
C: Cancel

Which kind of certificate would you like to create?: 2

[INFO] No valid hosts found for Default Web Site.

output omitted
C: Cancel

Choose site: 21

Press enter to include all listed hosts, or type a comma-separated lists of exclusions: unco.stage.academicpartnerships.com

[INFO] Plugin IISSite generated target [IISSite] (SiteId 17) [3 bindings - degree.unco.edu, … @ D:\Web Sites\degree.unco.edu]
[INFO] Authorize identifier: degree.unco.edu
[INFO] Authorizing degree.unco.edu using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://degree.unco.edu/.well-known/acme-challenge/Rw51JytSL4SytMkGDzbh6zV4bQa08n0tq9Ce8gmUtrk
[EROR] Authorization result: invalid
[INFO] Authorize identifier: www.degree.unco.edu
[INFO] Authorizing www.degree.unco.edu using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://www.degree.unco.edu/.well-known/acme-challenge/1aoeK8byVlw72hAK-v-V7amjm_S3smv1-iHC5Yi-x_c
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:unauthorized
[EROR] [detail] Invalid response from https://degree.unco.edu/.well-known/acme-challenge/rw51jytsl4sytmkgdzbh6zv4bqa08n0tq9ce8gmutrk [199.47.88.47]: "\r\n<!doctype html>\r\n<html lang="en" \r\n\t\r\n>\r\n\r\n<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />\r\n<meta chars"
[EROR] [status] 403
[EROR] Create certificate failed

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew all
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel all scheduled renewals
Q: Quit

Please choose from the menu:
My web server is (include version):

The operating system my web server runs on is (include version): IIS 8.0

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

The server failed to validate your domains. Please ensure that your server is configured correctly such that the challenge file is put in the directory that's served from that path on the domain.

Due to the CAA issue we had 5 of these to do. 2 completed without issue. One finally worked. The last keeps giving a 403 error.
Mike

I do not see the challenge in the folder
Mike

It’s likely the client removes the challenge after the failed validation. I’d double-check all your configuration and perhaps watch the relevant directories while renewal is in progress.

I have done this all and I watched the folder and the .well-known never appeared. We have updated these sites several times in the past and this is the first time we have had an issue.

Mike

If the challenge never shows up in your webroot then this isn't an issue on the Let's Encrypt side.

That's what the server is getting when it tries to retrieve the challenge from your domain. It's truncated in the log but it looks like it could be a 404 response page. Unfortunately I don't know about your specific client to be able to help more with this.

I was able to get this to work. I had to remove the http --> https redirect off my site. It appears as if the servers that check the challenge are already rejecting the certificates.

Mike
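The replies above boil down to one diagnostic: fetch the challenge URL exactly as the validation server does, follow any redirect it is sent through, and look at the final status and body. The script below is an added example, not code from win-acme or Let's Encrypt. It starts a local HTTP server that stands in for an IIS site and plays three behaviours (serves the token correctly; redirects to a second location that answers 403, which models the http --> https redirect in this thread; returns the site's HTML page instead of the token), then runs a `check_http01` function against each. The names `SiteHandler`, `check_http01`, `run_demo`, `CheckResult`, the token and the key authorization string are all constructed for the example.

```python
"""Simulated ACME http-01 check: what a validator sees when it requests
http://<host>/.well-known/acme-challenge/<token>.  Added example, not win-acme
or Let's Encrypt code; the local server stands in for the IIS site."""
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample values, not taken from the log above.
TOKEN = "sampleTokenAbc123"
KEY_AUTH = TOKEN + ".sampleAccountKeyThumbprint"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN


class SiteHandler(BaseHTTPRequestHandler):
    """Stand-in for the web site under test; `mode` picks one behaviour."""
    mode = "ok"  # "ok" | "redirect_then_403" | "html_page"

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _reply(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # "/redirected" plays the role of the HTTPS site that the http->https
        # rule sends the validator to; here it refuses the challenge path.
        if self.path.startswith("/redirected"):
            self._reply(403, b"<!doctype html><html><body>403 Forbidden</body></html>",
                        "text/html")
        elif self.path != CHALLENGE_PATH:
            self._reply(404, b"not found")
        elif self.mode == "ok":
            self._reply(200, KEY_AUTH.encode())
        elif self.mode == "redirect_then_403":
            self.send_response(301)
            self.send_header("Location", "/redirected" + CHALLENGE_PATH)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:  # "html_page": a catch-all rewrite serves the site's HTML instead
            self._reply(200, b'<!doctype html><html lang="en"><body>home</body></html>',
                        "text/html")


@dataclass
class CheckResult:
    status: int      # HTTP status of the final response
    final_url: str   # URL that produced it (differs from the request URL after a redirect)
    verdict: str     # "valid" | "forbidden" | "html-instead-of-token" | "http-<code>"


def check_http01(base_url, token=TOKEN, key_auth=KEY_AUTH, timeout=5):
    """Fetch the challenge the way a validator does (redirects followed) and
    classify the final response."""
    url = base_url + "/.well-known/acme-challenge/" + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, final_url, body = resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:
        status, final_url, body = err.code, err.geturl(), err.read()
    text = body.decode("utf-8", "replace")
    looks_like_html = text.lstrip().lower().startswith(("<!doctype", "<html"))
    if status == 200 and text.strip() == key_auth:
        verdict = "valid"
    elif status == 403:
        verdict = "forbidden"
    elif status == 200 and looks_like_html:
        verdict = "html-instead-of-token"
    else:
        verdict = f"http-{status}"
    return CheckResult(status, final_url, verdict)


def run_demo():
    """Run the checker against each simulated behaviour; returns mode -> CheckResult."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), SiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    results = {}
    try:
        for mode in ("ok", "redirect_then_403", "html_page"):
            SiteHandler.mode = mode
            results[mode] = check_http01(base)
            r = results[mode]
            print(f"{mode:>18}: {r.verdict} (HTTP {r.status} from {r.final_url})")
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    run_demo()
```

Against a real site you would call `check_http01("http://<your host>")` with the token and key authorization the client prints, while the client still has the file in place. The `final_url` field is the part worth reading first: when it points at the redirect target rather than the URL you requested, the 403 is being produced by that target (for an IIS site, typically request filtering or an authorization rule on the HTTPS binding), not by the HTTP binding you were watching.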

We haven’t actually revoked any certificates yet, so unless you manually revoked them using the API, there must’ve been some other issue serving the HTTPS website. Either way, glad you got it resolved.

